Analysis

max time kernel: 153s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-04-2024 03:46
Static task: static1
Behavioral task: behavioral1
Sample: fe5abeb99b41caabc40ca3fdc4e32357_JaffaCakes118.exe
Resource: win7-20240221-en
General

Target: fe5abeb99b41caabc40ca3fdc4e32357_JaffaCakes118.exe
Size: 1.1MB
MD5: fe5abeb99b41caabc40ca3fdc4e32357
SHA1: 31395d40d0499d83a755e558d16f46a23340b500
SHA256: 3de1898cb9ba05922118274f4286962392e3eb63ddb7744ffe3cd3ca9970df1b
SHA512: b2cbdd292881a529fc4eec2423ecdb3603cf52139949557887144816d13617f08919d794af0a4a1aa097d36f48af55956ecc02ced0c175157e20918a6fc5909c
SSDEEP: 24576:cjg6rklsxivedtl8wz8iJ2Gqxfrk0mg5jWWPPv/k:ckmklsxw2Dwg2Gg5jXv/k
Malware Config

Extracted
Family: darkcomet
Botnet: Fucked
C2: hidesn.no-ip.org:1604
Mutex: DC_MUTEX-ZEGD8UE
InstallPath: System32C/winlogon.exe
gencode: QKzVM5n527Ug
install: true
offline_keylogger: true
persistence: true
reg_key: winlogon
Signatures

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Processes: 2.exe, 1.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\QKzVM5n527Ug\\System32C/winlogon.exe" | 2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\QKzVM5n527Ug\\System32C/winlogon.exe,C:\\Windows\\u0wmjTPJ09qd\\System32C/winlogon.exe" | 1.exe

Modifies firewall policy service (2 TTPs, 6 IoCs)
Processes: 1.exe, 2.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 1.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | 1.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | 2.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 2.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | 2.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | 1.exe

Modifies security service (2 TTPs, 2 IoCs)
Processes: 2.exe, 1.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | 2.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | 1.exe

Windows security bypass
Processes: 2.exe, 1.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 1.exe

Disables RegEdit via registry modification (2 IoCs)
Processes: 2.exe, 1.exe
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 2.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 1.exe

Sets file to hidden (1 TTPs, 4 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes: attrib.exe, attrib.exe, attrib.exe, attrib.exe
pid | Process
3544 | attrib.exe
4688 | attrib.exe
1340 | attrib.exe
1496 | attrib.exe

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 1.exe, 2.exe, fe5abeb99b41caabc40ca3fdc4e32357_JaffaCakes118.exe
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | 1.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | 2.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | fe5abeb99b41caabc40ca3fdc4e32357_JaffaCakes118.exe

Executes dropped EXE (2 IoCs)
Processes: 1.exe, 2.exe
pid | Process
760 | 1.exe
2544 | 2.exe

Windows security modification
Processes: 2.exe, 1.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 1.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 2.exe, 1.exe
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Windows\\QKzVM5n527Ug\\System32C/winlogon.exe" | 2.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Windows\\u0wmjTPJ09qd\\System32C/winlogon.exe" | 1.exe

Drops desktop.ini file(s) (2 IoCs)
Processes: fe5abeb99b41caabc40ca3fdc4e32357_JaffaCakes118.exe
description | ioc | Process
File created | C:\Windows\assembly\Desktop.ini | fe5abeb99b41caabc40ca3fdc4e32357_JaffaCakes118.exe
File opened for modification | C:\Windows\assembly\Desktop.ini | fe5abeb99b41caabc40ca3fdc4e32357_JaffaCakes118.exe

Drops file in Windows directory (11 IoCs)
Processes: 2.exe, 1.exe, fe5abeb99b41caabc40ca3fdc4e32357_JaffaCakes118.exe
description | ioc | Process
File created | C:\Windows\QKzVM5n527Ug\System32C\winlogon.exe | 2.exe
File opened for modification | C:\Windows\QKzVM5n527Ug\ | 2.exe
File opened for modification | C:\Windows\u0wmjTPJ09qd\ | 1.exe
File opened for modification | C:\Windows\assembly\Desktop.ini | fe5abeb99b41caabc40ca3fdc4e32357_JaffaCakes118.exe
File created | C:\Windows\System32C\winlogon.exe | 2.exe
File opened for modification | C:\Windows\QKzVM5n527Ug\System32C\winlogon.exe | 2.exe
File created | C:\Windows\System32C\winlogon.exe | 1.exe
File created | C:\Windows\u0wmjTPJ09qd\System32C\winlogon.exe | 1.exe
File opened for modification | C:\Windows\u0wmjTPJ09qd\System32C\winlogon.exe | 1.exe
File opened for modification | C:\Windows\assembly | fe5abeb99b41caabc40ca3fdc4e32357_JaffaCakes118.exe
File created | C:\Windows\assembly\Desktop.ini | fe5abeb99b41caabc40ca3fdc4e32357_JaffaCakes118.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: 2.exe
pid | Process
2544 | 2.exe

Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes: 1.exe, 2.exe
description | pid | Process
Token: SeIncreaseQuotaPrivilege | 760 | 1.exe
Token: SeIncreaseQuotaPrivilege | 2544 | 2.exe
Token: SeSecurityPrivilege | 2544 | 2.exe
Token: SeSecurityPrivilege | 760 | 1.exe
Token: SeTakeOwnershipPrivilege | 2544 | 2.exe
Token: SeTakeOwnershipPrivilege | 760 | 1.exe
Token: SeLoadDriverPrivilege | 2544 | 2.exe
Token: SeLoadDriverPrivilege | 760 | 1.exe
Token: SeSystemProfilePrivilege | 2544 | 2.exe
Token: SeSystemProfilePrivilege | 760 | 1.exe
Token: SeSystemtimePrivilege | 2544 | 2.exe
Token: SeSystemtimePrivilege | 760 | 1.exe
Token: SeProfSingleProcessPrivilege | 2544 | 2.exe
Token: SeProfSingleProcessPrivilege | 760 | 1.exe
Token: SeIncBasePriorityPrivilege | 2544 | 2.exe
Token: SeIncBasePriorityPrivilege | 760 | 1.exe
Token: SeCreatePagefilePrivilege | 2544 | 2.exe
Token: SeCreatePagefilePrivilege | 760 | 1.exe
Token: SeBackupPrivilege | 760 | 1.exe
Token: SeBackupPrivilege | 2544 | 2.exe
Token: SeRestorePrivilege | 2544 | 2.exe
Token: SeRestorePrivilege | 760 | 1.exe
Token: SeShutdownPrivilege | 760 | 1.exe
Token: SeShutdownPrivilege | 2544 | 2.exe
Token: SeDebugPrivilege | 760 | 1.exe
Token: SeDebugPrivilege | 2544 | 2.exe
Token: SeSystemEnvironmentPrivilege | 760 | 1.exe
Token: SeSystemEnvironmentPrivilege | 2544 | 2.exe
Token: SeChangeNotifyPrivilege | 760 | 1.exe
Token: SeChangeNotifyPrivilege | 2544 | 2.exe
Token: SeRemoteShutdownPrivilege | 760 | 1.exe
Token: SeRemoteShutdownPrivilege | 2544 | 2.exe
Token: SeUndockPrivilege | 760 | 1.exe
Token: SeUndockPrivilege | 2544 | 2.exe
Token: SeManageVolumePrivilege | 760 | 1.exe
Token: SeManageVolumePrivilege | 2544 | 2.exe
Token: SeImpersonatePrivilege | 760 | 1.exe
Token: SeImpersonatePrivilege | 2544 | 2.exe
Token: SeCreateGlobalPrivilege | 760 | 1.exe
Token: SeCreateGlobalPrivilege | 2544 | 2.exe
Token: 33 | 760 | 1.exe
Token: 33 | 2544 | 2.exe
Token: 34 | 760 | 1.exe
Token: 34 | 2544 | 2.exe
Token: 35 | 760 | 1.exe
Token: 35 | 2544 | 2.exe
Token: 36 | 760 | 1.exe
Token: 36 | 2544 | 2.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: 2.exe
pid | Process
2544 | 2.exe

Suspicious use of WriteProcessMemory (57 IoCs)
Processes: fe5abeb99b41caabc40ca3fdc4e32357_JaffaCakes118.exe, 1.exe, 2.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe
description | pid | Process | procid_target
PID 468 wrote to memory of 760 | 468 | fe5abeb99b41caabc40ca3fdc4e32357_JaffaCakes118.exe | 93
PID 468 wrote to memory of 760 | 468 | fe5abeb99b41caabc40ca3fdc4e32357_JaffaCakes118.exe | 93
PID 468 wrote to memory of 760 | 468 | fe5abeb99b41caabc40ca3fdc4e32357_JaffaCakes118.exe | 93
PID 468 wrote to memory of 2544 | 468 | fe5abeb99b41caabc40ca3fdc4e32357_JaffaCakes118.exe | 96
PID 468 wrote to memory of 2544 | 468 | fe5abeb99b41caabc40ca3fdc4e32357_JaffaCakes118.exe | 96
PID 468 wrote to memory of 2544 | 468 | fe5abeb99b41caabc40ca3fdc4e32357_JaffaCakes118.exe | 96
PID 760 wrote to memory of 400 | 760 | 1.exe | 99
PID 760 wrote to memory of 400 | 760 | 1.exe | 99
PID 760 wrote to memory of 400 | 760 | 1.exe | 99
PID 2544 wrote to memory of 2764 | 2544 | 2.exe | 100
PID 2544 wrote to memory of 2764 | 2544 | 2.exe | 100
PID 2544 wrote to memory of 2764 | 2544 | 2.exe | 100
PID 2544 wrote to memory of 4620 | 2544 | 2.exe | 101
PID 2544 wrote to memory of 4620 | 2544 | 2.exe | 101
PID 2544 wrote to memory of 4620 | 2544 | 2.exe | 101
PID 760 wrote to memory of 4040 | 760 | 1.exe | 102
PID 760 wrote to memory of 4040 | 760 | 1.exe | 102
PID 760 wrote to memory of 4040 | 760 | 1.exe | 102
PID 400 wrote to memory of 1496 | 400 | cmd.exe | 109
PID 4040 wrote to memory of 4688 | 4040 | cmd.exe | 108
PID 4040 wrote to memory of 4688 | 4040 | cmd.exe | 108
PID 4040 wrote to memory of 4688 | 4040 | cmd.exe | 108
PID 400 wrote to memory of 1496 | 400 | cmd.exe | 109
PID 400 wrote to memory of 1496 | 400 | cmd.exe | 109
PID 2764 wrote to memory of 1340 | 2764 | cmd.exe | 110
PID 2764 wrote to memory of 1340 | 2764 | cmd.exe | 110
PID 2764 wrote to memory of 1340 | 2764 | cmd.exe | 110
PID 4620 wrote to memory of 3544 | 4620 | cmd.exe | 111
PID 4620 wrote to memory of 3544 | 4620 | cmd.exe | 111
PID 4620 wrote to memory of 3544 | 4620 | cmd.exe | 111
PID 2544 wrote to memory of 4300 | 2544 | 2.exe | 107
PID 2544 wrote to memory of 4300 | 2544 | 2.exe | 107
PID 2544 wrote to memory of 4300 | 2544 | 2.exe | 107
PID 2544 wrote to memory of 2804 | 2544 | 2.exe | 112
PID 2544 wrote to memory of 2804 | 2544 | 2.exe | 112
PID 2544 wrote to memory of 4336 | 2544 | 2.exe | 113
PID 2544 wrote to memory of 4336 | 2544 | 2.exe | 113
PID 2544 wrote to memory of 4336 | 2544 | 2.exe | 113
PID 2544 wrote to memory of 4336 | 2544 | 2.exe | 113
PID 2544 wrote to memory of 4336 | 2544 | 2.exe | 113
PID 2544 wrote to memory of 4336 | 2544 | 2.exe | 113
PID 2544 wrote to memory of 4336 | 2544 | 2.exe | 113
PID 2544 wrote to memory of 4336 | 2544 | 2.exe | 113
PID 2544 wrote to memory of 4336 | 2544 | 2.exe | 113
PID 2544 wrote to memory of 4336 | 2544 | 2.exe | 113
PID 2544 wrote to memory of 4336 | 2544 | 2.exe | 113
PID 2544 wrote to memory of 4336 | 2544 | 2.exe | 113
PID 2544 wrote to memory of 4336 | 2544 | 2.exe | 113
PID 2544 wrote to memory of 4336 | 2544 | 2.exe | 113
PID 2544 wrote to memory of 4336 | 2544 | 2.exe | 113
PID 2544 wrote to memory of 4336 | 2544 | 2.exe | 113
PID 2544 wrote to memory of 4336 | 2544 | 2.exe | 113
PID 2544 wrote to memory of 4336 | 2544 | 2.exe | 113
PID 2544 wrote to memory of 4336 | 2544 | 2.exe | 113
PID 2544 wrote to memory of 4336 | 2544 | 2.exe | 113
PID 2544 wrote to memory of 4336 | 2544 | 2.exe | 113
PID 2544 wrote to memory of 4336 | 2544 | 2.exe | 113

Views/modifies file attributes (1 TTPs, 4 IoCs)
Processes: attrib.exe, attrib.exe, attrib.exe, attrib.exe
pid | Process
1340 | attrib.exe
1496 | attrib.exe
3544 | attrib.exe
4688 | attrib.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fe5abeb99b41caabc40ca3fdc4e32357_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fe5abeb99b41caabc40ca3fdc4e32357_JaffaCakes118.exe"
  PID: 468
  - Checks computer location settings
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
    PID: 760
    - Modifies WinLogon for persistence
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Checks computer location settings
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\1.exe" +s +h
      PID: 400
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Users\Admin\AppData\Local\Temp\1.exe" +s +h
        PID: 1496
        - Sets file to hidden
        - Views/modifies file attributes

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      PID: 4040
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        PID: 4688
        - Sets file to hidden
        - Views/modifies file attributes

  C:\Users\Admin\AppData\Local\Temp\2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2.exe"
    PID: 2544
    - Modifies WinLogon for persistence
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Checks computer location settings
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\2.exe" +s +h
      PID: 2764
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Users\Admin\AppData\Local\Temp\2.exe" +s +h
        PID: 1340
        - Sets file to hidden
        - Views/modifies file attributes

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      PID: 4620
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        PID: 3544
        - Sets file to hidden
        - Views/modifies file attributes

    C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      PID: 4300

    C:\Windows\explorer.exe
      Command line: "C:\Windows\explorer.exe"
      PID: 2804

    C:\Windows\SysWOW64\notepad.exe
      Command line: notepad
      PID: 4336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3696 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
  PID: 700

Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (2)
    Windows Service (2)

Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (2)
    Windows Service (2)

Downloads

Filesize: 756KB
MD5: 813f1a78f96928559c28ca0e9e893364
SHA1: b2a6db617a08f972c5fad15db2dec11f9ec473f7
SHA256: d8d4c8d87b35eed612c023f596483a2abd342280971a4eef995488e824a0e452
SHA512: 1458119161d04f366866d98c8f00edcf985dfad29e20f0b2dea1ea8459c9e77dffddb844cc7d8294ae57b4fc34975347d3f6874e22ed2ed4769bfe08b8a641ac

Filesize: 756KB
MD5: a3b4f11a867a36b24b1a00d32025b230
SHA1: bef76a2a11954d86030cd7b7bcb23648a61f0f12
SHA256: 015cbf610dd013789e40a9dc415fd422df6038ba733a7f43f076afc410779123
SHA512: 05f505584db73cf36ec99db073f288c8fdbe95895b6f64ab533985b48f4657cb821e380fcdce27b6ee4ce1ccbaffc8c1298dc52a1dfcdab3f2d0c7c0646f9a9a