Analysis
- max time kernel: 149s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 03-05-2024 15:32
Behavioral task: behavioral1
- Sample: 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe
- Resource: win7-20240220-en
General
- Target: 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe
- Size: 658KB
- MD5: 10d86ea86bf22d7dfdfd4fe1e5f174e5
- SHA1: c150c81bbd9e79265449e386dd4f2c597de51801
- SHA256: 9fa03c7aff5ea9ad90dc5f178b87ee4d79b414814ec1b8c7ee6d2f5685157d07
- SHA512: 548f55237310a8d1bcd07b939364391832e58829b1bf5eaa11cdad7a7ffb58e51a90a7cf7fb29dc992ee5cb6bf9d21a21bd8d40996ea22548346655f03ea22dc
- SSDEEP: 12288:u9HMeUmcufrvA3kb445UEJ2jsWiD4EvFuu4cNgZhCiZKD/XdyFE:6iBIGkbxqEcjsWiDxguehC2Sr
Malware Config
Extracted
- Family: darkcomet
- Botnet: Guest16
- C2: 127.0.0.1:1604
- Mutex: DC_MUTEX-ECAZT3D
- gencode: j6rbVHgXif2y
- install: false
- offline_keylogger: true
- persistence: false
Signatures
- Modifies firewall policy service (2 TTPs, 3 IoCs)
  Process: 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  - Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
  - Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"
- Disables RegEdit via registry modification (1 IoC)
  Process: 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe
  - Set value (int): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
- Disables Task Manager via registry modification
- Sets file to hidden (1 TTP, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  Processes: attrib.exe (PID 2688), attrib.exe (PID 2560)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe (PID 2912)
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
  Process: 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe (PID 2912)
  Tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- Suspicious use of SetWindowsHookEx (1 IoC)
  Process: 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe (PID 2912)
- Suspicious use of WriteProcessMemory (39 IoCs)
  Processes: 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe, cmd.exe, cmd.exe
  - PID 2912 (10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe) wrote to memory of PID 2588, procid_target 28: 4 IoCs
  - PID 2912 (10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe) wrote to memory of PID 2148, procid_target 30: 4 IoCs
  - PID 2912 (10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe) wrote to memory of PID 2952, procid_target 32: 23 IoCs
  - PID 2588 (cmd.exe) wrote to memory of PID 2688, procid_target 34: 4 IoCs
  - PID 2148 (cmd.exe) wrote to memory of PID 2560, procid_target 33: 4 IoCs
- Views/modifies file attributes (1 TTP, 2 IoCs)
  Processes: attrib.exe (PID 2688), attrib.exe (PID 2560)
Processes
- C:\Users\Admin\AppData\Local\Temp\10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe (PID 2912)
  Command line: "C:\Users\Admin\AppData\Local\Temp\10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe"
  Signatures:
  - Modifies firewall policy service
  - Disables RegEdit via registry modification
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\cmd.exe (PID 2588)
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe" +s +h
    Signatures:
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\attrib.exe (PID 2688)
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe" +s +h
      Signatures:
      - Sets file to hidden
      - Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe (PID 2148)
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    Signatures:
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\attrib.exe (PID 2560)
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      Signatures:
      - Sets file to hidden
      - Views/modifies file attributes
  - C:\Windows\SysWOW64\notepad.exe (PID 2952)
    Command line: notepad