Analysis
- max time kernel: 140s
- max time network: 123s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-05-2024 15:32
Behavioral task
- behavioral1
- Sample: 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe
- Resource: win7-20240220-en
General
- Target: 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe
- Size: 658KB
- MD5: 10d86ea86bf22d7dfdfd4fe1e5f174e5
- SHA1: c150c81bbd9e79265449e386dd4f2c597de51801
- SHA256: 9fa03c7aff5ea9ad90dc5f178b87ee4d79b414814ec1b8c7ee6d2f5685157d07
- SHA512: 548f55237310a8d1bcd07b939364391832e58829b1bf5eaa11cdad7a7ffb58e51a90a7cf7fb29dc992ee5cb6bf9d21a21bd8d40996ea22548346655f03ea22dc
- SSDEEP: 12288:u9HMeUmcufrvA3kb445UEJ2jsWiD4EvFuu4cNgZhCiZKD/XdyFE:6iBIGkbxqEcjsWiDxguehC2Sr
Malware Config
Extracted
- Family: darkcomet
- Botnet: Guest16
- C2: 127.0.0.1:1604
- Mutex: DC_MUTEX-ECAZT3D
- Attributes:
  - gencode: j6rbVHgXif2y
  - install: false
  - offline_keylogger: true
  - persistence: false
Signatures
- Modifies firewall policy service (2 TTPs, 3 IoCs)
  Processes: 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (process: 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe)
  - Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (process: 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe)
  - Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" (process: 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe)
- Disables RegEdit via registry modification (1 IoC)
  Processes: 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe
  - Set value (int): \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe)
- Disables Task Manager via registry modification
- Sets file to hidden (1 TTP, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  Processes: attrib.exe, attrib.exe
  - pid 1384: attrib.exe
  - pid 1740: attrib.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe
  - Key value queried: \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation (process: 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  Processes: WerFault.exe
  - pid 4448, pid_target 1624: WerFault.exe (procid_target 86)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe
  - pid 2180: 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  Processes: 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe
  All 24 entries are for pid 2180, 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe:
  - Token: SeIncreaseQuotaPrivilege
  - Token: SeSecurityPrivilege
  - Token: SeTakeOwnershipPrivilege
  - Token: SeLoadDriverPrivilege
  - Token: SeSystemProfilePrivilege
  - Token: SeSystemtimePrivilege
  - Token: SeProfSingleProcessPrivilege
  - Token: SeIncBasePriorityPrivilege
  - Token: SeCreatePagefilePrivilege
  - Token: SeBackupPrivilege
  - Token: SeRestorePrivilege
  - Token: SeShutdownPrivilege
  - Token: SeDebugPrivilege
  - Token: SeSystemEnvironmentPrivilege
  - Token: SeChangeNotifyPrivilege
  - Token: SeRemoteShutdownPrivilege
  - Token: SeUndockPrivilege
  - Token: SeManageVolumePrivilege
  - Token: SeImpersonatePrivilege
  - Token: SeCreateGlobalPrivilege
  - Token: 33
  - Token: 34
  - Token: 35
  - Token: 36
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe
  - pid 2180: 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (34 IoCs)
  Processes: 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe, cmd.exe, cmd.exe
  - PID 2180 wrote to memory of 2408 (pid 2180, 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe, procid_target 83)
  - PID 2180 wrote to memory of 2408 (pid 2180, 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe, procid_target 83)
  - PID 2180 wrote to memory of 2408 (pid 2180, 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe, procid_target 83)
  - PID 2180 wrote to memory of 1504 (pid 2180, 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe, procid_target 85)
  - PID 2180 wrote to memory of 1504 (pid 2180, 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe, procid_target 85)
  - PID 2180 wrote to memory of 1504 (pid 2180, 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe, procid_target 85)
  - PID 2180 wrote to memory of 1624 (pid 2180, 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe, procid_target 86)
  - PID 2180 wrote to memory of 1624 (pid 2180, 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe, procid_target 86)
  - PID 2180 wrote to memory of 1624 (pid 2180, 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe, procid_target 86)
  - PID 2180 wrote to memory of 1624 (pid 2180, 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe, procid_target 86)
  - PID 2180 wrote to memory of 1624 (pid 2180, 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe, procid_target 86)
  - PID 2180 wrote to memory of 1624 (pid 2180, 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe, procid_target 86)
  - PID 2180 wrote to memory of 1624 (pid 2180, 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe, procid_target 86)
  - PID 2180 wrote to memory of 1624 (pid 2180, 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe, procid_target 86)
  - PID 2180 wrote to memory of 1624 (pid 2180, 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe, procid_target 86)
  - PID 2180 wrote to memory of 1624 (pid 2180, 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe, procid_target 86)
  - PID 2180 wrote to memory of 1624 (pid 2180, 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe, procid_target 86)
  - PID 2180 wrote to memory of 1624 (pid 2180, 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe, procid_target 86)
  - PID 2180 wrote to memory of 1624 (pid 2180, 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe, procid_target 86)
  - PID 2180 wrote to memory of 1624 (pid 2180, 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe, procid_target 86)
  - PID 2180 wrote to memory of 1624 (pid 2180, 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe, procid_target 86)
  - PID 2180 wrote to memory of 1624 (pid 2180, 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe, procid_target 86)
  - PID 2180 wrote to memory of 1624 (pid 2180, 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe, procid_target 86)
  - PID 2180 wrote to memory of 1624 (pid 2180, 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe, procid_target 86)
  - PID 2180 wrote to memory of 1624 (pid 2180, 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe, procid_target 86)
  - PID 2180 wrote to memory of 1624 (pid 2180, 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe, procid_target 86)
  - PID 2180 wrote to memory of 1624 (pid 2180, 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe, procid_target 86)
  - PID 2180 wrote to memory of 1624 (pid 2180, 10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe, procid_target 86)
  - PID 2408 wrote to memory of 1384 (pid 2408, cmd.exe, procid_target 90)
  - PID 2408 wrote to memory of 1384 (pid 2408, cmd.exe, procid_target 90)
  - PID 2408 wrote to memory of 1384 (pid 2408, cmd.exe, procid_target 90)
  - PID 1504 wrote to memory of 1740 (pid 1504, cmd.exe, procid_target 91)
  - PID 1504 wrote to memory of 1740 (pid 1504, cmd.exe, procid_target 91)
  - PID 1504 wrote to memory of 1740 (pid 1504, cmd.exe, procid_target 91)
- Views/modifies file attributes (1 TTP, 2 IoCs)
  Processes: attrib.exe, attrib.exe
  - pid 1384: attrib.exe
  - pid 1740: attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe"
  PID: 2180
  Signatures:
  - Modifies firewall policy service
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe" +s +h
    PID: 2408
    Signatures:
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe" +s +h
      PID: 1384
      Signatures:
      - Sets file to hidden
      - Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    PID: 1504
    Signatures:
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      PID: 1740
      Signatures:
      - Sets file to hidden
      - Views/modifies file attributes
  - C:\Windows\SysWOW64\notepad.exe
    Command line: notepad
    PID: 1624
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 80
      PID: 4448
      Signatures:
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1624 -ip 1624
  PID: 4540