Analysis
  max time kernel: 149s
  max time network: 151s
  platform: windows10-2004_x64
  resource: win10v2004-20240426-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 20-05-2024 01:56
Behavioral task: behavioral1
  Sample: 5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe
  Resource: win7-20240508-en
General
  Target: 5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe
  Size: 658KB
  MD5: 5c98db14eae2051a75db884bc62938c0
  SHA1: 771310c416fba4ab0ffa135bebec6c04ea3a2e5e
  SHA256: 16b8d72b51b7518ab8660f7ebaf9163ce6495c1e383f6a07fe2d36ec21486668
  SHA512: ea75ed405bba523babf68685ad02cd932e4bbcb9e2944c21aeb1883bfe67e1717203d60fbf3eccecdd9e26c1900999bfcbdfa127d20306d1bd44e1490008a5d3
  SSDEEP: 12288:O9HMeUmcufrvA3kb445UEJ2jsWiD4EvFuu4cNgZhCiZKD/XdyFV:aiBIGkbxqEcjsWiDxguehC2SS
Malware Config (Extracted)
  Family: darkcomet
  Botnet: Guest16
  C2:
    127.0.0.1:25565
    92.246.89.145:25565
    92.246.89.145:5555
    92.246.89.145:8888
    127.0.0.1:8888
    127.0.0.1:5555
  Mutex: DC_MUTEX-UBCQNRK
  Attributes:
    gencode: QP5sRdeDQuBd
    install: false
    offline_keylogger: true
    persistence: false
Signatures

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  Processes:
    description                          pid   process
    Token: SeIncreaseQuotaPrivilege      3940  5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe
    Token: SeSecurityPrivilege           3940  5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe
    Token: SeTakeOwnershipPrivilege      3940  5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe
    Token: SeLoadDriverPrivilege         3940  5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe
    Token: SeSystemProfilePrivilege      3940  5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe
    Token: SeSystemtimePrivilege         3940  5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe
    Token: SeProfSingleProcessPrivilege  3940  5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe
    Token: SeIncBasePriorityPrivilege    3940  5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe
    Token: SeCreatePagefilePrivilege     3940  5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe
    Token: SeBackupPrivilege             3940  5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe
    Token: SeRestorePrivilege            3940  5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe
    Token: SeShutdownPrivilege           3940  5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe
    Token: SeDebugPrivilege              3940  5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe
    Token: SeSystemEnvironmentPrivilege  3940  5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe
    Token: SeChangeNotifyPrivilege       3940  5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe
    Token: SeRemoteShutdownPrivilege     3940  5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe
    Token: SeUndockPrivilege             3940  5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe
    Token: SeManageVolumePrivilege       3940  5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe
    Token: SeImpersonatePrivilege        3940  5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe
    Token: SeCreateGlobalPrivilege       3940  5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe
    Token: 33                            3940  5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe
    Token: 34                            3940  5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe
    Token: 35                            3940  5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe
    Token: 36                            3940  5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe

- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
    pid   process
    3940  5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe