Analysis
-
max time kernel
149s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
24-05-2024 05:03
Behavioral task
behavioral1
Sample
6d6aceaf5c3f2d9c02d292c15e4ff3d6_JaffaCakes118.exe
Resource
win7-20240508-en
General
-
Target
6d6aceaf5c3f2d9c02d292c15e4ff3d6_JaffaCakes118.exe
-
Size
658KB
-
MD5
6d6aceaf5c3f2d9c02d292c15e4ff3d6
-
SHA1
b92e13064b7693551963909d879f1e9eae57a021
-
SHA256
ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3
-
SHA512
6a78c45f1dc631f77b2bc5f7e2bc3e7dc31c8aa81f46f549de035616f922c277dce75bf12a710d3be02731e87f649a5cbb36e08226e256a141bad91ba51cfbb9
-
SSDEEP
12288:i9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hZ:OZ1xuVVjfFoynPaVBUR8f+kN10EBX
Malware Config
Extracted
darkcomet
Sazan
127.0.0.1:1604
DC_MUTEX-H33CPZ0
-
gencode
oUoFztxq4qF8
-
install
false
-
offline_keylogger
true
-
persistence
false
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile 6d6aceaf5c3f2d9c02d292c15e4ff3d6_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" 6d6aceaf5c3f2d9c02d292c15e4ff3d6_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" 6d6aceaf5c3f2d9c02d292c15e4ff3d6_JaffaCakes118.exe -
Disables Task Manager via registry modification
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid Process 2276 attrib.exe 2924 attrib.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 1224 6d6aceaf5c3f2d9c02d292c15e4ff3d6_JaffaCakes118.exe Token: SeSecurityPrivilege 1224 6d6aceaf5c3f2d9c02d292c15e4ff3d6_JaffaCakes118.exe Token: SeTakeOwnershipPrivilege 1224 6d6aceaf5c3f2d9c02d292c15e4ff3d6_JaffaCakes118.exe Token: SeLoadDriverPrivilege 1224 6d6aceaf5c3f2d9c02d292c15e4ff3d6_JaffaCakes118.exe Token: SeSystemProfilePrivilege 1224 6d6aceaf5c3f2d9c02d292c15e4ff3d6_JaffaCakes118.exe Token: SeSystemtimePrivilege 1224 6d6aceaf5c3f2d9c02d292c15e4ff3d6_JaffaCakes118.exe Token: SeProfSingleProcessPrivilege 1224 6d6aceaf5c3f2d9c02d292c15e4ff3d6_JaffaCakes118.exe Token: SeIncBasePriorityPrivilege 1224 6d6aceaf5c3f2d9c02d292c15e4ff3d6_JaffaCakes118.exe Token: SeCreatePagefilePrivilege 1224 6d6aceaf5c3f2d9c02d292c15e4ff3d6_JaffaCakes118.exe Token: SeBackupPrivilege 1224 6d6aceaf5c3f2d9c02d292c15e4ff3d6_JaffaCakes118.exe Token: SeRestorePrivilege 1224 6d6aceaf5c3f2d9c02d292c15e4ff3d6_JaffaCakes118.exe Token: SeShutdownPrivilege 1224 6d6aceaf5c3f2d9c02d292c15e4ff3d6_JaffaCakes118.exe Token: SeDebugPrivilege 1224 6d6aceaf5c3f2d9c02d292c15e4ff3d6_JaffaCakes118.exe Token: SeSystemEnvironmentPrivilege 1224 6d6aceaf5c3f2d9c02d292c15e4ff3d6_JaffaCakes118.exe Token: SeChangeNotifyPrivilege 1224 6d6aceaf5c3f2d9c02d292c15e4ff3d6_JaffaCakes118.exe Token: SeRemoteShutdownPrivilege 1224 6d6aceaf5c3f2d9c02d292c15e4ff3d6_JaffaCakes118.exe Token: SeUndockPrivilege 1224 6d6aceaf5c3f2d9c02d292c15e4ff3d6_JaffaCakes118.exe Token: SeManageVolumePrivilege 1224 6d6aceaf5c3f2d9c02d292c15e4ff3d6_JaffaCakes118.exe Token: SeImpersonatePrivilege 1224 6d6aceaf5c3f2d9c02d292c15e4ff3d6_JaffaCakes118.exe Token: SeCreateGlobalPrivilege 1224 6d6aceaf5c3f2d9c02d292c15e4ff3d6_JaffaCakes118.exe Token: 33 1224 6d6aceaf5c3f2d9c02d292c15e4ff3d6_JaffaCakes118.exe Token: 34 1224 6d6aceaf5c3f2d9c02d292c15e4ff3d6_JaffaCakes118.exe Token: 35 1224 6d6aceaf5c3f2d9c02d292c15e4ff3d6_JaffaCakes118.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1224 6d6aceaf5c3f2d9c02d292c15e4ff3d6_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 1224 wrote to memory of 2124 1224 6d6aceaf5c3f2d9c02d292c15e4ff3d6_JaffaCakes118.exe 28 PID 1224 wrote to memory of 2124 1224 6d6aceaf5c3f2d9c02d292c15e4ff3d6_JaffaCakes118.exe 28 PID 1224 wrote to memory of 2124 1224 6d6aceaf5c3f2d9c02d292c15e4ff3d6_JaffaCakes118.exe 28 PID 1224 wrote to memory of 2124 1224 6d6aceaf5c3f2d9c02d292c15e4ff3d6_JaffaCakes118.exe 28 PID 1224 wrote to memory of 2868 1224 6d6aceaf5c3f2d9c02d292c15e4ff3d6_JaffaCakes118.exe 29 PID 1224 wrote to memory of 2868 1224 6d6aceaf5c3f2d9c02d292c15e4ff3d6_JaffaCakes118.exe 29 PID 1224 wrote to memory of 2868 1224 6d6aceaf5c3f2d9c02d292c15e4ff3d6_JaffaCakes118.exe 29 PID 1224 wrote to memory of 2868 1224 6d6aceaf5c3f2d9c02d292c15e4ff3d6_JaffaCakes118.exe 29 PID 2868 wrote to memory of 2276 2868 cmd.exe 32 PID 2868 wrote to memory of 2276 2868 cmd.exe 32 PID 2868 wrote to memory of 2276 2868 cmd.exe 32 PID 2868 wrote to memory of 2276 2868 cmd.exe 32 PID 2124 wrote to memory of 2924 2124 cmd.exe 33 PID 2124 wrote to memory of 2924 2124 cmd.exe 33 PID 2124 wrote to memory of 2924 2124 cmd.exe 33 PID 2124 wrote to memory of 2924 2124 cmd.exe 33 -
System policy modification 1 TTPs 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion 6d6aceaf5c3f2d9c02d292c15e4ff3d6_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern 6d6aceaf5c3f2d9c02d292c15e4ff3d6_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" 6d6aceaf5c3f2d9c02d292c15e4ff3d6_JaffaCakes118.exe -
Views/modifies file attributes 1 TTPs 2 IoCs
pid Process 2276 attrib.exe 2924 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6d6aceaf5c3f2d9c02d292c15e4ff3d6_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\6d6aceaf5c3f2d9c02d292c15e4ff3d6_JaffaCakes118.exe"1⤵
- Modifies firewall policy service
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1224 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\6d6aceaf5c3f2d9c02d292c15e4ff3d6_JaffaCakes118.exe" +s +h2⤵
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\6d6aceaf5c3f2d9c02d292c15e4ff3d6_JaffaCakes118.exe" +s +h3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2924
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h2⤵
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2276
-
-