Analysis
max time kernel: 142s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-05-2024 10:27
Static task: static1
Behavioral task: behavioral1
  Sample: 7ca08682ca6d9a60cdb68190196b644e_JaffaCakes118.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 7ca08682ca6d9a60cdb68190196b644e_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
Behavioral task: behavioral3
  Sample: file.exe
  Resource: win7-20240508-en
General
Target: 7ca08682ca6d9a60cdb68190196b644e_JaffaCakes118.exe
Size: 1.5MB
MD5: 7ca08682ca6d9a60cdb68190196b644e
SHA1: 224ef3c5376281b7aed832cfe0a07b3d88e94634
SHA256: 763bd57d8dec6366174644ca1e92f974f895c3c995900068b1b1e013c00c2bec
SHA512: 43fac1261f7a3008435fb17c1fdc85a45d263907a433c3feec8690e41da2dac316a18e04f4b349b37eee5b7c072f29dd115d786ef41b3380584b682da5aecee1
SSDEEP: 24576:GiEYxyUt70b7sTJb0HxP7kOw17mjIpn2KwJfV97:1V00p0RP75o6jUnxcfH7
Malware Config
Extracted
darkcomet
hacked
sulumanco.duckdns.org:4000
DCMIN_MUTEX-5JGPC4U
gencode: PSXl8AA8UgHs
install: false
offline_keylogger: true
persistence: false
Signatures
Executes dropped EXE (1 IoCs)
Processes:
  pid   process
  1360  file.exe
AutoIT Executable (1 IoCs)
AutoIT scripts compiled to PE executables.
Processes:
  resource                                    yara_rule
  C:\Users\Admin\AppData\Local\Temp\file.exe  autoit_exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes:
  description                              pid   process
  Token: SeIncreaseQuotaPrivilege          1360  file.exe
  Token: SeSecurityPrivilege               1360  file.exe
  Token: SeTakeOwnershipPrivilege          1360  file.exe
  Token: SeLoadDriverPrivilege             1360  file.exe
  Token: SeSystemProfilePrivilege          1360  file.exe
  Token: SeSystemtimePrivilege             1360  file.exe
  Token: SeProfSingleProcessPrivilege      1360  file.exe
  Token: SeIncBasePriorityPrivilege        1360  file.exe
  Token: SeCreatePagefilePrivilege         1360  file.exe
  Token: SeBackupPrivilege                 1360  file.exe
  Token: SeRestorePrivilege                1360  file.exe
  Token: SeShutdownPrivilege               1360  file.exe
  Token: SeDebugPrivilege                  1360  file.exe
  Token: SeSystemEnvironmentPrivilege      1360  file.exe
  Token: SeChangeNotifyPrivilege           1360  file.exe
  Token: SeRemoteShutdownPrivilege         1360  file.exe
  Token: SeUndockPrivilege                 1360  file.exe
  Token: SeManageVolumePrivilege           1360  file.exe
  Token: SeImpersonatePrivilege            1360  file.exe
  Token: SeCreateGlobalPrivilege           1360  file.exe
  Token: 33                                1360  file.exe
  Token: 34                                1360  file.exe
  Token: 35                                1360  file.exe
  Token: 36                                1360  file.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                        pid   process                                              target process
  PID 4296 wrote to memory of 1360   4296  7ca08682ca6d9a60cdb68190196b644e_JaffaCakes118.exe  file.exe
  PID 4296 wrote to memory of 1360   4296  7ca08682ca6d9a60cdb68190196b644e_JaffaCakes118.exe  file.exe
  PID 4296 wrote to memory of 1360   4296  7ca08682ca6d9a60cdb68190196b644e_JaffaCakes118.exe  file.exe
Processes
C:\Users\Admin\AppData\Local\Temp\7ca08682ca6d9a60cdb68190196b644e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\7ca08682ca6d9a60cdb68190196b644e_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\file.exe
    file.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Temp\autF9F0.tmp
  Filesize: 729KB
  MD5: 6282456314baaedd946a479297670cda
  SHA1: 2f52b46aaeece5cc905d6cfeb58efe1586d37af0
  SHA256: e89d885b13a6f07c583e6e3c99085332aacc4ab308d886a05ab2029d6ce01609
  SHA512: 442dad83f03a30a7e1f1f7c696c6b313e10caa90ec16daf0d78041386726b248680d4dd16a249279e4bdc14c92f269b6587482b982630eb0bdf4fd9bd9132b7f
C:\Users\Admin\AppData\Local\Temp\file.exe
  Filesize: 1.6MB
  MD5: e3603e6b91428087eb12338246595774
  SHA1: 81a184ffb1dbd62a7ecf555ab53d820be7bda8af
  SHA256: 5c583a1d407073f8db55e5facd87a7cfb476b8ec1df2b04d516320c749be985d
  SHA512: 16e3a3db42b93b227f7815d5b6a6e06df43556fb0262f993d9e3126803f4f1ce8af7b982c4c805136208a5a2352ed79c70bf8c412194e6e73ccc0caa11814b10
memory/1360-16-0x0000000003A40000-0x0000000003AF9000-memory.dmp
  Filesize: 740KB
memory/1360-13-0x0000000003A40000-0x0000000003AF9000-memory.dmp
  Filesize: 740KB
memory/1360-14-0x0000000003A40000-0x0000000003AF9000-memory.dmp
  Filesize: 740KB
memory/1360-15-0x0000000003A40000-0x0000000003AF9000-memory.dmp
  Filesize: 740KB
memory/1360-12-0x0000000003A40000-0x0000000003AF9000-memory.dmp
  Filesize: 740KB
memory/1360-17-0x0000000003A40000-0x0000000003AF9000-memory.dmp
  Filesize: 740KB
memory/1360-19-0x0000000003F40000-0x0000000003F41000-memory.dmp
  Filesize: 4KB
memory/1360-18-0x0000000003D40000-0x0000000003DF2000-memory.dmp
  Filesize: 712KB
memory/1360-21-0x0000000003D40000-0x0000000003DF2000-memory.dmp
  Filesize: 712KB
memory/1360-20-0x0000000003D40000-0x0000000003DF2000-memory.dmp
  Filesize: 712KB
memory/1360-22-0x0000000003D40000-0x0000000003DF2000-memory.dmp
  Filesize: 712KB
memory/1360-23-0x0000000003F40000-0x0000000003F41000-memory.dmp
  Filesize: 4KB