Analysis
max time kernel: 148s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 26-06-2024 16:45

Static task: static1
Behavioral task: behavioral1
Sample: 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
Size: 1.8MB
MD5: 12afa41586011ca7da4c854e5aa25e20
SHA1: 5d39239559226d86bb42c95ee7e488e898782328
SHA256: 225a79b6670f27da254a019a4111693edab9a1198148c303690089f467413ba1
SHA512: d85baa4d8a1ec8c01cbb390d78ac8bc8fab2ebc533aaa1f82f7400c2660c708483a569725224007759443e63a98627b516d82175283eed2822196e5d6bc0e6be
SSDEEP: 49152:8oVAFnZq6c0zRnxGXKvGEDyY6vMpl6HuK9mxuQx:8zjqqo6GEDBpEOK9M
Malware Config
Extracted family: darkcomet
  nnns.zapto.org:4433
  DC_MUTEX-Q2XZ4M3
  gencode: N6RGFjbT4YgW
  install: false
  offline_keylogger: true
  persistence: false
Signatures

Drops file in Drivers directory (1 IoC)
Processes: 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
  description | ioc | process
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe

Suspicious use of SetThreadContext (1 IoC)
Processes: 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
  description | pid | process | target process
  PID 1676 set thread context of 2712 | 1676 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (23 IoCs)
Processes: 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
  description | pid | process
  Token: SeIncreaseQuotaPrivilege | 2712 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
  Token: SeSecurityPrivilege | 2712 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
  Token: SeTakeOwnershipPrivilege | 2712 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
  Token: SeLoadDriverPrivilege | 2712 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
  Token: SeSystemProfilePrivilege | 2712 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
  Token: SeSystemtimePrivilege | 2712 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
  Token: SeProfSingleProcessPrivilege | 2712 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
  Token: SeIncBasePriorityPrivilege | 2712 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
  Token: SeCreatePagefilePrivilege | 2712 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
  Token: SeBackupPrivilege | 2712 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
  Token: SeRestorePrivilege | 2712 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
  Token: SeShutdownPrivilege | 2712 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
  Token: SeDebugPrivilege | 2712 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
  Token: SeSystemEnvironmentPrivilege | 2712 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
  Token: SeChangeNotifyPrivilege | 2712 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
  Token: SeRemoteShutdownPrivilege | 2712 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
  Token: SeUndockPrivilege | 2712 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
  Token: SeManageVolumePrivilege | 2712 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
  Token: SeImpersonatePrivilege | 2712 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
  Token: SeCreateGlobalPrivilege | 2712 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
  Token: 33 | 2712 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
  Token: 34 | 2712 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
  Token: 35 | 2712 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe, 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
  pid | process
  1676 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
  2712 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (15 IoCs)
Processes: 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
  description | pid | process | target process
  PID 1676 wrote to memory of 2712 | 1676 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
  PID 1676 wrote to memory of 2712 | 1676 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
  PID 1676 wrote to memory of 2712 | 1676 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
  PID 1676 wrote to memory of 2712 | 1676 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
  PID 1676 wrote to memory of 2712 | 1676 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
  PID 1676 wrote to memory of 2712 | 1676 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
  PID 1676 wrote to memory of 2712 | 1676 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
  PID 1676 wrote to memory of 2712 | 1676 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
  PID 1676 wrote to memory of 2712 | 1676 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
  PID 1676 wrote to memory of 2712 | 1676 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
  PID 1676 wrote to memory of 2712 | 1676 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
  PID 1676 wrote to memory of 2712 | 1676 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
  PID 1676 wrote to memory of 2712 | 1676 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
  PID 1676 wrote to memory of 2712 | 1676 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
  PID 1676 wrote to memory of 2712 | 1676 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe"
  PID: 1676
  Signatures:
    Suspicious use of SetThreadContext
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory

  Depth 2 (child of PID 1676): C:\Users\Admin\AppData\Local\Temp\12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe"
    PID: 2712
    Signatures:
      Drops file in Drivers directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx