Analysis
max time kernel: 152s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-06-2024 16:45
Static task: static1
Behavioral task: behavioral1
Sample: 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
Size: 1.8MB
MD5: 12afa41586011ca7da4c854e5aa25e20
SHA1: 5d39239559226d86bb42c95ee7e488e898782328
SHA256: 225a79b6670f27da254a019a4111693edab9a1198148c303690089f467413ba1
SHA512: d85baa4d8a1ec8c01cbb390d78ac8bc8fab2ebc533aaa1f82f7400c2660c708483a569725224007759443e63a98627b516d82175283eed2822196e5d6bc0e6be
SSDEEP: 49152:8oVAFnZq6c0zRnxGXKvGEDyY6vMpl6HuK9mxuQx:8zjqqo6GEDBpEOK9M
Malware Config
Extracted
Family: darkcomet
C2: nnns.zapto.org:4433
Mutex: DC_MUTEX-Q2XZ4M3
gencode: N6RGFjbT4YgW
install: false
offline_keylogger: true
persistence: false
Signatures

Drops file in Drivers directory (1 IoCs)
Processes: 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes: 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
description | pid | process | target process
PID 3248 set thread context of 4476 | 3248 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes: 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
description | pid | process
Token: SeIncreaseQuotaPrivilege | 4476 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
Token: SeSecurityPrivilege | 4476 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege | 4476 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
Token: SeLoadDriverPrivilege | 4476 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
Token: SeSystemProfilePrivilege | 4476 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
Token: SeSystemtimePrivilege | 4476 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege | 4476 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege | 4476 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege | 4476 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
Token: SeBackupPrivilege | 4476 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
Token: SeRestorePrivilege | 4476 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
Token: SeShutdownPrivilege | 4476 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
Token: SeDebugPrivilege | 4476 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege | 4476 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege | 4476 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege | 4476 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
Token: SeUndockPrivilege | 4476 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
Token: SeManageVolumePrivilege | 4476 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
Token: SeImpersonatePrivilege | 4476 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege | 4476 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
Token: 33 | 4476 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
Token: 34 | 4476 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
Token: 35 | 4476 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
Token: 36 | 4476 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe, 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
pid | process
3248 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
4476 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (14 IoCs)
Processes: 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
description | pid | process | target process
PID 3248 wrote to memory of 4476 | 3248 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
PID 3248 wrote to memory of 4476 | 3248 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
PID 3248 wrote to memory of 4476 | 3248 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
PID 3248 wrote to memory of 4476 | 3248 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
PID 3248 wrote to memory of 4476 | 3248 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
PID 3248 wrote to memory of 4476 | 3248 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
PID 3248 wrote to memory of 4476 | 3248 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
PID 3248 wrote to memory of 4476 | 3248 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
PID 3248 wrote to memory of 4476 | 3248 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
PID 3248 wrote to memory of 4476 | 3248 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
PID 3248 wrote to memory of 4476 | 3248 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
PID 3248 wrote to memory of 4476 | 3248 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
PID 3248 wrote to memory of 4476 | 3248 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
PID 3248 wrote to memory of 4476 | 3248 | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe | 12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe"
   PID: 3248
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\12afa41586011ca7da4c854e5aa25e20_JaffaCakes118.exe"
      PID: 4476
      - Drops file in Drivers directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

1. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
   Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4120 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
   PID: 2080