Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 23/07/2024, 00:16

Static task: static1
Behavioral task: behavioral1
  Sample: 65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe
Size: 819KB
MD5: 65642f6048c56ff3ae6fb6cb91330e15
SHA1: 541cdd3507d5a80e04d2700e788649cf1df41a27
SHA256: 2d2abd10b60d6464e062eaa347bbeb48aa78a9cde4217a1f2c2cfc301953c9de
SHA512: ec63b50e5ec96d9162b86299293aa894092b8141ae79846dda1439477d670aa3bb030b54bc2b526c249c548a79182b8faf5d2d8872ae82a02a5b8ffab34e3a0f
SSDEEP: 24576:8z////TfavT+0lJsnl/DwGts3nngrwF7ubcTRmgYaneKw9hSegs5cHCdEcRmUhsx:kkT+0onl/DwGts3nngrwF7ubcYgYan5v
Malware Config
Extracted: darkcomet
Botnet ID: Spreaded
C2: simproxid.no-ip.org:1604
Mutex: DC_MUTEX-MXX0V30
gencode: jll1Ljobqc1P
install: false
offline_keylogger: true
persistence: false
Signatures
- Executes dropped EXE (2 IoCs)
  PID 2892 NPaqpR.exe
  PID 2752 svchost.exe
- Loads dropped DLL (3 IoCs)
  PID 2376 65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe (3 entries)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\javawi.exe" (process: NPaqpR.exe)
- Suspicious use of SetThreadContext (1 IoC)
  PID 2376 (65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe) set thread context of PID 2752 (procid_target 34)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  PID 2376 65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe: SeDebugPrivilege
  PID 2752 svchost.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2752 svchost.exe
- Suspicious use of WriteProcessMemory (48 IoCs; repeated identical entries collapsed)
  PID 2376 (65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe) wrote to memory of PID 2972 (procid_target 30)
  PID 2972 (csc.exe) wrote to memory of PID 2416 (procid_target 32)
  PID 2376 (65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe) wrote to memory of PID 2892 (procid_target 33)
  PID 2376 (65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe) wrote to memory of PID 2752 (procid_target 34)
  PID 2752 (svchost.exe) wrote to memory of PID 2956 (procid_target 35)
Processes
- C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe (PID 2376)
  Command line: "C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe (PID 2972)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3u0ymqul.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 2416)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB54.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBB53.tmp"
  - C:\Users\Admin\AppData\Local\Temp\NPaqpR.exe (PID 2892)
    Command line: "C:\Users\Admin\AppData\Local\Temp\NPaqpR.exe"
    - Executes dropped EXE
    - Adds Run key to start application
  - C:\Users\Admin\AppData\Local\Temp\svchost.exe (PID 2752)
    Command line: C:\Users\Admin\AppData\Local\Temp\svchost.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\notepad.exe (PID 2956)
      Command line: notepad
Downloads