Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/07/2024, 00:16
Static task: static1
Behavioral task behavioral1: sample 65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe, resource win7-20240705-en
Behavioral task behavioral2: sample 65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe, resource win10v2004-20240709-en
General
Target: 65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe
Size: 819KB
MD5: 65642f6048c56ff3ae6fb6cb91330e15
SHA1: 541cdd3507d5a80e04d2700e788649cf1df41a27
SHA256: 2d2abd10b60d6464e062eaa347bbeb48aa78a9cde4217a1f2c2cfc301953c9de
SHA512: ec63b50e5ec96d9162b86299293aa894092b8141ae79846dda1439477d670aa3bb030b54bc2b526c249c548a79182b8faf5d2d8872ae82a02a5b8ffab34e3a0f
SSDEEP: 24576:8z////TfavT+0lJsnl/DwGts3nngrwF7ubcTRmgYaneKw9hSegs5cHCdEcRmUhsx:kkT+0onl/DwGts3nngrwF7ubcYgYan5v
Malware Config
Extracted family: darkcomet
Botnet: Spreaded
C2: simproxid.no-ip.org:1604
Mutex: DC_MUTEX-MXX0V30
gencode: jll1Ljobqc1P
install: false
offline_keylogger: true
persistence: false
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation
  Process: 65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe

Executes dropped EXE (2 IoCs)
  PID 6112: NPaqpR.exe
  PID 5980: svchost.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\javawi.exe"
  Process: NPaqpR.exe

Suspicious use of SetThreadContext (1 IoC)
  PID 5344 (65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe) set thread context of PID 5980 (procid_target 92)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (25 IoCs)
  PID 5344 (65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe): SeDebugPrivilege
  PID 5980 (svchost.exe): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 5980: svchost.exe

Suspicious use of WriteProcessMemory (45 IoCs)
  source PID (process) -> target PID (procid_target): number of writes recorded
  5344 (65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe) -> 4412 (86): 3
  4412 (csc.exe) -> 912 (89): 3
  5344 (65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe) -> 6112 (91): 3
  5344 (65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe) -> 5980 (92): 14
  5980 (svchost.exe) -> 5916 (93): 22
Processes

C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe (PID 5344)
  Command line: "C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe (PID 4412)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mfo8zr_a.cmdline"
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 912)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB92F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB92E.tmp"

  C:\Users\Admin\AppData\Local\Temp\NPaqpR.exe (PID 6112)
    Command line: "C:\Users\Admin\AppData\Local\Temp\NPaqpR.exe"
    - Executes dropped EXE
    - Adds Run key to start application

  C:\Users\Admin\AppData\Local\Temp\svchost.exe (PID 5980)
    Command line: C:\Users\Admin\AppData\Local\Temp\svchost.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\notepad.exe (PID 5916)
      Command line: notepad
Network
MITRE ATT&CK Enterprise v15
Downloads