Analysis
max time kernel: 149s
max time network: 125s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 26-07-2024 14:24
Static task: static1
Behavioral task: behavioral1
Sample: 746f7391381312f198f1503a294cac3e_JaffaCakes118.exe
Resource: win7-20240708-en
General
Target: 746f7391381312f198f1503a294cac3e_JaffaCakes118.exe
Size: 785KB
MD5: 746f7391381312f198f1503a294cac3e
SHA1: b1cb209e1e4604e451100f59fbb323e8fbb8fe81
SHA256: 02b8b255bad9a0b4011b531e830008a0abf02d501f5339a05ecc25e161d5eb75
SHA512: 3127d6a750f0896e8cd4cbe1058f39d06633cbcea9e95c94462200f48210d73904fb5e003af296d2d05db7df1ed9264cb5804b0a9f748996f54359e09c9e702a
SSDEEP: 24576:PT4H9LNgqq/29Obvmt0A5OzmKtNmG/b3rt8VlllXZ1D:PT4jgDbDmt06IEVlllXD
Malware Config
Extracted
family: darkcomet
campaign ID: Guest16
C2: 127.0.0.1:1604
mutex: DC_MUTEX-5HZDY0Z
gencode: punQMW272CsU
install: false
offline_keylogger: true
persistence: false
Signatures

Executes dropped EXE (1 IoC)
Processes: PID 2928 tmp.tmp.tmp1

Drops file in Windows directory (1 IoC)
Processes: File opened for modification: C:\Windows\tmp.tmp.tmp1 (by 746f7391381312f198f1503a294cac3e_JaffaCakes118.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (by 746f7391381312f198f1503a294cac3e_JaffaCakes118.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (by tmp.tmp.tmp1)

Suspicious use of AdjustPrivilegeToken (23 IoCs)
Processes: PID 2928 tmp.tmp.tmp1 adjusted the following token privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: PID 1716 746f7391381312f198f1503a294cac3e_JaffaCakes118.exe; PID 2928 tmp.tmp.tmp1

Suspicious use of WriteProcessMemory (4 IoCs)
Processes: PID 1716 (746f7391381312f198f1503a294cac3e_JaffaCakes118.exe) wrote to memory of PID 2928 (tmp.tmp.tmp1), 4 occurrences
Processes

1. C:\Users\Admin\AppData\Local\Temp\746f7391381312f198f1503a294cac3e_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\746f7391381312f198f1503a294cac3e_JaffaCakes118.exe"
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 1716

   2. C:\Windows\tmp.tmp.tmp1
      Command line: C:\Windows\tmp.tmp.tmp1
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      PID: 2928
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 757KB
MD5: 9336f1bbc7b7c34c4939b6ff96b2a05d
SHA1: 8c80abf6269f7d5f8b86fb25245b45150ba8a09b
SHA256: 273f1248609c3bd6e1021d6f7be9d6e0faf9b2129ce60d63f787281c5a430e32
SHA512: 9c8003a4b4060f5a62ccafa06e8b6586b4994602b41b91c5dfb476b27f463e9c438806e3a326567a670466f8c0ba0459aeb6be16ffcea5c38e38857014dea10b