Analysis
- max time kernel: 150s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 26-07-2024 20:26
Static task: static1
Behavioral task: behavioral1
  Sample: 759659ac9816a28383faeda799b1e6de_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 759659ac9816a28383faeda799b1e6de_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
- Target: 759659ac9816a28383faeda799b1e6de_JaffaCakes118.exe
- Size: 681KB
- MD5: 759659ac9816a28383faeda799b1e6de
- SHA1: 465fd31c664f9766c87bfadf1c147259d8579c37
- SHA256: 11ab6ac3b489b6662c7b638e3e94db436bcac428ce8260b3428611ed600afdc5
- SHA512: 617703e33122f6d81910a21829f44dc0116729fdea39fa11085bef95e22191b5f43e4eb2fa88eca1085042e5562ea385479216005a5ff359fc66b06ddacad590
- SSDEEP: 12288:S+SRRw04j29U9RpijpJDKQ4LP/6NRJ03k4IgKHxqr4M2GbIZv2/vxpgNM11sab2F:i94/Rp20/6ghPKHM2Z23xeW1ai2lgxo
Malware Config
Extracted:
- family: darkcomet
- botnet ID: Guest16
- C2: hakimzaio1.no-ip.biz:1604
- mutex: DC_MUTEX-209H53N
- gencode: PkcUmjfCvV9f
- install: false
- offline_keylogger: true
- persistence: false
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    2360  hoaaa.exe
    2544  iexplore.exe
- Loads dropped DLL (6 IoCs)
  Processes:
    pid   process
    3032  759659ac9816a28383faeda799b1e6de_JaffaCakes118.exe
    3032  759659ac9816a28383faeda799b1e6de_JaffaCakes118.exe
    3032  759659ac9816a28383faeda799b1e6de_JaffaCakes118.exe
    3032  759659ac9816a28383faeda799b1e6de_JaffaCakes118.exe
    3032  759659ac9816a28383faeda799b1e6de_JaffaCakes118.exe
    2360  hoaaa.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    description   ioc                                                          process
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  hoaaa.exe
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  iexplore.exe
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  759659ac9816a28383faeda799b1e6de_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (25 IoCs)
  Processes:
    description                          pid   process
    Token: 33                            3032  759659ac9816a28383faeda799b1e6de_JaffaCakes118.exe
    Token: SeIncBasePriorityPrivilege    3032  759659ac9816a28383faeda799b1e6de_JaffaCakes118.exe
    Token: SeIncreaseQuotaPrivilege      2360  hoaaa.exe
    Token: SeSecurityPrivilege           2360  hoaaa.exe
    Token: SeTakeOwnershipPrivilege      2360  hoaaa.exe
    Token: SeLoadDriverPrivilege         2360  hoaaa.exe
    Token: SeSystemProfilePrivilege      2360  hoaaa.exe
    Token: SeSystemtimePrivilege         2360  hoaaa.exe
    Token: SeProfSingleProcessPrivilege  2360  hoaaa.exe
    Token: SeIncBasePriorityPrivilege    2360  hoaaa.exe
    Token: SeCreatePagefilePrivilege     2360  hoaaa.exe
    Token: SeBackupPrivilege             2360  hoaaa.exe
    Token: SeRestorePrivilege            2360  hoaaa.exe
    Token: SeShutdownPrivilege           2360  hoaaa.exe
    Token: SeDebugPrivilege              2360  hoaaa.exe
    Token: SeSystemEnvironmentPrivilege  2360  hoaaa.exe
    Token: SeChangeNotifyPrivilege       2360  hoaaa.exe
    Token: SeRemoteShutdownPrivilege     2360  hoaaa.exe
    Token: SeUndockPrivilege             2360  hoaaa.exe
    Token: SeManageVolumePrivilege       2360  hoaaa.exe
    Token: SeImpersonatePrivilege        2360  hoaaa.exe
    Token: SeCreateGlobalPrivilege       2360  hoaaa.exe
    Token: 33                            2360  hoaaa.exe
    Token: 34                            2360  hoaaa.exe
    Token: 35                            2360  hoaaa.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
    pid   process
    2360  hoaaa.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                        pid   process                                              target process
    PID 3032 wrote to memory of 2360   3032  759659ac9816a28383faeda799b1e6de_JaffaCakes118.exe  hoaaa.exe
    PID 3032 wrote to memory of 2360   3032  759659ac9816a28383faeda799b1e6de_JaffaCakes118.exe  hoaaa.exe
    PID 3032 wrote to memory of 2360   3032  759659ac9816a28383faeda799b1e6de_JaffaCakes118.exe  hoaaa.exe
    PID 3032 wrote to memory of 2360   3032  759659ac9816a28383faeda799b1e6de_JaffaCakes118.exe  hoaaa.exe
    PID 2360 wrote to memory of 2544   2360  hoaaa.exe                                            iexplore.exe
    PID 2360 wrote to memory of 2544   2360  hoaaa.exe                                            iexplore.exe
    PID 2360 wrote to memory of 2544   2360  hoaaa.exe                                            iexplore.exe
    PID 2360 wrote to memory of 2544   2360  hoaaa.exe                                            iexplore.exe
    PID 2360 wrote to memory of 2612   2360  hoaaa.exe                                            explorer.exe
    PID 2360 wrote to memory of 2612   2360  hoaaa.exe                                            explorer.exe
    PID 2360 wrote to memory of 2612   2360  hoaaa.exe                                            explorer.exe
    PID 2360 wrote to memory of 2612   2360  hoaaa.exe                                            explorer.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\759659ac9816a28383faeda799b1e6de_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\759659ac9816a28383faeda799b1e6de_JaffaCakes118.exe"
  PID: 3032
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\jjjj\1.0.0.0\2012.04.08T19.13\Virtual\STUBEXE\8.0.1135\@DESKTOP@\hoaaa.exe
    Command line: "C:\Users\Admin\Desktop\hoaaa.exe"
    PID: 2360
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\jjjj\1.0.0.0\2012.04.08T19.13\Native\STUBEXE\8.0.1135\@PROGRAMFILES@\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      PID: 2544
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    - C:\Windows\explorer.exe
      Command line: "C:\Windows\explorer.exe"
      PID: 2612
Network
MITRE ATT&CK Enterprise v15
Downloads
- \Users\Admin\AppData\Local\Xenocode\Sandbox\jjjj\1.0.0.0\2012.04.08T19.13\Native\STUBEXE\8.0.1135\@PROGRAMFILES@\Internet Explorer\iexplore.exe
  Filesize: 17KB
  MD5: 83e15607a85eb6252d05c6aedfa028da
  SHA1: b018f91204486641a564e52a977fce59de263c07
  SHA256: a4b68b0650631bb9c1d8ad1b332af503cec3d3fa55fe25ffea8a1f43af9ff3ff
  SHA512: 61d327fae6e8b339649adb3c8beb2d43b9de24df7e0a808f85df2ac51374753042e37f09b4d5b523261eeeaf5b5bbce011f76ec7c312d0f5aea8b2cb667461f3
- \Users\Admin\AppData\Local\Xenocode\Sandbox\jjjj\1.0.0.0\2012.04.08T19.13\Virtual\MODIFIED\@DESKTOP@\hoaaa.exe
  Filesize: 649KB
  MD5: 277d82cb96c5627aaf8cb662ee2be7fa
  SHA1: c47a2bf628f40be300d01651af267bcfbdf46cb5
  SHA256: 5be45ae092102a073ad4fe5e228f393c8270b081837733511bfa5c364f115a9e
  SHA512: 6b3339273eabaaf47f887d3e5334daf61f58917b141a5c363292327378f81b0635a88bee2ab802803a12e50fd1f912822aabe241448f9e13af3885e4d974640f
- \Users\Admin\AppData\Local\Xenocode\Sandbox\jjjj\1.0.0.0\2012.04.08T19.13\Virtual\STUBEXE\8.0.1135\@DESKTOP@\hoaaa.exe
  Filesize: 17KB
  MD5: 4422a8a32fa7895c1eb3cdc97a705cc5
  SHA1: d5dd26bee0f4a47ca784a94f82f553f6bf2321b2
  SHA256: 63b6201b60d2e627cb1b739d882a613693cdc2588decdac40c520e86a80014f3
  SHA512: 4e060cdc6b8182f523d6a47e91afffbb168c389d1e6d5c992333ab3e4e8bd1d533a2a866175438e0d1589fa1270ce1081d1bb8fdcf8a4de45783673be968d867