Analysis
max time kernel: 150s
max time network: 127s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 31-07-2024 13:30
Static task: static1
Behavioral task: behavioral1
Sample: 7c9ae8488746834bc5ec11ab54e68d29_JaffaCakes118.exe
Resource: win7-20240705-en
General
Target: 7c9ae8488746834bc5ec11ab54e68d29_JaffaCakes118.exe
Size: 430KB
MD5: 7c9ae8488746834bc5ec11ab54e68d29
SHA1: 3115ba864f2e784303612a371d032be344a2f38f
SHA256: 769af23207f07f92372bb3b2924a6f2f7c8834f1a0c18137941b5ad204329b71
SHA512: 42e2cbe99b4d4541dc02548d59d0590a9e962d0dfbec93ce39a03b99ed5a78dfac64332116c36d2196b5b555deeec8ad1287ba1035da02c1c799f3b9b003c0f6
SSDEEP: 12288:SLoQy901VSRXatHYj0ib1nV3l/6oLgDD:WyMYM4jRv3lvgD
Malware Config
Extracted family: darkcomet
ID: Guest16
C2: 127.0.0.1:1604
Mutex: DC_MUTEX-F54S21D
gencode: 0pAtwdXMAyDm
install: false
offline_keylogger: true
persistence: false
Note: Guest16 is DarkComet's default server ID and 1604 its default listener port. The C2 is the loopback address, so this build cannot reach a remote controller and will only ever connect to itself; install=false and persistence=false mean the RAT is configured to run in place, neither copying itself to a fixed location nor registering its own autorun entry.
Signatures
Executes dropped EXE (1 IoC)
  pid 2696  JEXE~1.EXE
Loads dropped DLL (3 IoCs)
  pid 2152  7c9ae8488746834bc5ec11ab54e68d29_JaffaCakes118.exe
  pid 2152  7c9ae8488746834bc5ec11ab54e68d29_JaffaCakes118.exe
  pid 2696  JEXE~1.EXE
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by 7c9ae8488746834bc5ec11ab54e68d29_JaffaCakes118.exe (value shown with the report's own escaping):
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Caveat: this RunOnce value is written by the wextract/IExpress self-extractor stub that wraps the payload, not by the RAT. IXP000.TMP is that stub's extraction directory, and the value schedules rundll32 to call advpack.dll!DelNodeRunDLL32 at next logon to delete it. It is cleanup, not attacker-authored persistence, which agrees with install=false and persistence=false in the extracted config. The Wow6432Node path shows the 32-bit stub writing through the WOW64 registry redirector on the x64 image.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 7c9ae8488746834bc5ec11ab54e68d29_JaffaCakes118.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by JEXE~1.EXE
Suspicious use of AdjustPrivilegeToken (23 IoCs)
  pid 2696 JEXE~1.EXE enabled: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  Note: the child enables essentially every privilege present in its token in one sweep rather than just SeDebugPrivilege, which is why 23 IoCs come from a single process. The three numeric entries are privilege LUIDs the sandbox did not resolve to names; in winnt.h 33, 34 and 35 are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege.
Suspicious use of SetWindowsHookEx (1 IoC)
  pid 2696  JEXE~1.EXE
  Note: a Windows hook installed by the RAT process is consistent with offline_keylogger=true in the extracted config.
Suspicious use of WriteProcessMemory (7 IoCs)
  PID 2152 (7c9ae8488746834bc5ec11ab54e68d29_JaffaCakes118.exe) wrote to the memory of PID 2696 (JEXE~1.EXE), 7 times.
  Caveat: every write goes from the parent into the child it has just created, which is what ordinary process creation of the dropped executable looks like to this signature. Nothing here shows code being injected into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\7c9ae8488746834bc5ec11ab54e68d29_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7c9ae8488746834bc5ec11ab54e68d29_JaffaCakes118.exe"
   PID: 2152
   - Loads dropped DLL
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JEXE~1.EXE (child of PID 2152)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JEXE~1.EXE
      PID: 2696
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
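The signatures and process tree above are the raw material of a triage decision: which autorun write is real persistence, whether the configured C2 can ever be reached, and whether the observed behaviour agrees with the extracted config. The following script is an added example of that triage, not part of the sandbox report or of any sandbox vendor's tooling. The event dicts are constructed from the rows above, and their field names (op, pid, key, value, target, path) are this script's own, not the sandbox's export format. It labels the wextract_cleanup RunOnce write as self-extractor cleanup, flags a loopback C2 as unreachable, cross-checks persistence against the config, and rebuilds the parent/child tree from the memory-write events.

```python
"""Triage helper for a DarkComet sandbox report (example code, not the report's).

Assumptions: events are dicts in the ad hoc shape constructed below, the
extracted config is a dict with the fields shown in the report, and the
regex patterns encode what a reviewer knows about IExpress/wextract stubs.
"""
import ipaddress
import re

# Constructed from the report's signature rows; field names are this script's own.
EVENTS = [
    {"op": "regset", "pid": 2152, "image": "7c9ae8488746834bc5ec11ab54e68d29_JaffaCakes118.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     "value": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'},
    {"op": "wpm", "pid": 2152, "target": 2696},
    {"op": "wpm", "pid": 2152, "target": 2696},
    {"op": "exec", "pid": 2696, "image": "JEXE~1.EXE",
     "path": r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JEXE~1.EXE"},
]

# Extracted config as listed in the report.
CONFIG = {"family": "darkcomet", "id": "Guest16", "c2": "127.0.0.1:1604",
          "mutex": "DC_MUTEX-F54S21D", "install": False, "persistence": False}

RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
SFX_CLEANUP = re.compile(r"\\RunOnce\\wextract_cleanup\d+$", re.I)
DELNODE = re.compile(r"advpack\.dll,DelNodeRunDLL32", re.I)
SFX_TEMP_DIR = re.compile(r"\\IXP\d{3}\.TMP\\", re.I)


def classify_regset(key, value):
    """Label an autorun-key write.

    wextract_cleanupN under RunOnce pointing at advpack.dll,DelNodeRunDLL32 is the
    IExpress/wextract self-extractor scheduling deletion of its IXP*.TMP directory
    at next logon; it is cleanup, not attacker-authored persistence.
    """
    if SFX_CLEANUP.search(key) and DELNODE.search(value):
        return "sfx_cleanup"
    if RUN_KEY.search(key):
        return "persistence"
    return "other"


def c2_is_reachable(c2):
    """False for loopback/unspecified C2 addresses (the build can never call home).

    Hostnames cannot be judged offline, so they are assumed reachable.
    """
    host = c2.rsplit(":", 1)[0]
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True
    return not (addr.is_loopback or addr.is_unspecified)


def process_tree(events):
    """Parent -> sorted children, derived from WriteProcessMemory-style events."""
    tree = {}
    for e in events:
        if e["op"] == "wpm":
            tree.setdefault(e["pid"], set()).add(e["target"])
    return {parent: sorted(children) for parent, children in tree.items()}


def triage(events, config):
    """Combine the checks into one verdict dict a reviewer can assert on."""
    labels = [classify_regset(e["key"], e["value"]) for e in events if e["op"] == "regset"]
    observed_persistence = "persistence" in labels
    return {
        "family": config["family"],
        "mutex_is_darkcomet": config["mutex"].startswith("DC_MUTEX-"),
        "c2_reachable": c2_is_reachable(config["c2"]),
        "regset_labels": labels,
        "observed_persistence": observed_persistence,
        # A mismatch here would mean the sample does something its config denies.
        "config_consistent": observed_persistence == config["persistence"],
        "tree": process_tree(events),
        "dropped_from_sfx": any(e["op"] == "exec" and SFX_TEMP_DIR.search(e.get("path", ""))
                                for e in events),
    }


if __name__ == "__main__":
    for k, v in triage(EVENTS, CONFIG).items():
        print(f"{k}: {v}")
```

Run as-is it reports the RunOnce write as sfx_cleanup, the C2 as unreachable, persistence as absent and consistent with the config, and a tree of 2152 -> [2696]. Swap in a Run-key write from the child or a routable C2 and the verdict changes accordingly, which is the point: the generic "Adds Run key" signature alone would have scored this as persistence.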
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 660KB
MD5: 6a13354dd555e071f442fc95c4880fa2
SHA1: d33174bb58c9916876b54082b7d858a0bd71fedf
SHA256: b0068e1853bd861f3907ab5c93978eebb699a95ae14f352337de12b8f537fe22
SHA512: 9c3ecb28d028eedf29582e10cd74e25c968c492857044124749ccd917c29820d3641b4f77f9836e6cbd3844909c457e35ee21b949eb52cde0c6a05bf07e4fc45