Analysis
-
max time kernel
149s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
01-08-2024 03:00
Static task
static1
Behavioral task
behavioral1
Sample
7eeef1990b0a4af6b465c10a86880b66_JaffaCakes118.exe
Resource
win7-20240729-en
General
-
Target
7eeef1990b0a4af6b465c10a86880b66_JaffaCakes118.exe
-
Size
384KB
-
MD5
7eeef1990b0a4af6b465c10a86880b66
-
SHA1
b4f69cb08bcd395a2c7bce52a61e13d78ee6fd8c
-
SHA256
50468539cb23b07d310e2a1de807662e57715bd844d6d2aa3be7d7fac7b87f01
-
SHA512
3f4035d9f663d7812ead85960028bd25402e8667335353ae8f49cda35db6785c9e907f0efdd6286c2d38522569f9f982c7c43f3c170cfebac747e6e3cb242af3
-
SSDEEP
6144:gT+zyLfDv+c5yhqNM/s6OL06yVn61oTdWfOgXGebZM/EWhx+DHGnxZ:gT+zeDVAhqIzWwuoTLgXhVM/EK4Dmj
Malware Config
Extracted
darkcomet
Guest16
127.0.0.1:1604
DC_MUTEX-F54S21D
-
gencode
pYHN7iXDsAb9
-
install
false
-
offline_keylogger
true
-
persistence
false
Signatures
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
7eeef1990b0a4af6b465c10a86880b66_JaffaCakes118.exedescription pid process target process PID 2208 set thread context of 2864 2208 7eeef1990b0a4af6b465c10a86880b66_JaffaCakes118.exe iexplore.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
iexplore.exe7eeef1990b0a4af6b465c10a86880b66_JaffaCakes118.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language iexplore.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7eeef1990b0a4af6b465c10a86880b66_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 46 IoCs
Processes:
7eeef1990b0a4af6b465c10a86880b66_JaffaCakes118.exeiexplore.exedescription pid process Token: SeIncreaseQuotaPrivilege 2208 7eeef1990b0a4af6b465c10a86880b66_JaffaCakes118.exe Token: SeSecurityPrivilege 2208 7eeef1990b0a4af6b465c10a86880b66_JaffaCakes118.exe Token: SeTakeOwnershipPrivilege 2208 7eeef1990b0a4af6b465c10a86880b66_JaffaCakes118.exe Token: SeLoadDriverPrivilege 2208 7eeef1990b0a4af6b465c10a86880b66_JaffaCakes118.exe Token: SeSystemProfilePrivilege 2208 7eeef1990b0a4af6b465c10a86880b66_JaffaCakes118.exe Token: SeSystemtimePrivilege 2208 7eeef1990b0a4af6b465c10a86880b66_JaffaCakes118.exe Token: SeProfSingleProcessPrivilege 2208 7eeef1990b0a4af6b465c10a86880b66_JaffaCakes118.exe Token: SeIncBasePriorityPrivilege 2208 7eeef1990b0a4af6b465c10a86880b66_JaffaCakes118.exe Token: SeCreatePagefilePrivilege 2208 7eeef1990b0a4af6b465c10a86880b66_JaffaCakes118.exe Token: SeBackupPrivilege 2208 7eeef1990b0a4af6b465c10a86880b66_JaffaCakes118.exe Token: SeRestorePrivilege 2208 7eeef1990b0a4af6b465c10a86880b66_JaffaCakes118.exe Token: SeShutdownPrivilege 2208 7eeef1990b0a4af6b465c10a86880b66_JaffaCakes118.exe Token: SeDebugPrivilege 2208 7eeef1990b0a4af6b465c10a86880b66_JaffaCakes118.exe Token: SeSystemEnvironmentPrivilege 2208 7eeef1990b0a4af6b465c10a86880b66_JaffaCakes118.exe Token: SeChangeNotifyPrivilege 2208 7eeef1990b0a4af6b465c10a86880b66_JaffaCakes118.exe Token: SeRemoteShutdownPrivilege 2208 7eeef1990b0a4af6b465c10a86880b66_JaffaCakes118.exe Token: SeUndockPrivilege 2208 7eeef1990b0a4af6b465c10a86880b66_JaffaCakes118.exe Token: SeManageVolumePrivilege 2208 7eeef1990b0a4af6b465c10a86880b66_JaffaCakes118.exe Token: SeImpersonatePrivilege 2208 7eeef1990b0a4af6b465c10a86880b66_JaffaCakes118.exe Token: SeCreateGlobalPrivilege 2208 7eeef1990b0a4af6b465c10a86880b66_JaffaCakes118.exe Token: 33 2208 7eeef1990b0a4af6b465c10a86880b66_JaffaCakes118.exe Token: 34 2208 7eeef1990b0a4af6b465c10a86880b66_JaffaCakes118.exe Token: 35 2208 7eeef1990b0a4af6b465c10a86880b66_JaffaCakes118.exe Token: SeIncreaseQuotaPrivilege 2864 iexplore.exe Token: SeSecurityPrivilege 2864 iexplore.exe Token: SeTakeOwnershipPrivilege 2864 iexplore.exe Token: SeLoadDriverPrivilege 2864 iexplore.exe Token: SeSystemProfilePrivilege 2864 iexplore.exe Token: SeSystemtimePrivilege 2864 iexplore.exe Token: SeProfSingleProcessPrivilege 2864 iexplore.exe Token: SeIncBasePriorityPrivilege 2864 iexplore.exe Token: SeCreatePagefilePrivilege 2864 iexplore.exe Token: SeBackupPrivilege 2864 iexplore.exe Token: SeRestorePrivilege 2864 iexplore.exe Token: SeShutdownPrivilege 2864 iexplore.exe Token: SeDebugPrivilege 2864 iexplore.exe Token: SeSystemEnvironmentPrivilege 2864 iexplore.exe Token: SeChangeNotifyPrivilege 2864 iexplore.exe Token: SeRemoteShutdownPrivilege 2864 iexplore.exe Token: SeUndockPrivilege 2864 iexplore.exe Token: SeManageVolumePrivilege 2864 iexplore.exe Token: SeImpersonatePrivilege 2864 iexplore.exe Token: SeCreateGlobalPrivilege 2864 iexplore.exe Token: 33 2864 iexplore.exe Token: 34 2864 iexplore.exe Token: 35 2864 iexplore.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
iexplore.exepid process 2864 iexplore.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
7eeef1990b0a4af6b465c10a86880b66_JaffaCakes118.exedescription pid process target process PID 2208 wrote to memory of 2864 2208 7eeef1990b0a4af6b465c10a86880b66_JaffaCakes118.exe iexplore.exe PID 2208 wrote to memory of 2864 2208 7eeef1990b0a4af6b465c10a86880b66_JaffaCakes118.exe iexplore.exe PID 2208 wrote to memory of 2864 2208 7eeef1990b0a4af6b465c10a86880b66_JaffaCakes118.exe iexplore.exe PID 2208 wrote to memory of 2864 2208 7eeef1990b0a4af6b465c10a86880b66_JaffaCakes118.exe iexplore.exe PID 2208 wrote to memory of 2864 2208 7eeef1990b0a4af6b465c10a86880b66_JaffaCakes118.exe iexplore.exe PID 2208 wrote to memory of 2864 2208 7eeef1990b0a4af6b465c10a86880b66_JaffaCakes118.exe iexplore.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7eeef1990b0a4af6b465c10a86880b66_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\7eeef1990b0a4af6b465c10a86880b66_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2864