Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 01-08-2024 12:21
Static task: static1
Behavioral task: behavioral1
Sample: 807db56ebe8ed9ccbcc7f74e531d3031_JaffaCakes118.exe
Resource: win7-20240729-en
General
Target: 807db56ebe8ed9ccbcc7f74e531d3031_JaffaCakes118.exe
Size: 532KB
MD5: 807db56ebe8ed9ccbcc7f74e531d3031
SHA1: 2e7578b9e9f0cc87dba222f23c93ed792a39c4c1
SHA256: f7ee8851507a15aba2a9b9cbfb46e5a4aaa70c900c496409a79433ddeb9fbe29
SHA512: 3ef37f25d8a380af75c4222acbb3c1d4c5ec8925f2207cd642cfc49b7ca17fd7ad7c05fd2b9618a0c964f81d272db6d697c84644ff57a1aa10b46d3b42ac31ab
SSDEEP: 12288:neJMKa8NSOGmIq1SFToJJhvdv/z1gzF9zZijkiT9+:e+KaMSO6qMFTibBL152
Malware Config
Extracted: darkcomet
Guest16
drgh.no-ip.biz:1604
DC_MUTEX-JRUALJP
gencode: z4pSQ6YBTt5f
install: false
offline_keylogger: true
password: 0123456789
persistence: false
Signatures

Program crash (1 IoCs)
Processes:
pid | pid_target | process | target process
2952 | 1904 | WerFault.exe | iexplore.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes:
description | pid | process | target process
PID 2124 set thread context of 1904 | 2124 | 807db56ebe8ed9ccbcc7f74e531d3031_JaffaCakes118.exe | iexplore.exe
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 807db56ebe8ed9ccbcc7f74e531d3031_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iexplore.exe
Suspicious use of AdjustPrivilegeToken (23 IoCs)
Processes: 807db56ebe8ed9ccbcc7f74e531d3031_JaffaCakes118.exe (PID 2124), one IoC per token:
- Token: SeIncreaseQuotaPrivilege
- Token: SeSecurityPrivilege
- Token: SeTakeOwnershipPrivilege
- Token: SeLoadDriverPrivilege
- Token: SeSystemProfilePrivilege
- Token: SeSystemtimePrivilege
- Token: SeProfSingleProcessPrivilege
- Token: SeIncBasePriorityPrivilege
- Token: SeCreatePagefilePrivilege
- Token: SeBackupPrivilege
- Token: SeRestorePrivilege
- Token: SeShutdownPrivilege
- Token: SeDebugPrivilege
- Token: SeSystemEnvironmentPrivilege
- Token: SeChangeNotifyPrivilege
- Token: SeRemoteShutdownPrivilege
- Token: SeUndockPrivilege
- Token: SeManageVolumePrivilege
- Token: SeImpersonatePrivilege
- Token: SeCreateGlobalPrivilege
- Token: 33
- Token: 34
- Token: 35
Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
description | pid | process | target process
PID 2124 wrote to memory of 1904 | 2124 | 807db56ebe8ed9ccbcc7f74e531d3031_JaffaCakes118.exe | iexplore.exe (6 identical rows)
PID 1904 wrote to memory of 2952 | 1904 | iexplore.exe | WerFault.exe (4 identical rows)
Processes
1. C:\Users\Admin\AppData\Local\Temp\807db56ebe8ed9ccbcc7f74e531d3031_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\807db56ebe8ed9ccbcc7f74e531d3031_JaffaCakes118.exe"
   PID: 2124
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      PID: 1904
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 196
         PID: 2952
         - Program crash