Analysis
- max time kernel: 96s
- max time network: 135s
- platform: windows10-2004_x64
- resource: win10v2004-20240730-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-08-2024 12:21

Static task: static1
Behavioral task: behavioral1
- Sample: 807db56ebe8ed9ccbcc7f74e531d3031_JaffaCakes118.exe
- Resource: win7-20240729-en
General
- Target: 807db56ebe8ed9ccbcc7f74e531d3031_JaffaCakes118.exe
- Size: 532KB
- MD5: 807db56ebe8ed9ccbcc7f74e531d3031
- SHA1: 2e7578b9e9f0cc87dba222f23c93ed792a39c4c1
- SHA256: f7ee8851507a15aba2a9b9cbfb46e5a4aaa70c900c496409a79433ddeb9fbe29
- SHA512: 3ef37f25d8a380af75c4222acbb3c1d4c5ec8925f2207cd642cfc49b7ca17fd7ad7c05fd2b9618a0c964f81d272db6d697c84644ff57a1aa10b46d3b42ac31ab
- SSDEEP: 12288:neJMKa8NSOGmIq1SFToJJhvdv/z1gzF9zZijkiT9+:e+KaMSO6qMFTibBL152
Malware Config
Extracted
- Family: darkcomet
- Botnet: Guest16
- C2: drgh.no-ip.biz:1604
- Mutex: DC_MUTEX-JRUALJP
- gencode: z4pSQ6YBTt5f
- install: false
- offline_keylogger: true
- password: 0123456789
- persistence: false
Signatures

- Program crash (1 IoC)
  Processes:
    pid   pid_target  process       target process
    1616  1716        WerFault.exe  iexplore.exe

- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          pid   process                                             target process
    PID 3644 set thread context of 1716  3644  807db56ebe8ed9ccbcc7f74e531d3031_JaffaCakes118.exe  iexplore.exe
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    description  ioc                                                          process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  807db56ebe8ed9ccbcc7f74e531d3031_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  Processes: all 24 IoCs come from pid 3644, 807db56ebe8ed9ccbcc7f74e531d3031_JaffaCakes118.exe. Tokens adjusted:
    Token: SeIncreaseQuotaPrivilege
    Token: SeSecurityPrivilege
    Token: SeTakeOwnershipPrivilege
    Token: SeLoadDriverPrivilege
    Token: SeSystemProfilePrivilege
    Token: SeSystemtimePrivilege
    Token: SeProfSingleProcessPrivilege
    Token: SeIncBasePriorityPrivilege
    Token: SeCreatePagefilePrivilege
    Token: SeBackupPrivilege
    Token: SeRestorePrivilege
    Token: SeShutdownPrivilege
    Token: SeDebugPrivilege
    Token: SeSystemEnvironmentPrivilege
    Token: SeChangeNotifyPrivilege
    Token: SeRemoteShutdownPrivilege
    Token: SeUndockPrivilege
    Token: SeManageVolumePrivilege
    Token: SeImpersonatePrivilege
    Token: SeCreateGlobalPrivilege
    Token: 33
    Token: 34
    Token: 35
    Token: 36

- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
    description                         pid   process                                             target process
    PID 3644 wrote to memory of 1716    3644  807db56ebe8ed9ccbcc7f74e531d3031_JaffaCakes118.exe  iexplore.exe
    PID 3644 wrote to memory of 1716    3644  807db56ebe8ed9ccbcc7f74e531d3031_JaffaCakes118.exe  iexplore.exe
    PID 3644 wrote to memory of 1716    3644  807db56ebe8ed9ccbcc7f74e531d3031_JaffaCakes118.exe  iexplore.exe
    PID 3644 wrote to memory of 1716    3644  807db56ebe8ed9ccbcc7f74e531d3031_JaffaCakes118.exe  iexplore.exe
    PID 3644 wrote to memory of 1716    3644  807db56ebe8ed9ccbcc7f74e531d3031_JaffaCakes118.exe  iexplore.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\807db56ebe8ed9ccbcc7f74e531d3031_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\807db56ebe8ed9ccbcc7f74e531d3031_JaffaCakes118.exe"
   PID: 3644
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      PID: 1716

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 284
         PID: 1616
         - Program crash

1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1716 -ip 1716
   PID: 3380