Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system -
submitted
11-08-2024 06:49
Static task
static1
Behavioral task
behavioral1
Sample
89673c1d2e00671c71a2ab8037cb7da3_JaffaCakes118.exe
Resource
win7-20240708-en
General
-
Target
89673c1d2e00671c71a2ab8037cb7da3_JaffaCakes118.exe
-
Size
890KB
-
MD5
89673c1d2e00671c71a2ab8037cb7da3
-
SHA1
b13a9c7bbcd79cd38b6182da0c22a7426784f0c3
-
SHA256
8c2df3f9cdcef9fd08faf79d1d8eb233e8e5daf3fab6689d67445120ddd2ba7b
-
SHA512
31ac5a99a22f8168e748ebf21b44b7d926381835715626d234fbe2055e1e0a5be150db94469acff357fbf6a5cbd5ce359d20256107a6fffa9c3c591af776ff68
-
SSDEEP
12288:xTmBJtebrqexwPbp1iYXgrlh6fznP2y0+bUjCCPAbpaTu626AZq2X2QJ4N0:xq7teaexwX+lh87l9gjCZbpVfN4mp
Malware Config
Extracted
Family: darkcomet
Campaign ID: Guest16
C2: smr9.no-ip.org:1604
Mutex: DC_MUTEX-NJSZLY8
Guest16 and TCP port 1604 are the DarkComet builder defaults; the no-ip.org dynamic-DNS hostname is the only network indicator this report carries.
-
InstallPath
MSDCSC\lsass.exe
-
gencode
6xtSkc229rlk
-
install
true
-
offline_keylogger
false
-
password
123456
-
persistence
true
-
reg_key
lsass.exe
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: 89673c1d2e00671c71a2ab8037cb7da3_JaffaCakes118.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\MSDCSC\\lsass.exe" | 89673c1d2e00671c71a2ab8037cb7da3_JaffaCakes118.exe
The stock UserInit value is C:\Windows\system32\userinit.exe alone; appending C:\MSDCSC\lsass.exe makes Winlogon launch the dropped RAT at every interactive logon. The name lsass.exe is a masquerade: the legitimate binary lives only in C:\Windows\System32.
-
Executes dropped EXE 2 IoCs
Processes: lsass.exe, lsass.exe
pid | process
2872 | lsass.exe
2916 | lsass.exe
-
Loads dropped DLL 2 IoCs
Processes: 89673c1d2e00671c71a2ab8037cb7da3_JaffaCakes118.exe
pid | process
1980 | 89673c1d2e00671c71a2ab8037cb7da3_JaffaCakes118.exe
1980 | 89673c1d2e00671c71a2ab8037cb7da3_JaffaCakes118.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 89673c1d2e00671c71a2ab8037cb7da3_JaffaCakes118.exe, lsass.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass.exe = "C:\\MSDCSC\\lsass.exe" | 89673c1d2e00671c71a2ab8037cb7da3_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass.exe = "C:\\MSDCSC\\lsass.exe" | lsass.exe
Both the hollowed dropper (PID 1980) and the running implant (PID 2916) write the same per-user Run value, so the key is re-created if it is removed while the RAT is running.
-
Suspicious use of SetThreadContext 2 IoCs
Processes: 89673c1d2e00671c71a2ab8037cb7da3_JaffaCakes118.exe, lsass.exe
description | pid | process | target process
PID 1732 set thread context of 1980 | 1732 | 89673c1d2e00671c71a2ab8037cb7da3_JaffaCakes118.exe | 89673c1d2e00671c71a2ab8037cb7da3_JaffaCakes118.exe
PID 2872 set thread context of 2916 | 2872 | lsass.exe | lsass.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
Processes: 89673c1d2e00671c71a2ab8037cb7da3_JaffaCakes118.exe (x2), lsass.exe (x2)
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 89673c1d2e00671c71a2ab8037cb7da3_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 89673c1d2e00671c71a2ab8037cb7da3_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lsass.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lsass.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: lsass.exe
pid | process
2916 | lsass.exe
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
Processes: 89673c1d2e00671c71a2ab8037cb7da3_JaffaCakes118.exe, lsass.exe
description | pid | process
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 | 1980 | 89673c1d2e00671c71a2ab8037cb7da3_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 | 2916 | lsass.exe
Each hollowed process adjusts the same 23 privileges on its own token (23 x 2 = 46 IoCs). The numeric LUIDs 33, 34 and 35 are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege, which the sandbox reports by number. Enabling every privilege in one sweep, SeDebugPrivilege included, is the pattern of a RAT calling AdjustTokenPrivileges for everything its token may hold rather than for a specific need.
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes: 89673c1d2e00671c71a2ab8037cb7da3_JaffaCakes118.exe, 89673c1d2e00671c71a2ab8037cb7da3_JaffaCakes118.exe, lsass.exe
description | pid | process | target process
PID 1732 wrote to memory of 1980 (13 times) | 1732 | 89673c1d2e00671c71a2ab8037cb7da3_JaffaCakes118.exe | 89673c1d2e00671c71a2ab8037cb7da3_JaffaCakes118.exe
PID 1980 wrote to memory of 2872 (4 times) | 1980 | 89673c1d2e00671c71a2ab8037cb7da3_JaffaCakes118.exe | lsass.exe
PID 2872 wrote to memory of 2916 (13 times) | 2872 | lsass.exe | lsass.exe
The 1732 -> 1980 and 2872 -> 2916 write bursts each pair with a SetThreadContext call on the same target (see above): the usual hollowing sequence, in which the parent spawns a copy of its own image, overwrites it in memory and redirects its thread. The four writes from 1980 into 2872 have no matching SetThreadContext and occur around the launch of the dropped C:\MSDCSC\lsass.exe.
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\89673c1d2e00671c71a2ab8037cb7da3_JaffaCakes118.exe (PID 1732)
    Command line: "C:\Users\Admin\AppData\Local\Temp\89673c1d2e00671c71a2ab8037cb7da3_JaffaCakes118.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\89673c1d2e00671c71a2ab8037cb7da3_JaffaCakes118.exe (PID 1980, spawned by 1732)
      Command line: C:\Users\Admin\AppData\Local\Temp\89673c1d2e00671c71a2ab8037cb7da3_JaffaCakes118.exe
      - Modifies WinLogon for persistence
      - Loads dropped DLL
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\MSDCSC\lsass.exe (PID 2872, spawned by 1980)
        Command line: "C:\MSDCSC\lsass.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\MSDCSC\lsass.exe (PID 2916, spawned by 2872)
          Command line: C:\MSDCSC\lsass.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
Levels 1 -> 2 and 3 -> 4 are self-spawns of the same image that serve as hollowing hosts; the observable work (registry persistence, privilege adjustment, foreground-window polling) happens in the hollowed children, PIDs 1980 and 2916.
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (T1547): 2
    Registry Run Keys / Startup Folder (T1547.001): 1
    Winlogon Helper DLL (T1547.004): 1
Privilege Escalation
  Boot or Logon Autostart Execution (T1547): 2
    Registry Run Keys / Startup Folder (T1547.001): 1
    Winlogon Helper DLL (T1547.004): 1
Downloads
-
Sample (same hashes as in General above)
Filesize: 890KB
MD5: 89673c1d2e00671c71a2ab8037cb7da3
SHA1: b13a9c7bbcd79cd38b6182da0c22a7426784f0c3
SHA256: 8c2df3f9cdcef9fd08faf79d1d8eb233e8e5daf3fab6689d67445120ddd2ba7b
SHA512: 31ac5a99a22f8168e748ebf21b44b7d926381835715626d234fbe2055e1e0a5be150db94469acff357fbf6a5cbd5ce359d20256107a6fffa9c3c591af776ff68