Analysis
max time kernel: 150s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/08/2024, 22:27
Static task: static1
Behavioral task: behavioral1
Sample: acd426055b1c58e8f322993bfafd16b0_JaffaCakes118.exe
Resource: win7-20240705-en
General
Target: acd426055b1c58e8f322993bfafd16b0_JaffaCakes118.exe
Size: 368KB
MD5: acd426055b1c58e8f322993bfafd16b0
SHA1: fbbd25fefb8dff81d6ba2d017b8ec311f291f10b
SHA256: 511c2164990ee3d37cd456adc3f45807bf6206a58505479acffd0d4c9a5671f7
SHA512: d08b199fd0563647b33639d1c3086759044ee1010c0eb6e9e1821dd51943e6199dd165adfe82af39b53d014b3e9867b928742eb4cb01d12940ddcb46a054e6b4
SSDEEP: 6144:jX6GsHrzGkmp/7ap1XSDgROePpdqf+wUFsVGv4cQFXxnO+KxDy:LrsLzMp/7aphSkxpAfhkO1hKy
Malware Config
Extracted
Family: darkcomet
Botnet: Guest16
C2: aniss1.no-ip.biz:82
Mutex: DC_MUTEX-N60MKLN
gencode: DPgy4ZqsndoU
install: false
offline_keylogger: true
password: 123
persistence: false
Signatures

Modifies firewall policy service (3 TTPs, 3 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | acd426055b1c58e8f322993bfafd16b0_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | acd426055b1c58e8f322993bfafd16b0_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | acd426055b1c58e8f322993bfafd16b0_JaffaCakes118.exe

Windows security bypass (2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | acd426055b1c58e8f322993bfafd16b0_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | acd426055b1c58e8f322993bfafd16b0_JaffaCakes118.exe

Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
pid | Process
1548 | attrib.exe
4484 | attrib.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | acd426055b1c58e8f322993bfafd16b0_JaffaCakes118.exe

Windows security modification (2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | acd426055b1c58e8f322993bfafd16b0_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | acd426055b1c58e8f322993bfafd16b0_JaffaCakes118.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | acd426055b1c58e8f322993bfafd16b0_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
4808 | acd426055b1c58e8f322993bfafd16b0_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken (24 IoCs)
All 24 entries are from pid 4808, acd426055b1c58e8f322993bfafd16b0_JaffaCakes118.exe.
description
Token: SeIncreaseQuotaPrivilege
Token: SeSecurityPrivilege
Token: SeTakeOwnershipPrivilege
Token: SeLoadDriverPrivilege
Token: SeSystemProfilePrivilege
Token: SeSystemtimePrivilege
Token: SeProfSingleProcessPrivilege
Token: SeIncBasePriorityPrivilege
Token: SeCreatePagefilePrivilege
Token: SeBackupPrivilege
Token: SeRestorePrivilege
Token: SeShutdownPrivilege
Token: SeDebugPrivilege
Token: SeSystemEnvironmentPrivilege
Token: SeChangeNotifyPrivilege
Token: SeRemoteShutdownPrivilege
Token: SeUndockPrivilege
Token: SeManageVolumePrivilege
Token: SeImpersonatePrivilege
Token: SeCreateGlobalPrivilege
Token: 33
Token: 34
Token: 35
Token: 36
Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
4808 | acd426055b1c58e8f322993bfafd16b0_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 4808 wrote to memory of 3316 | 4808 | acd426055b1c58e8f322993bfafd16b0_JaffaCakes118.exe | 85
PID 4808 wrote to memory of 3316 | 4808 | acd426055b1c58e8f322993bfafd16b0_JaffaCakes118.exe | 85
PID 4808 wrote to memory of 3316 | 4808 | acd426055b1c58e8f322993bfafd16b0_JaffaCakes118.exe | 85
PID 4808 wrote to memory of 3624 | 4808 | acd426055b1c58e8f322993bfafd16b0_JaffaCakes118.exe | 86
PID 4808 wrote to memory of 3624 | 4808 | acd426055b1c58e8f322993bfafd16b0_JaffaCakes118.exe | 86
PID 4808 wrote to memory of 3624 | 4808 | acd426055b1c58e8f322993bfafd16b0_JaffaCakes118.exe | 86
PID 3316 wrote to memory of 1548 | 3316 | cmd.exe | 89
PID 3316 wrote to memory of 1548 | 3316 | cmd.exe | 89
PID 3316 wrote to memory of 1548 | 3316 | cmd.exe | 89
PID 3624 wrote to memory of 4484 | 3624 | cmd.exe | 90
PID 3624 wrote to memory of 4484 | 3624 | cmd.exe | 90
PID 3624 wrote to memory of 4484 | 3624 | cmd.exe | 90

Views/modifies file attributes (1 TTP, 2 IoCs)
pid | Process
1548 | attrib.exe
4484 | attrib.exe
Processes
Process tree (indentation shows parent/child depth):

C:\Users\Admin\AppData\Local\Temp\acd426055b1c58e8f322993bfafd16b0_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\acd426055b1c58e8f322993bfafd16b0_JaffaCakes118.exe"
PID: 4808
- Modifies firewall policy service
- Windows security bypass
- Checks computer location settings
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\acd426055b1c58e8f322993bfafd16b0_JaffaCakes118.exe" +s +h
    PID: 3316
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Users\Admin\AppData\Local\Temp\acd426055b1c58e8f322993bfafd16b0_JaffaCakes118.exe" +s +h
        PID: 1548
        - Sets file to hidden
        - System Location Discovery: System Language Discovery
        - Views/modifies file attributes

    C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    PID: 3624
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        PID: 4484
        - Sets file to hidden
        - System Location Discovery: System Language Discovery
        - Views/modifies file attributes
Network

MITRE ATT&CK Enterprise v15
Defense Evasion
    Hide Artifacts (2)
        Hidden Files and Directories (2)
    Impair Defenses (3)
        Disable or Modify System Firewall (1)
        Disable or Modify Tools (2)
    Modify Registry (3)