Analysis
- max time kernel: 149s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 28-10-2024 13:55
- Static task: static1
- Behavioral task: behavioral1
- Sample: 79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe
- Resource: win7-20240903-en
General
- Target: 79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe
- Size: 880KB
- MD5: 79f26faebf6f232fd71c2d81c400a91e
- SHA1: 2a0b954324ff364271acb04589f1cceeb3b8a713
- SHA256: 39dd349bae7daea858678837db336d958aab66ca4f47c852ca16a45b273cb18b
- SHA512: 1ec197da98d1f5f75be1a3fe8a91fb30db78bee52a72d8c23c7d1b3626cceab46fc85a5f236dbfc9cba65207250b6102dbbb3770c88dd36aee9e52487c1d46c2
- SSDEEP: 12288:wqFvD1WrkIwrOqepNt0RoirD7/xNmcBH0dqhTtlN9p41zlq4uhT:wAB7IEOqBRbrDz2eU8IPuhT
Malware Config
Signatures
-
Darkcomet family
-
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: 79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\MSDCSC\\winserv.exe" (process: 79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe)
Executes dropped EXE (3 IoCs)
Processes: winserv.exe
- PID 2864 winserv.exe
- PID 2076 winserv.exe
- PID 2200 winserv.exe
Loads dropped DLL (2 IoCs)
Processes: 79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe
- PID 2736 79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe
- PID 2736 79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe, winserv.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdates = "C:\\MSDCSC\\winserv.exe" (process: 79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdates = "C:\\MSDCSC\\winserv.exe" (process: winserv.exe)
Writes to the Master Boot Record (MBR) (1 TTP, 2 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: 79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe, winserv.exe
- File opened for modification: \??\PhysicalDrive0 (process: 79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe)
- File opened for modification: \??\PhysicalDrive0 (process: winserv.exe)
Suspicious use of SetThreadContext (4 IoCs)
Processes: 79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe, winserv.exe
- PID 2892 (79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe) set thread context of 2308 (procid_target 30)
- PID 2308 (79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe) set thread context of 2736 (procid_target 31)
- PID 2864 (winserv.exe) set thread context of 2076 (procid_target 33)
- PID 2076 (winserv.exe) set thread context of 2200 (procid_target 34)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe, winserv.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe, 3 times)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: winserv.exe, 3 times)
Suspicious use of AdjustPrivilegeToken (46 IoCs)
Processes: 79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe, winserv.exe
- PID 2736 (79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe), Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 (23 IoCs)
- PID 2200 (winserv.exe), Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 (23 IoCs)
Suspicious use of SetWindowsHookEx (5 IoCs)
Processes: 79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe, winserv.exe
- PID 2892 79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe
- PID 2308 79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe
- PID 2864 winserv.exe
- PID 2076 winserv.exe
- PID 2200 winserv.exe
Suspicious use of WriteProcessMemory (48 IoCs)
Processes: 79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe, winserv.exe
- PID 2892 (79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe) wrote to memory of 2308 (procid_target 30), 9 IoCs
- PID 2308 (79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe) wrote to memory of 2736 (procid_target 31), 13 IoCs
- PID 2736 (79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe) wrote to memory of 2864 (procid_target 32), 4 IoCs
- PID 2864 (winserv.exe) wrote to memory of 2076 (procid_target 33), 9 IoCs
- PID 2076 (winserv.exe) wrote to memory of 2200 (procid_target 34), 13 IoCs
Processes
- C:\Users\Admin\AppData\Local\Temp\79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe (PID 2892)
  Command line: "C:\Users\Admin\AppData\Local\Temp\79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe (PID 2308, child of 2892)
    Command line: "C:\Users\Admin\AppData\Local\Temp\79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe"
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe (PID 2736, child of 2308)
      Command line: "C:\Users\Admin\AppData\Local\Temp\79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe"
      - Modifies WinLogon for persistence
      - Loads dropped DLL
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\MSDCSC\winserv.exe (PID 2864, child of 2736)
        Command line: "C:\MSDCSC\winserv.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - C:\MSDCSC\winserv.exe (PID 2076, child of 2864)
          Command line: "C:\MSDCSC\winserv.exe"
          - Executes dropped EXE
          - Writes to the Master Boot Record (MBR)
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          - C:\MSDCSC\winserv.exe (PID 2200, child of 2076)
            Command line: "C:\MSDCSC\winserv.exe"
            - Executes dropped EXE
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
  - Pre-OS Boot (1)
    - Bootkit (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
Downloads
- Filesize: 880KB
- MD5: 79f26faebf6f232fd71c2d81c400a91e
- SHA1: 2a0b954324ff364271acb04589f1cceeb3b8a713
- SHA256: 39dd349bae7daea858678837db336d958aab66ca4f47c852ca16a45b273cb18b
- SHA512: 1ec197da98d1f5f75be1a3fe8a91fb30db78bee52a72d8c23c7d1b3626cceab46fc85a5f236dbfc9cba65207250b6102dbbb3770c88dd36aee9e52487c1d46c2