Analysis
- max time kernel: 149s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 30-10-2024 00:25
Static task: static1

Behavioral task: behavioral1
- Sample: 7d4215b25a3d8881a18641d83873ac96_JaffaCakes118.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: 7d4215b25a3d8881a18641d83873ac96_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: 7d4215b25a3d8881a18641d83873ac96_JaffaCakes118.exe
- Size: 849KB
- MD5: 7d4215b25a3d8881a18641d83873ac96
- SHA1: 79293a0badf34dc14380c70181d61aa11a53ac33
- SHA256: 69460fd08183865d32f5f319299449ffcadd08e6759b5aa1a9bc9a0a2e77a97a
- SHA512: 40358d530a621bdf44ddaeced4071312325aa91ead3847f41cb4ea40783c75927a0e09ff6be932a6945320eb92bae73346cdc0030aefa39df5a991573e00b7a4
- SSDEEP: 24576:VGjjUxDpIUDdNIFPy4AKVJp0vC2SXwTDxNT:VGjAdpIUxaVykfp0vC2SXIDxNT
Malware Config
Signatures
- Darkcomet family

- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes: ciara.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\System\\ÚÈÏÇáÑÍãä.exe" | ciara.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: ciara.exe, ÚÈÏÇáÑÍãä.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | ciara.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | ÚÈÏÇáÑÍãä.exe
- Executes dropped EXE (2 IoCs)
  Processes: ciara.exe, ÚÈÏÇáÑÍãä.exe
  pid | process
  2748 | ciara.exe
  2528 | ÚÈÏÇáÑÍãä.exe
- Loads dropped DLL (4 IoCs)
  Processes: 7d4215b25a3d8881a18641d83873ac96_JaffaCakes118.exe, ciara.exe
  pid | process
  2644 | 7d4215b25a3d8881a18641d83873ac96_JaffaCakes118.exe
  2644 | 7d4215b25a3d8881a18641d83873ac96_JaffaCakes118.exe
  2748 | ciara.exe
  2748 | ciara.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: ciara.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\System\\ÚÈÏÇáÑÍãä.exe" | ciara.exe
- Drops file in System32 directory (1 IoC)
  Processes: 7d4215b25a3d8881a18641d83873ac96_JaffaCakes118.exe
  description | ioc | process
  File created | C:\Windows\SysWOW64\ciara.exe | 7d4215b25a3d8881a18641d83873ac96_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: 7d4215b25a3d8881a18641d83873ac96_JaffaCakes118.exe, DllHost.exe, ciara.exe, ÚÈÏÇáÑÍãä.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7d4215b25a3d8881a18641d83873ac96_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DllHost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ciara.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ÚÈÏÇáÑÍãä.exe
- Checks processor information in registry (2 TTPs, 8 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: ÚÈÏÇáÑÍãä.exe, ciara.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | ÚÈÏÇáÑÍãä.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | ÚÈÏÇáÑÍãä.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | ciara.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | ciara.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | ciara.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | ciara.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | ÚÈÏÇáÑÍãä.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | ÚÈÏÇáÑÍãä.exe
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes: ciara.exe, ÚÈÏÇáÑÍãä.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | ciara.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | ÚÈÏÇáÑÍãä.exe
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Processes: ciara.exe, ÚÈÏÇáÑÍãä.exe
  description | pid | process
  Each of the two processes below enabled the same 23 token privileges (46 rows in total):
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 | 2748 | ciara.exe
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 | 2528 | ÚÈÏÇáÑÍãä.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes: DllHost.exe
  pid | process
  2800 | DllHost.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: DllHost.exe
  pid | process
  2800 | DllHost.exe
  2800 | DllHost.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: 7d4215b25a3d8881a18641d83873ac96_JaffaCakes118.exe, ciara.exe
  description | pid | process | target process
  PID 2644 wrote to memory of 2748 | 2644 | 7d4215b25a3d8881a18641d83873ac96_JaffaCakes118.exe | ciara.exe
  PID 2644 wrote to memory of 2748 | 2644 | 7d4215b25a3d8881a18641d83873ac96_JaffaCakes118.exe | ciara.exe
  PID 2644 wrote to memory of 2748 | 2644 | 7d4215b25a3d8881a18641d83873ac96_JaffaCakes118.exe | ciara.exe
  PID 2644 wrote to memory of 2748 | 2644 | 7d4215b25a3d8881a18641d83873ac96_JaffaCakes118.exe | ciara.exe
  PID 2748 wrote to memory of 2528 | 2748 | ciara.exe | ÚÈÏÇáÑÍãä.exe
  PID 2748 wrote to memory of 2528 | 2748 | ciara.exe | ÚÈÏÇáÑÍãä.exe
  PID 2748 wrote to memory of 2528 | 2748 | ciara.exe | ÚÈÏÇáÑÍãä.exe
  PID 2748 wrote to memory of 2528 | 2748 | ciara.exe | ÚÈÏÇáÑÍãä.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\7d4215b25a3d8881a18641d83873ac96_JaffaCakes118.exe (PID 2644)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7d4215b25a3d8881a18641d83873ac96_JaffaCakes118.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\ciara.exe (PID 2748, child of 2644)
    Command line: "C:\Windows\System32\ciara.exe"
    - Modifies WinLogon for persistence
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\System\ÚÈÏÇáÑÍãä.exe (PID 2528, child of 2748)
      Command line: "C:\System\ÚÈÏÇáÑÍãä.exe"
      - Checks BIOS information in registry
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\DllHost.exe (PID 2800)
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
Downloads
- Filesize: 103KB
  MD5: d5d2915166e718d9a9f6870a026c3f20
  SHA1: aad7353b2dcc11c8d45a9567351275e159fb14ab
  SHA256: 88164c99795d25018b6944ed3eb76d692917a7da81c934cff99968ee0db8183f
  SHA512: 71e12c5a40e0eb29643393ac8ab1ea304dd3bf5b9ef2366403964ed7deebd63e71af04494153d97ecb29cd56bce89ca98eee158d8ad8a9acf4a1822c3b63916c
- Filesize: 713KB
  MD5: 226167943df3c9945a486fe8633dca89
  SHA1: 6b5ff809ca57fc3f01001d92749071c6a3a76aa0
  SHA256: 4dc458e8d9f7d5a9c7c327f98758f1b1887b03f7fab8de276f28ed31182596d1
  SHA512: ace422d779cbc5c0969528bdbcb77ed445d9aa10eac6a25b905b74f45c933b640b9a7dfbfd49a913c80fe060b7ef21917eafedaf8846f57601a7b14b7037f07f