Analysis
max time kernel: 149s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2024 06:38

Static task: static1
Behavioral task: behavioral1
Sample: 99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Resource: win7-20241023-en
General
Target: 99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Size: 5.0MB
MD5: 99d2656e3599ba235242dc9763b3940b
SHA1: 2ac901d260222eed2c8d7f1cdc92ae8d11b50c7b
SHA256: bb14ef332f01f1db8ce7a225adc9fe5f6ee5c4a6ffd2038478065e270080abad
SHA512: af8c8fd9e842ad21feb9da2c06637dc484927714a7c562f2916e1fe4f349bf2a12fd513e750440a02280ee773a8bcaf9df0f97dba5b8cbc7d81c521adee78ce3
SSDEEP: 98304:Bp0K5DI69NeNw/V/dMBJ5Yr0M1oDBoMqnE6oNv7rW:BDB/tN/YJOozDBiE667rW
Malware Config
Signatures
Darkcomet family

Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Windupdt\\winupdate.exe" | 99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe

Modifies security service 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | winupdate.exe

Windows security bypass 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winupdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winupdate.exe

Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | winupdate.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | 99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | winupdate.exe

Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | 99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | winupdate.exe

Executes dropped EXE 4 IoCs
pid | Process
3048 | CCSETUP305.EXE
2304 | winupdate.exe
5060 | winupdate.exe
4268 | CCSETUP305.EXE

Windows security modification 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winupdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winupdate.exe

Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Users\\Admin\\AppData\\Roaming\\Windupdt\\winupdate.exe" | 99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 1928 set thread context of 2084 | 1928 | 99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe | 83
PID 2304 set thread context of 5060 | 2304 | winupdate.exe | 89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CCSETUP305.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winupdate.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winupdate.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CCSETUP305.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe

NSIS installer 2 IoCs
resource | yara_rule
behavioral2/files/0x000a000000023b69-82.dat | nsis_installer_1
behavioral2/files/0x000a000000023b69-82.dat | nsis_installer_2
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | 99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | winupdate.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 2 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | 99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winupdate.exe

Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
5060 | winupdate.exe
Suspicious use of AdjustPrivilegeToken 50 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1928 | 99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege | 2084 | 99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Token: SeSecurityPrivilege | 2084 | 99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege | 2084 | 99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Token: SeLoadDriverPrivilege | 2084 | 99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Token: SeSystemProfilePrivilege | 2084 | 99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Token: SeSystemtimePrivilege | 2084 | 99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege | 2084 | 99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege | 2084 | 99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege | 2084 | 99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Token: SeBackupPrivilege | 2084 | 99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Token: SeRestorePrivilege | 2084 | 99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Token: SeShutdownPrivilege | 2084 | 99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Token: SeDebugPrivilege | 2084 | 99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege | 2084 | 99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege | 2084 | 99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege | 2084 | 99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Token: SeUndockPrivilege | 2084 | 99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Token: SeManageVolumePrivilege | 2084 | 99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Token: SeImpersonatePrivilege | 2084 | 99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege | 2084 | 99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Token: 33 | 2084 | 99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Token: 34 | 2084 | 99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Token: 35 | 2084 | 99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Token: 36 | 2084 | 99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Token: SeDebugPrivilege | 2304 | winupdate.exe
Token: SeIncreaseQuotaPrivilege | 5060 | winupdate.exe
Token: SeSecurityPrivilege | 5060 | winupdate.exe
Token: SeTakeOwnershipPrivilege | 5060 | winupdate.exe
Token: SeLoadDriverPrivilege | 5060 | winupdate.exe
Token: SeSystemProfilePrivilege | 5060 | winupdate.exe
Token: SeSystemtimePrivilege | 5060 | winupdate.exe
Token: SeProfSingleProcessPrivilege | 5060 | winupdate.exe
Token: SeIncBasePriorityPrivilege | 5060 | winupdate.exe
Token: SeCreatePagefilePrivilege | 5060 | winupdate.exe
Token: SeBackupPrivilege | 5060 | winupdate.exe
Token: SeRestorePrivilege | 5060 | winupdate.exe
Token: SeShutdownPrivilege | 5060 | winupdate.exe
Token: SeDebugPrivilege | 5060 | winupdate.exe
Token: SeSystemEnvironmentPrivilege | 5060 | winupdate.exe
Token: SeChangeNotifyPrivilege | 5060 | winupdate.exe
Token: SeRemoteShutdownPrivilege | 5060 | winupdate.exe
Token: SeUndockPrivilege | 5060 | winupdate.exe
Token: SeManageVolumePrivilege | 5060 | winupdate.exe
Token: SeImpersonatePrivilege | 5060 | winupdate.exe
Token: SeCreateGlobalPrivilege | 5060 | winupdate.exe
Token: 33 | 5060 | winupdate.exe
Token: 34 | 5060 | winupdate.exe
Token: 35 | 5060 | winupdate.exe
Token: 36 | 5060 | winupdate.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
5060 | winupdate.exe
Suspicious use of WriteProcessMemory 47 IoCs
description | pid | Process | procid_target | count
PID 1928 wrote to memory of 2084 | 1928 | 99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe | 83 | 14 identical entries
PID 2084 wrote to memory of 3048 | 2084 | 99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe | 84 | 3 identical entries
PID 3048 wrote to memory of 4648 | 3048 | CCSETUP305.EXE | 85 | 2 identical entries
PID 2084 wrote to memory of 764 | 2084 | 99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe | 87 | 3 identical entries
PID 2084 wrote to memory of 2304 | 2084 | 99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe | 88 | 3 identical entries
PID 2304 wrote to memory of 5060 | 2304 | winupdate.exe | 89 | 14 identical entries
PID 5060 wrote to memory of 4792 | 5060 | winupdate.exe | 90 | 3 identical entries
PID 5060 wrote to memory of 4268 | 5060 | winupdate.exe | 91 | 3 identical entries
PID 4268 wrote to memory of 4852 | 4268 | CCSETUP305.EXE | 94 | 2 identical entries
Processes (indented by depth in the process tree)

C:\Users\Admin\AppData\Local\Temp\99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe"
  PID: 1928
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe"
    PID: 2084
    - Modifies WinLogon for persistence
    - Checks BIOS information in registry
    - Checks computer location settings
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\CCSETUP305.EXE
      Command line: "C:\Users\Admin\AppData\Local\Temp\CCSETUP305.EXE"
      PID: 3048
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\pcaui.exe
        Command line: "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {d5ceeb93-9830-4406-a772-e167287b96c4} -a "CCleaner" -v "Piriform Ltd" -s "This app can't run because it causes security or performance issues on Windows. A new version may be available. Check with your software provider for an updated version that runs on this version of Windows." -n 2 -f 2021048 -k 0 -e "C:\Users\Admin\AppData\Local\Temp\CCSETUP305.EXE"
        PID: 4648

    C:\Windows\SysWOW64\explorer.exe
      Command line: "C:\Windows\SysWOW64\explorer.exe"
      PID: 764

    C:\Users\Admin\AppData\Roaming\Windupdt\winupdate.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Windupdt\winupdate.exe"
      PID: 2304
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\Windupdt\winupdate.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Windupdt\winupdate.exe"
        PID: 5060
        - Modifies security service
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Checks BIOS information in registry
        - Checks computer location settings
        - Executes dropped EXE
        - Windows security modification
        - System Location Discovery: System Language Discovery
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\explorer.exe
          Command line: "C:\Windows\SysWOW64\explorer.exe"
          PID: 4792

        C:\Users\Admin\AppData\Local\Temp\CCSETUP305.EXE
          Command line: "C:\Users\Admin\AppData\Local\Temp\CCSETUP305.EXE"
          PID: 4268
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

          C:\Windows\system32\pcaui.exe
            Command line: "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {d5ceeb93-9830-4406-a772-e167287b96c4} -a "CCleaner" -v "Piriform Ltd" -s "This app can't run because it causes security or performance issues on Windows. A new version may be available. Check with your software provider for an updated version that runs on this version of Windows." -n 2 -f 2021048 -k 0 -e "C:\Users\Admin\AppData\Local\Temp\CCSETUP305.EXE"
            PID: 4852
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 2.9MB
MD5: a0c156da60803807cf6b46ec340c9739
SHA1: 24aeaf6ff4d2ad611f2e6f61a0e38c46602cae97
SHA256: fc35a0c9f5604f78e2c4673d815e493638819d534acc73b834bd4f9fd9d49d48
SHA512: 5bec9c0cf64cde95267d44b1dba299b7299a827467132400656eaf8b2225b2710a0e986d6a1e9db00f6f94b922ae6592372519a91b03230e92de26052aa5b3ca

Filesize: 5.0MB
MD5: 99d2656e3599ba235242dc9763b3940b
SHA1: 2ac901d260222eed2c8d7f1cdc92ae8d11b50c7b
SHA256: bb14ef332f01f1db8ce7a225adc9fe5f6ee5c4a6ffd2038478065e270080abad
SHA512: af8c8fd9e842ad21feb9da2c06637dc484927714a7c562f2916e1fe4f349bf2a12fd513e750440a02280ee773a8bcaf9df0f97dba5b8cbc7d81c521adee78ce3