Analysis
-
max time kernel
149s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
26-11-2024 04:49
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe
Resource
win7-20240903-en
windows7-x64
20 signatures
150 seconds
General
-
Target
9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe
-
Size
748KB
-
MD5
9fe863122619a4854e49c44024bd70ff
-
SHA1
8d329725d1e5d2b428156252a1ce5e40d349d03c
-
SHA256
f6ccbca4b85a798e2f139539019ad7f5e498c9545c5b6456c6cbf5898a5ac5d6
-
SHA512
1ab58a6da4752e9234511a527a9e522ba5d2008544e8d475a111cb7a238f5285fe83dc54e1735d28ae86192109c00c8f43c952f55d94b51b77e0d749f874f9b0
-
SSDEEP
12288:FRYPaes4XBj3zvYJV1p+MKRLehXrI4aip5QUl8SQGnuutvzeiJzLvLkGY6tEaWYm:gaKxb0JV1pGehXRfpzHyyJvV+TYm
Malware Config
Signatures
-
Darkcomet family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\msnmsgr.exe" 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe -
Modifies security service 2 TTPs 1 IoCs
Processes:
msnmsgr.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" msnmsgr.exe -
Processes:
msnmsgr.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" msnmsgr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" msnmsgr.exe -
Drops file in Drivers directory 1 IoCs
Processes:
9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exedescription ioc Process File opened for modification C:\Windows\system32\drivers\etc\hosts 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
msnmsgr.exe9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exedescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate msnmsgr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe -
Executes dropped EXE 2 IoCs
Processes:
msnmsgr.exemsnmsgr.exepid Process 2980 msnmsgr.exe 2500 msnmsgr.exe -
Processes:
msnmsgr.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" msnmsgr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" msnmsgr.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Live = "C:\\Windows\\msnmsgr.exe" 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exemsnmsgr.exedescription pid Process procid_target PID 2032 set thread context of 1204 2032 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe 30 PID 2980 set thread context of 2500 2980 msnmsgr.exe 32 -
Drops file in Windows directory 4 IoCs
Processes:
9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exemsnmsgr.exedescription ioc Process File opened for modification C:\Windows\msnmsgr.exe 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe File opened for modification C:\Windows\ 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe File opened for modification C:\Windows\msnmsgr.exe msnmsgr.exe File created C:\Windows\msnmsgr.exe 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exemsnmsgr.exemsnmsgr.exe9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msnmsgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msnmsgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe -
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
msnmsgr.exe9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exedescription ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 msnmsgr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString msnmsgr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier msnmsgr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier msnmsgr.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exemsnmsgr.exedescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier msnmsgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
msnmsgr.exepid Process 2500 msnmsgr.exe -
Suspicious use of AdjustPrivilegeToken 46 IoCs
Processes:
9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exemsnmsgr.exedescription pid Process Token: SeIncreaseQuotaPrivilege 1204 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Token: SeSecurityPrivilege 1204 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Token: SeTakeOwnershipPrivilege 1204 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Token: SeLoadDriverPrivilege 1204 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Token: SeSystemProfilePrivilege 1204 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Token: SeSystemtimePrivilege 1204 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Token: SeProfSingleProcessPrivilege 1204 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Token: SeIncBasePriorityPrivilege 1204 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Token: SeCreatePagefilePrivilege 1204 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Token: SeBackupPrivilege 1204 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Token: SeRestorePrivilege 1204 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Token: SeShutdownPrivilege 1204 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Token: SeDebugPrivilege 1204 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Token: SeSystemEnvironmentPrivilege 1204 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Token: SeChangeNotifyPrivilege 1204 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Token: SeRemoteShutdownPrivilege 1204 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Token: SeUndockPrivilege 1204 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Token: SeManageVolumePrivilege 1204 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Token: SeImpersonatePrivilege 1204 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Token: SeCreateGlobalPrivilege 1204 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Token: 33 1204 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Token: 34 1204 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Token: 35 1204 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Token: SeIncreaseQuotaPrivilege 2500 msnmsgr.exe Token: SeSecurityPrivilege 2500 msnmsgr.exe Token: SeTakeOwnershipPrivilege 2500 msnmsgr.exe Token: SeLoadDriverPrivilege 2500 msnmsgr.exe Token: SeSystemProfilePrivilege 2500 msnmsgr.exe Token: SeSystemtimePrivilege 2500 msnmsgr.exe Token: SeProfSingleProcessPrivilege 2500 msnmsgr.exe Token: SeIncBasePriorityPrivilege 2500 msnmsgr.exe Token: SeCreatePagefilePrivilege 2500 msnmsgr.exe Token: SeBackupPrivilege 2500 msnmsgr.exe Token: SeRestorePrivilege 2500 msnmsgr.exe Token: SeShutdownPrivilege 2500 msnmsgr.exe Token: SeDebugPrivilege 2500 msnmsgr.exe Token: SeSystemEnvironmentPrivilege 2500 msnmsgr.exe Token: SeChangeNotifyPrivilege 2500 msnmsgr.exe Token: SeRemoteShutdownPrivilege 2500 msnmsgr.exe Token: SeUndockPrivilege 2500 msnmsgr.exe Token: SeManageVolumePrivilege 2500 msnmsgr.exe Token: SeImpersonatePrivilege 2500 msnmsgr.exe Token: SeCreateGlobalPrivilege 2500 msnmsgr.exe Token: 33 2500 msnmsgr.exe Token: 34 2500 msnmsgr.exe Token: 35 2500 msnmsgr.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exemsnmsgr.exemsnmsgr.exepid Process 2032 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe 2980 msnmsgr.exe 2500 msnmsgr.exe -
Suspicious use of WriteProcessMemory 34 IoCs
Processes:
9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exemsnmsgr.exedescription pid Process procid_target PID 2032 wrote to memory of 1204 2032 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe 30 PID 2032 wrote to memory of 1204 2032 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe 30 PID 2032 wrote to memory of 1204 2032 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe 30 PID 2032 wrote to memory of 1204 2032 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe 30 PID 2032 wrote to memory of 1204 2032 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe 30 PID 2032 wrote to memory of 1204 2032 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe 30 PID 2032 wrote to memory of 1204 2032 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe 30 PID 2032 wrote to memory of 1204 2032 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe 30 PID 2032 wrote to memory of 1204 2032 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe 30 PID 2032 wrote to memory of 1204 2032 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe 30 PID 2032 wrote to memory of 1204 2032 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe 30 PID 2032 wrote to memory of 1204 2032 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe 30 PID 2032 wrote to memory of 1204 2032 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe 30 PID 2032 wrote to memory of 1204 2032 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe 30 PID 2032 wrote to memory of 1204 2032 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe 30 PID 1204 wrote to memory of 2980 1204 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe 31 PID 1204 wrote to memory of 2980 1204 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe 31 PID 1204 wrote to memory of 2980 1204 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe 31 PID 1204 wrote to memory of 2980 1204 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe 31 PID 2980 wrote to memory of 2500 2980 msnmsgr.exe 32 PID 2980 wrote to memory of 2500 2980 msnmsgr.exe 32 PID 2980 wrote to memory of 2500 2980 msnmsgr.exe 32 PID 2980 wrote to memory of 2500 2980 msnmsgr.exe 32 PID 2980 wrote to memory of 2500 2980 msnmsgr.exe 32 PID 2980 wrote to memory of 2500 2980 msnmsgr.exe 32 PID 2980 wrote to memory of 2500 2980 msnmsgr.exe 32 PID 2980 wrote to memory of 2500 2980 msnmsgr.exe 32 PID 2980 wrote to memory of 2500 2980 msnmsgr.exe 32 PID 2980 wrote to memory of 2500 2980 msnmsgr.exe 32 PID 2980 wrote to memory of 2500 2980 msnmsgr.exe 32 PID 2980 wrote to memory of 2500 2980 msnmsgr.exe 32 PID 2980 wrote to memory of 2500 2980 msnmsgr.exe 32 PID 2980 wrote to memory of 2500 2980 msnmsgr.exe 32 PID 2980 wrote to memory of 2500 2980 msnmsgr.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Users\Admin\AppData\Local\Temp\9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe"2⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Checks BIOS information in registry
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1204 -
C:\Windows\msnmsgr.exe"C:\Windows\msnmsgr.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\msnmsgr.exe"C:\Windows\msnmsgr.exe"4⤵
- Modifies security service
- Windows security bypass
- Checks BIOS information in registry
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2500
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-312935884-697965778-3955649944-1000\88603cb2913a7df3fbd16b5f958e6447_1defa0c0-fc04-4155-83bc-b490dbaa3679
Filesize51B
MD55fc2ac2a310f49c14d195230b91a8885
SHA190855cc11136ba31758fe33b5cf9571f9a104879
SHA256374e0e2897a7a82e0e44794cad89df0f3cdd7703886239c1fe06d625efd48092
SHA512ab46554df9174b9fe9beba50a640f67534c3812f64d96a1fb8adfdc136dfe730ca2370825cd45b7f87a544d6a58dd868cb5a3a7f42e2789f6d679dbc0fdd52c3
-
Filesize
748KB
MD59fe863122619a4854e49c44024bd70ff
SHA18d329725d1e5d2b428156252a1ce5e40d349d03c
SHA256f6ccbca4b85a798e2f139539019ad7f5e498c9545c5b6456c6cbf5898a5ac5d6
SHA5121ab58a6da4752e9234511a527a9e522ba5d2008544e8d475a111cb7a238f5285fe83dc54e1735d28ae86192109c00c8f43c952f55d94b51b77e0d749f874f9b0