Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
26-11-2024 04:49
Static task
static1
Behavioral task
behavioral1
Sample
9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe
Resource
win7-20240903-en
General
-
Target
9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe
-
Size
748KB
-
MD5
9fe863122619a4854e49c44024bd70ff
-
SHA1
8d329725d1e5d2b428156252a1ce5e40d349d03c
-
SHA256
f6ccbca4b85a798e2f139539019ad7f5e498c9545c5b6456c6cbf5898a5ac5d6
-
SHA512
1ab58a6da4752e9234511a527a9e522ba5d2008544e8d475a111cb7a238f5285fe83dc54e1735d28ae86192109c00c8f43c952f55d94b51b77e0d749f874f9b0
-
SSDEEP
12288:FRYPaes4XBj3zvYJV1p+MKRLehXrI4aip5QUl8SQGnuutvzeiJzLvLkGY6tEaWYm:gaKxb0JV1pGehXRfpzHyyJvV+TYm
Malware Config
Signatures
-
Darkcomet family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\msnmsgr.exe" 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe -
Modifies security service 2 TTPs 1 IoCs
Processes:
msnmsgr.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" msnmsgr.exe -
Processes:
msnmsgr.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" msnmsgr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" msnmsgr.exe -
Drops file in Drivers directory 1 IoCs
Processes:
9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exedescription ioc Process File opened for modification C:\Windows\system32\drivers\etc\hosts 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
msnmsgr.exe9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exedescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate msnmsgr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe -
Executes dropped EXE 2 IoCs
Processes:
msnmsgr.exemsnmsgr.exepid Process 3960 msnmsgr.exe 2360 msnmsgr.exe -
Processes:
msnmsgr.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" msnmsgr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" msnmsgr.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live = "C:\\Windows\\msnmsgr.exe" 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exemsnmsgr.exedescription pid Process procid_target PID 4932 set thread context of 2064 4932 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe 82 PID 3960 set thread context of 2360 3960 msnmsgr.exe 84 -
Drops file in Windows directory 4 IoCs
Processes:
9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exemsnmsgr.exedescription ioc Process File opened for modification C:\Windows\ 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe File opened for modification C:\Windows\msnmsgr.exe msnmsgr.exe File created C:\Windows\msnmsgr.exe 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe File opened for modification C:\Windows\msnmsgr.exe 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exemsnmsgr.exemsnmsgr.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msnmsgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msnmsgr.exe -
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
msnmsgr.exe9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exedescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier msnmsgr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier msnmsgr.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 msnmsgr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString msnmsgr.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exemsnmsgr.exedescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier msnmsgr.exe -
Modifies registry class 1 IoCs
Processes:
9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
msnmsgr.exepid Process 2360 msnmsgr.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
Processes:
9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exemsnmsgr.exedescription pid Process Token: SeIncreaseQuotaPrivilege 2064 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Token: SeSecurityPrivilege 2064 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Token: SeTakeOwnershipPrivilege 2064 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Token: SeLoadDriverPrivilege 2064 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Token: SeSystemProfilePrivilege 2064 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Token: SeSystemtimePrivilege 2064 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Token: SeProfSingleProcessPrivilege 2064 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Token: SeIncBasePriorityPrivilege 2064 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Token: SeCreatePagefilePrivilege 2064 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Token: SeBackupPrivilege 2064 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Token: SeRestorePrivilege 2064 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Token: SeShutdownPrivilege 2064 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Token: SeDebugPrivilege 2064 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Token: SeSystemEnvironmentPrivilege 2064 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Token: SeChangeNotifyPrivilege 2064 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Token: SeRemoteShutdownPrivilege 2064 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Token: SeUndockPrivilege 2064 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Token: SeManageVolumePrivilege 2064 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Token: SeImpersonatePrivilege 2064 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Token: SeCreateGlobalPrivilege 2064 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Token: 33 2064 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Token: 34 2064 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Token: 35 2064 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Token: 36 2064 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe Token: SeIncreaseQuotaPrivilege 2360 msnmsgr.exe Token: SeSecurityPrivilege 2360 msnmsgr.exe Token: SeTakeOwnershipPrivilege 2360 msnmsgr.exe Token: SeLoadDriverPrivilege 2360 msnmsgr.exe Token: SeSystemProfilePrivilege 2360 msnmsgr.exe Token: SeSystemtimePrivilege 2360 msnmsgr.exe Token: SeProfSingleProcessPrivilege 2360 msnmsgr.exe Token: SeIncBasePriorityPrivilege 2360 msnmsgr.exe Token: SeCreatePagefilePrivilege 2360 msnmsgr.exe Token: SeBackupPrivilege 2360 msnmsgr.exe Token: SeRestorePrivilege 2360 msnmsgr.exe Token: SeShutdownPrivilege 2360 msnmsgr.exe Token: SeDebugPrivilege 2360 msnmsgr.exe Token: SeSystemEnvironmentPrivilege 2360 msnmsgr.exe Token: SeChangeNotifyPrivilege 2360 msnmsgr.exe Token: SeRemoteShutdownPrivilege 2360 msnmsgr.exe Token: SeUndockPrivilege 2360 msnmsgr.exe Token: SeManageVolumePrivilege 2360 msnmsgr.exe Token: SeImpersonatePrivilege 2360 msnmsgr.exe Token: SeCreateGlobalPrivilege 2360 msnmsgr.exe Token: 33 2360 msnmsgr.exe Token: 34 2360 msnmsgr.exe Token: 35 2360 msnmsgr.exe Token: 36 2360 msnmsgr.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exemsnmsgr.exemsnmsgr.exepid Process 4932 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe 3960 msnmsgr.exe 2360 msnmsgr.exe -
Suspicious use of WriteProcessMemory 31 IoCs
Processes:
9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exemsnmsgr.exedescription pid Process procid_target PID 4932 wrote to memory of 2064 4932 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe 82 PID 4932 wrote to memory of 2064 4932 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe 82 PID 4932 wrote to memory of 2064 4932 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe 82 PID 4932 wrote to memory of 2064 4932 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe 82 PID 4932 wrote to memory of 2064 4932 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe 82 PID 4932 wrote to memory of 2064 4932 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe 82 PID 4932 wrote to memory of 2064 4932 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe 82 PID 4932 wrote to memory of 2064 4932 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe 82 PID 4932 wrote to memory of 2064 4932 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe 82 PID 4932 wrote to memory of 2064 4932 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe 82 PID 4932 wrote to memory of 2064 4932 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe 82 PID 4932 wrote to memory of 2064 4932 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe 82 PID 4932 wrote to memory of 2064 4932 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe 82 PID 4932 wrote to memory of 2064 4932 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe 82 PID 2064 wrote to memory of 3960 2064 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe 83 PID 2064 wrote to memory of 3960 2064 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe 83 PID 2064 wrote to memory of 3960 2064 9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe 83 PID 3960 wrote to memory of 2360 3960 msnmsgr.exe 84 PID 3960 wrote to memory of 2360 3960 msnmsgr.exe 84 PID 3960 wrote to memory of 2360 3960 msnmsgr.exe 84 PID 3960 wrote to memory of 2360 3960 msnmsgr.exe 84 PID 3960 wrote to memory of 2360 3960 msnmsgr.exe 84 PID 3960 wrote to memory of 2360 3960 msnmsgr.exe 84 PID 3960 wrote to memory of 2360 3960 msnmsgr.exe 84 PID 3960 wrote to memory of 2360 3960 msnmsgr.exe 84 PID 3960 wrote to memory of 2360 3960 msnmsgr.exe 84 PID 3960 wrote to memory of 2360 3960 msnmsgr.exe 84 PID 3960 wrote to memory of 2360 3960 msnmsgr.exe 84 PID 3960 wrote to memory of 2360 3960 msnmsgr.exe 84 PID 3960 wrote to memory of 2360 3960 msnmsgr.exe 84 PID 3960 wrote to memory of 2360 3960 msnmsgr.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4932 -
C:\Users\Admin\AppData\Local\Temp\9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\9fe863122619a4854e49c44024bd70ff_JaffaCakes118.exe"2⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\msnmsgr.exe"C:\Windows\msnmsgr.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3960 -
C:\Windows\msnmsgr.exe"C:\Windows\msnmsgr.exe"4⤵
- Modifies security service
- Windows security bypass
- Checks BIOS information in registry
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2360
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3756129449-3121373848-4276368241-1000\88603cb2913a7df3fbd16b5f958e6447_a63d6fdc-08cb-4232-ab51-76cafdcb4d96
Filesize51B
MD55fc2ac2a310f49c14d195230b91a8885
SHA190855cc11136ba31758fe33b5cf9571f9a104879
SHA256374e0e2897a7a82e0e44794cad89df0f3cdd7703886239c1fe06d625efd48092
SHA512ab46554df9174b9fe9beba50a640f67534c3812f64d96a1fb8adfdc136dfe730ca2370825cd45b7f87a544d6a58dd868cb5a3a7f42e2789f6d679dbc0fdd52c3
-
Filesize
748KB
MD59fe863122619a4854e49c44024bd70ff
SHA18d329725d1e5d2b428156252a1ce5e40d349d03c
SHA256f6ccbca4b85a798e2f139539019ad7f5e498c9545c5b6456c6cbf5898a5ac5d6
SHA5121ab58a6da4752e9234511a527a9e522ba5d2008544e8d475a111cb7a238f5285fe83dc54e1735d28ae86192109c00c8f43c952f55d94b51b77e0d749f874f9b0