Analysis
- max time kernel: 121s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 26-11-2024 08:57

Static task: static1
Behavioral task: behavioral1
- Sample: a0fe55ed4b6e9f7b70c640681e7116c9_JaffaCakes118.exe
- Resource: win7-20240903-en
General
- Target: a0fe55ed4b6e9f7b70c640681e7116c9_JaffaCakes118.exe
- Size: 791KB
- MD5: a0fe55ed4b6e9f7b70c640681e7116c9
- SHA1: 5adb7ad253412cfbaefb0004fde0557449c9ce03
- SHA256: 6127a7138e021cda4e64f0bfe0ca74c1b8a66ba5840b0d9ecff7f4096d279514
- SHA512: 26c34ac7cbd7205283f95e4fc3d0208dbdac4aaf2412c54ecfec888a4bb850cae1ca32de6c2095203a7bca5c84ae923bbce66decf669837d3a4788d5e821e81f
- SSDEEP: 24576:vOESUc+MtiJ+kOsK70iFt8qBP7TH24v6:vJS+J+kO5t84P1
Malware Config
Extracted
- darkcomet
- JDB
- robbery.no-ip.org:1338
- RobEU-King
- gencode: BUyCSukijnkZ
- install: false
- offline_keylogger: true
- password: robeu
- persistence: false
Signatures

Darkcomet family

Sets file to hidden (1 TTPs, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
  pid   Process
  2428  attrib.exe
  3000  attrib.exe
Suspicious use of SetThreadContext (2 IoCs)
  description                          pid   Process                                             procid_target
  PID 1552 set thread context of 2776  1552  a0fe55ed4b6e9f7b70c640681e7116c9_JaffaCakes118.exe  31
  PID 2776 set thread context of 1000  2776  csc.exe                                             35
Drops file in Windows directory (2 IoCs)
  description                   ioc                                                     Process
  File opened for modification  C:\Windows\Microsoft.NET\Framework\v2.0.50727           attrib.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe   attrib.exe
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                             Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     attrib.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     attrib.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     a0fe55ed4b6e9f7b70c640681e7116c9_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     csc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     cmd.exe
Suspicious use of AdjustPrivilegeToken (23 IoCs)
  description                              pid   Process
  Token: SeIncreaseQuotaPrivilege          2776  csc.exe
  Token: SeSecurityPrivilege               2776  csc.exe
  Token: SeTakeOwnershipPrivilege          2776  csc.exe
  Token: SeLoadDriverPrivilege             2776  csc.exe
  Token: SeSystemProfilePrivilege          2776  csc.exe
  Token: SeSystemtimePrivilege             2776  csc.exe
  Token: SeProfSingleProcessPrivilege      2776  csc.exe
  Token: SeIncBasePriorityPrivilege        2776  csc.exe
  Token: SeCreatePagefilePrivilege         2776  csc.exe
  Token: SeBackupPrivilege                 2776  csc.exe
  Token: SeRestorePrivilege                2776  csc.exe
  Token: SeShutdownPrivilege               2776  csc.exe
  Token: SeDebugPrivilege                  2776  csc.exe
  Token: SeSystemEnvironmentPrivilege      2776  csc.exe
  Token: SeChangeNotifyPrivilege           2776  csc.exe
  Token: SeRemoteShutdownPrivilege         2776  csc.exe
  Token: SeUndockPrivilege                 2776  csc.exe
  Token: SeManageVolumePrivilege           2776  csc.exe
  Token: SeImpersonatePrivilege            2776  csc.exe
  Token: SeCreateGlobalPrivilege           2776  csc.exe
  Token: 33                                2776  csc.exe
  Token: 34                                2776  csc.exe
  Token: 35                                2776  csc.exe
Suspicious use of WriteProcessMemory (37 IoCs; identical rows collapsed, with the number of occurrences in the last column)
  description                         pid   Process                                             procid_target  count
  PID 1552 wrote to memory of 2776    1552  a0fe55ed4b6e9f7b70c640681e7116c9_JaffaCakes118.exe  31             15
  PID 2776 wrote to memory of 2104    2776  csc.exe                                             32             4
  PID 2776 wrote to memory of 2088    2776  csc.exe                                             33             4
  PID 2776 wrote to memory of 1000    2776  csc.exe                                             35             6
  PID 2104 wrote to memory of 3000    2104  cmd.exe                                             38             4
  PID 2088 wrote to memory of 2428    2088  cmd.exe                                             39             4
Views/modifies file attributes (1 TTPs, 2 IoCs)
  pid   Process
  3000  attrib.exe
  2428  attrib.exe
Processes
(indentation and the level number give the position in the process tree; each entry lists image path, command line, PID and the signatures triggered by that process)

Level 1: C:\Users\Admin\AppData\Local\Temp\a0fe55ed4b6e9f7b70c640681e7116c9_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a0fe55ed4b6e9f7b70c640681e7116c9_JaffaCakes118.exe"
  PID: 1552
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    PID: 2776
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" +s +h
      PID: 2104
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" +s +h
        PID: 3000
        - Sets file to hidden
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Views/modifies file attributes

    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
      PID: 2088
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
        PID: 2428
        - Sets file to hidden
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Views/modifies file attributes

    Level 3: C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      PID: 1000