Analysis
- max time kernel: 150s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-11-2024 21:10
Static task: static1
Behavioral task: behavioral1
Sample: a42208c4a96c249f3d6fe39f43144f36_JaffaCakes118.exe
Resource: win7-20240903-en
General
- Target: a42208c4a96c249f3d6fe39f43144f36_JaffaCakes118.exe
- Size: 496KB
- MD5: a42208c4a96c249f3d6fe39f43144f36
- SHA1: ff90b696d74d75932e122c774a95fc4671a41d86
- SHA256: 245500ee74fd9b8b021c38be617d72261d02a6d3fb8f9402fa0a10d5a1f41f93
- SHA512: ce1977713291c941b47a1435f55db11e18a882a2c452b1a57bc115db68206d13c7b67fd780ddd728fda20a8fa5b329218700ec6c09188f3e8b9d1e0471fa0869
- SSDEEP: 12288:tFz2y90KU7E7B8aNHaqGQnZrCIn3dTTXV2hl:tt2yZU7E7SaXGQnZuInN/XVe
Malware Config
Extracted
- Family: darkcomet
- Server-AX
- 69.65.7.136:8808
- Fdgrh5uy5ynmnm
- gencode: LE9RG3w4nFUG
- install: false
- offline_keylogger: true
- password: @closer1989
- persistence: false
Signatures
- Darkcomet family
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation (a42208c4a96c249f3d6fe39f43144f36_JaffaCakes118.exe)
- Executes dropped EXE (3 IoCs)
  PID 4196 a42208c4a96c249f3d6fe39f43144f36_JaffaCakes118.exe
  PID 4104 GoogleUpdate.exe
  PID 1636 GoogleUpdate.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleUpdate.exe = "C:\\Program Files (x86)\\Google\\GoogleUpdate.exe" (reg.exe)
- Suspicious use of SetThreadContext (3 IoCs)
  PID 4564 set thread context of 4196 (a42208c4a96c249f3d6fe39f43144f36_JaffaCakes118.exe, procid_target 83)
  PID 4104 set thread context of 1636 (GoogleUpdate.exe, procid_target 91)
  PID 4104 set thread context of 3124 (GoogleUpdate.exe, procid_target 92)
- Memory regions matching YARA rule upx
  behavioral2/memory/4196-13-0x0000000000400000-0x000000000040B000-memory.dmp
  behavioral2/memory/4196-16-0x0000000000400000-0x000000000040B000-memory.dmp
  behavioral2/memory/4196-18-0x0000000000400000-0x000000000040B000-memory.dmp
  behavioral2/memory/3124-49-0x0000000000400000-0x00000000004BB000-memory.dmp
  behavioral2/memory/3124-51-0x0000000000400000-0x00000000004BB000-memory.dmp
  behavioral2/memory/4196-52-0x0000000000400000-0x000000000040B000-memory.dmp
  behavioral2/memory/3124-54-0x0000000000400000-0x00000000004BB000-memory.dmp
  behavioral2/memory/3124-55-0x0000000000400000-0x00000000004BB000-memory.dmp
  behavioral2/memory/3124-56-0x0000000000400000-0x00000000004BB000-memory.dmp
  behavioral2/memory/1636-57-0x0000000000400000-0x000000000040B000-memory.dmp
- Drops file in Program Files directory (3 IoCs)
  File opened for modification: C:\Program Files (x86)\Google\GoogleUpdate.exe (GoogleUpdate.exe)
  File created: C:\Program Files (x86)\Google\GoogleUpdate.exe (a42208c4a96c249f3d6fe39f43144f36_JaffaCakes118.exe)
  File opened for modification: C:\Program Files (x86)\Google\GoogleUpdate.exe (a42208c4a96c249f3d6fe39f43144f36_JaffaCakes118.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe, reg.exe, GoogleUpdate.exe (2 events), svchost.exe and a42208c4a96c249f3d6fe39f43144f36_JaffaCakes118.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  PID 3124 svchost.exe (24 tokens): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  PID 1636 GoogleUpdate.exe (40 events): SeDebugPrivilege
- Suspicious use of SetWindowsHookEx (7 IoCs)
  PID 4564 a42208c4a96c249f3d6fe39f43144f36_JaffaCakes118.exe
  PID 4196 a42208c4a96c249f3d6fe39f43144f36_JaffaCakes118.exe
  PID 4104 GoogleUpdate.exe (2 events)
  PID 1636 GoogleUpdate.exe (2 events)
  PID 3124 svchost.exe
- Suspicious use of WriteProcessMemory (33 IoCs)
  PID 4564 wrote to memory of 4196 (a42208c4a96c249f3d6fe39f43144f36_JaffaCakes118.exe, procid_target 83): 8 events
  PID 4196 wrote to memory of 2808 (a42208c4a96c249f3d6fe39f43144f36_JaffaCakes118.exe, procid_target 84): 3 events
  PID 2808 wrote to memory of 4780 (cmd.exe, procid_target 87): 3 events
  PID 4196 wrote to memory of 4104 (a42208c4a96c249f3d6fe39f43144f36_JaffaCakes118.exe, procid_target 88): 3 events
  PID 4104 wrote to memory of 1636 (GoogleUpdate.exe, procid_target 91): 8 events
  PID 4104 wrote to memory of 3124 (GoogleUpdate.exe, procid_target 92): 8 events
Processes
- C:\Users\Admin\AppData\Local\Temp\a42208c4a96c249f3d6fe39f43144f36_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a42208c4a96c249f3d6fe39f43144f36_JaffaCakes118.exe"
  PID: 4564
  Signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\a42208c4a96c249f3d6fe39f43144f36_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a42208c4a96c249f3d6fe39f43144f36_JaffaCakes118.exe"
    PID: 4196
    Signatures: Checks computer location settings; Executes dropped EXE; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PLLXU.bat" "
      PID: 2808
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdate.exe" /t REG_SZ /d "C:\Program Files (x86)\Google\GoogleUpdate.exe" /f
        PID: 4780
        Signatures: Adds Run key to start application; System Location Discovery: System Language Discovery
    - C:\Program Files (x86)\Google\GoogleUpdate.exe
      Command line: "C:\Program Files (x86)\Google\GoogleUpdate.exe"
      PID: 4104
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Google\GoogleUpdate.exe
        Command line: "C:\Program Files (x86)\Google\GoogleUpdate.exe"
        PID: 1636
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
      - C:\Windows\SysWOW64\svchost.exe
        Command line: "C:\Windows\system32\svchost.exe"
        PID: 3124
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 496KB
  MD5: ef68597d48f2f17ce6eabcabba615015
  SHA1: 9790c4762de36c8afa3c5f7fbab72d60a2193697
  SHA256: 424655b6dc73925958a0fdef1d6369afc989a5ab1f6f7ae48f44de78d2d28619
  SHA512: 006926e14af4adce0a478e1175cdde231b4cef3c1199234c887c2e12f0840b621e92d7581a99235e4b130f9fbff64365e8b26a5720c8b5584673d3e15952ad8c
- Filesize: 149B
  MD5: 230d0de063ef5fac6ddf78a06a6b4a07
  SHA1: 8bcba04b39b99467b2d96be25f0bbafb7e84c37f
  SHA256: fe8f149d184c56d038989c811077379d51f567d68fa7e709c32228b3e68fdd7d
  SHA512: 057010085b093d008294df1572c82accc4118f404d0fac0a945a0966df0ffd9af33ad162821472e2842a457006551add99185fe5cb772dce61349aa11552f1d4
- Filesize: 496KB
  MD5: a42208c4a96c249f3d6fe39f43144f36
  SHA1: ff90b696d74d75932e122c774a95fc4671a41d86
  SHA256: 245500ee74fd9b8b021c38be617d72261d02a6d3fb8f9402fa0a10d5a1f41f93
  SHA512: ce1977713291c941b47a1435f55db11e18a882a2c452b1a57bc115db68206d13c7b67fd780ddd728fda20a8fa5b329218700ec6c09188f3e8b9d1e0471fa0869