Analysis
max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
07-12-2024 23:20
Static task
static1
Behavioral task
behavioral1
Sample
d41ed77934a8a460388fa983451e5519_JaffaCakes118.exe
Resource
win7-20240708-en
General
Target
d41ed77934a8a460388fa983451e5519_JaffaCakes118.exe
Size
1.5MB
MD5
d41ed77934a8a460388fa983451e5519
SHA1
c320eb7eef84c885c0fa2df0bd132beca04d5a1d
SHA256
a883e11651dc14621a4c8659a09311b418d1d1df4f9a0f3124aae9e5530f1d53
SHA512
39f92fd7b9bccd1a8d01ab2207e7c46eedc172fe054bd4098c83127472059ba8332256c0e716c4381d38e8b89cd4f7e36d303d3812607150729f8baea913c04c
SSDEEP
24576:lD6nlaEHWNLLWB3yayyno8M2uwW4uQyQgN/b7NHOAmA+7ed6BpGPL1fq4rpr4c:lD6BHwKBiaDm2uwWfYA304Nr4
Malware Config
Signatures

- Darkcomet family

- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | d41ed77934a8a460388fa983451e5519_JaffaCakes118.exe

- Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | d41ed77934a8a460388fa983451e5519_JaffaCakes118.exe

- Identifies Wine through registry keys (2 TTPs, 1 IoC)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | d41ed77934a8a460388fa983451e5519_JaffaCakes118.exe

- Program crash (25 IoCs)
pid | pid_target | Process | procid_target
1476 | 3908 | WerFault.exe | 81
4824 | 3908 | WerFault.exe | 81
1796 | 3908 | WerFault.exe | 81
3460 | 3908 | WerFault.exe | 81
1852 | 3908 | WerFault.exe | 81
4496 | 3908 | WerFault.exe | 81
1128 | 3908 | WerFault.exe | 81
5108 | 3908 | WerFault.exe | 81
3960 | 3908 | WerFault.exe | 81
2856 | 3908 | WerFault.exe | 81
972 | 3908 | WerFault.exe | 81
4588 | 3908 | WerFault.exe | 81
1864 | 3908 | WerFault.exe | 81
432 | 3908 | WerFault.exe | 81
4888 | 3908 | WerFault.exe | 81
732 | 3908 | WerFault.exe | 81
4248 | 3908 | WerFault.exe | 81
1432 | 3908 | WerFault.exe | 81
4928 | 3908 | WerFault.exe | 81
60 | 3908 | WerFault.exe | 81
2120 | 3908 | WerFault.exe | 81
4056 | 3908 | WerFault.exe | 81
1092 | 3908 | WerFault.exe | 81
4848 | 3908 | WerFault.exe | 81
2592 | 3908 | WerFault.exe | 81

- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d41ed77934a8a460388fa983451e5519_JaffaCakes118.exe

- Suspicious use of AdjustPrivilegeToken (24 IoCs)
description | pid | Process
Token: SeIncreaseQuotaPrivilege | 3908 | d41ed77934a8a460388fa983451e5519_JaffaCakes118.exe
Token: SeSecurityPrivilege | 3908 | d41ed77934a8a460388fa983451e5519_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege | 3908 | d41ed77934a8a460388fa983451e5519_JaffaCakes118.exe
Token: SeLoadDriverPrivilege | 3908 | d41ed77934a8a460388fa983451e5519_JaffaCakes118.exe
Token: SeSystemProfilePrivilege | 3908 | d41ed77934a8a460388fa983451e5519_JaffaCakes118.exe
Token: SeSystemtimePrivilege | 3908 | d41ed77934a8a460388fa983451e5519_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege | 3908 | d41ed77934a8a460388fa983451e5519_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege | 3908 | d41ed77934a8a460388fa983451e5519_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege | 3908 | d41ed77934a8a460388fa983451e5519_JaffaCakes118.exe
Token: SeBackupPrivilege | 3908 | d41ed77934a8a460388fa983451e5519_JaffaCakes118.exe
Token: SeRestorePrivilege | 3908 | d41ed77934a8a460388fa983451e5519_JaffaCakes118.exe
Token: SeShutdownPrivilege | 3908 | d41ed77934a8a460388fa983451e5519_JaffaCakes118.exe
Token: SeDebugPrivilege | 3908 | d41ed77934a8a460388fa983451e5519_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege | 3908 | d41ed77934a8a460388fa983451e5519_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege | 3908 | d41ed77934a8a460388fa983451e5519_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege | 3908 | d41ed77934a8a460388fa983451e5519_JaffaCakes118.exe
Token: SeUndockPrivilege | 3908 | d41ed77934a8a460388fa983451e5519_JaffaCakes118.exe
Token: SeManageVolumePrivilege | 3908 | d41ed77934a8a460388fa983451e5519_JaffaCakes118.exe
Token: SeImpersonatePrivilege | 3908 | d41ed77934a8a460388fa983451e5519_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege | 3908 | d41ed77934a8a460388fa983451e5519_JaffaCakes118.exe
Token: 33 | 3908 | d41ed77934a8a460388fa983451e5519_JaffaCakes118.exe
Token: 34 | 3908 | d41ed77934a8a460388fa983451e5519_JaffaCakes118.exe
Token: 35 | 3908 | d41ed77934a8a460388fa983451e5519_JaffaCakes118.exe
Token: 36 | 3908 | d41ed77934a8a460388fa983451e5519_JaffaCakes118.exe
Processes
C:\Users\Admin\AppData\Local\Temp\d41ed77934a8a460388fa983451e5519_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d41ed77934a8a460388fa983451e5519_JaffaCakes118.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3908

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 396
      - Program crash
      PID:1476

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 420
      - Program crash
      PID:4824

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 428
      - Program crash
      PID:1796

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 608
      - Program crash
      PID:3460

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 448
      - Program crash
      PID:1852

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 420
      - Program crash
      PID:4496

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 612
      - Program crash
      PID:1128

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 628
      - Program crash
      PID:5108

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 636
      - Program crash
      PID:3960

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 608
      - Program crash
      PID:2856

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 644
      - Program crash
      PID:972

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 620
      - Program crash
      PID:4588

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 424
      - Program crash
      PID:1864

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 588
      - Program crash
      PID:432

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 620
      - Program crash
      PID:4888

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 624
      - Program crash
      PID:732

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 672
      - Program crash
      PID:4248

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 692
      - Program crash
      PID:1432

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 720
      - Program crash
      PID:4928

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 728
      - Program crash
      PID:60

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 688
      - Program crash
      PID:2120

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 736
      - Program crash
      PID:4056

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 752
      - Program crash
      PID:1092

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 768
      - Program crash
      PID:4848

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 804
      - Program crash
      PID:2592

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3908 -ip 3908
  PID:2604

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3908 -ip 3908
  PID:1032

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3908 -ip 3908
  PID:1612

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3908 -ip 3908
  PID:1536

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3908 -ip 3908
  PID:932

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3908 -ip 3908
  PID:4328

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3908 -ip 3908
  PID:2092

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3908 -ip 3908
  PID:1952

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3908 -ip 3908
  PID:2196

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3908 -ip 3908
  PID:1896

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3908 -ip 3908
  PID:1332

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3908 -ip 3908
  PID:3832

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3908 -ip 3908
  PID:4272

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3908 -ip 3908
  PID:4144

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3908 -ip 3908
  PID:1516

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3908 -ip 3908
  PID:4628

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3908 -ip 3908
  PID:864

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3908 -ip 3908
  PID:2340

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3908 -ip 3908
  PID:636

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3908 -ip 3908
  PID:888

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3908 -ip 3908
  PID:2324

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3908 -ip 3908
  PID:1328

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3908 -ip 3908
  PID:4556

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3908 -ip 3908
  PID:1936

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3908 -ip 3908
  PID:4432
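Reading the report as a whole: every Program crash row targets pid 3908, the sample's own process, there are no network signatures, and the Malware Config section is empty, so the behavioural evidence on this page consists of the evasion and discovery registry reads followed by a crash loop. The Python below is an added example by the editor, not code from the report or from Triage; it turns the two kinds of evidence on the page, registry IoC lines and WerFault command lines, into a short summary of the same shape an analyst would want from any sandbox or Procmon export. The category labels in REGISTRY_INDICATORS and the reading of the WerFault switches (-u children are per-crash reports for the faulting pid, -pss instances are the top-level reporting helpers) are the editor's assumptions; the sample input is constructed from the IoCs shown above plus one benign registry read added to show the unmatched path.

```python
"""Added example (editor's code, not part of the Triage report): classify
registry-access IoC lines and summarise WerFault crash records.

REGISTRY_INDICATORS and the WerFault switch interpretation are assumptions
for this example; the sample inputs are constructed from this page's IoCs.
"""
import re
from collections import Counter

# Registry paths sandboxes flag as evasion or discovery (substring -> label).
# Assumed mapping for this example, not Triage's own signature logic.
REGISTRY_INDICATORS = {
    r"\HARDWARE\ACPI\DSDT\VBOX__": "anti-vm: VirtualBox ACPI table",
    r"\HARDWARE\DESCRIPTION\System\SystemBiosVersion": "anti-sandbox: BIOS version",
    r"\Software\Wine": "anti-sandbox: Wine registry key",
    r"\Control\NLS\Language": "discovery: system language",
}

# "<action> <registry path> <process image>". The path may contain spaces, so
# it is matched lazily and the last whitespace-free token is the process.
IOC_RE = re.compile(r"^(Key opened|Key value queried)\s+(.+?)\s+(\S+)$")

# WerFault.exe switches as they appear in this report's process tree:
# "-u -p <pid> -s <n>" is the per-crash child for the faulting pid,
# "-pss -s <n> -p <pid> -ip <pid>" is a top-level reporting helper (assumed).
PID_RE = re.compile(r"(?:^|\s)-p\s+(\d+)")
USER_CRASH_RE = re.compile(r"(?:^|\s)-u(?:\s|$)")


def classify_registry_iocs(lines):
    """Return one record per parseable IoC line, with a category or None."""
    records = []
    for line in lines:
        m = IOC_RE.match(line.strip())
        if not m:
            continue  # not an IoC line; skip rather than guess
        action, path, process = m.groups()
        lowered = path.lower()
        category = next(
            (label for needle, label in REGISTRY_INDICATORS.items()
             if needle.lower() in lowered),
            None,
        )
        records.append({"action": action, "path": path,
                        "process": process, "category": category})
    return records


def summarize_werfault(cmdlines):
    """Count WerFault crash children per faulting pid and top-level helpers."""
    crashed = Counter()
    helpers = 0
    for cmd in cmdlines:
        if "werfault.exe" not in cmd.lower():
            continue
        pid = PID_RE.search(cmd)
        if USER_CRASH_RE.search(cmd) and pid:
            crashed[pid.group(1)] += 1
        elif "-pss" in cmd.split():
            helpers += 1
    return {"crash_reports": sum(crashed.values()),
            "crashed_pids": dict(crashed),
            "helper_instances": helpers}


def triage(ioc_lines, cmdlines):
    """Combine both views into the questions an analyst asks first."""
    iocs = classify_registry_iocs(ioc_lines)
    evasion = sorted({r["category"] for r in iocs
                      if r["category"] and r["category"].startswith("anti-")})
    discovery = sorted({r["category"] for r in iocs
                        if r["category"] and r["category"].startswith("discovery")})
    unmatched = [r["path"] for r in iocs if r["category"] is None]
    return {"evasion": evasion, "discovery": discovery,
            "unmatched_paths": unmatched,
            "crashes": summarize_werfault(cmdlines)}


# Constructed sample input: four lines from this report's IoCs plus one benign
# registry read (CurrentVersion) that should stay unclassified.
SAMPLE = "d41ed77934a8a460388fa983451e5519_JaffaCakes118.exe"
SAMPLE_IOCS = [
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ " + SAMPLE,
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion " + SAMPLE,
    r"Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine " + SAMPLE,
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language " + SAMPLE,
    r"Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion " + SAMPLE,
]
SAMPLE_CMDLINES = [
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 396",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 420",
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3908 -ip 3908",
    r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
]

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_IOCS, SAMPLE_CMDLINES), indent=2))
```

Run it as a script to see the summary for the constructed input; feed it the full Program crash and Processes sections of a report to get the per-pid crash count, which here would be 25 for pid 3908. The substring match on lowercased paths is deliberate: HKLM\HARDWARE keys show up under \REGISTRY\MACHINE in kernel-style paths and under HKEY_LOCAL_MACHINE in Procmon exports, and the suffix is what identifies the check.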