Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-12-2024 23:32
Static task: static1
Behavioral task: behavioral1
  Sample: d4285e886b4d81728de778b39b211e07_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: d4285e886b4d81728de778b39b211e07_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: d4285e886b4d81728de778b39b211e07_JaffaCakes118.exe
Size: 3.4MB
MD5: d4285e886b4d81728de778b39b211e07
SHA1: 7c9cfafda829af1f6bac158ade9b900441d84983
SHA256: 73f8e850ab930de45a313a06b622f999e810e6edce5e3eabc6baeb728b94cabc
SHA512: c1ca7f058c12348102efeec7e20177cafd71bc8b39bf10bfb084e1b2698b8a5af0ea56e2d9bb476b59ee29e0bce6bd7181ba41694f23a724c49e3978edcf501e
SSDEEP: 98304:/jduqnnua0zdqNQoJYVVI/vQ2iUP/lAyT3N3s:/jgqnnu1zdqN/+VaQ2Hl9zNc
Malware Config
Signatures
Darkcomet family

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\GoogleToolbar\\GoogleUpdate.exe" | Output.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | Output.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | GoogleUpdate.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | d4285e886b4d81728de778b39b211e07_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | Output.exe
Executes dropped EXE (5 IoCs)
pid | Process
1408 | Setup.exe
4048 | Output.exe
3596 | Output.exe
772 | GoogleUpdate.exe
1968 | GoogleUpdate.exe
Loads dropped DLL (2 IoCs)
pid | Process
1408 | Setup.exe
1408 | Setup.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleUpdater.exe = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleToolbar\\GoogleUpdate.exe" | Output.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleUpdater.exe = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleToolbar\\GoogleUpdate.exe" | notepad.exe
Drops autorun.inf file (1 TTP, 12 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | D:\Autorun.inf | GoogleUpdate.exe
File created | F:\Autorun.inf | GoogleUpdate.exe
File opened for modification | F:\Autorun.inf | GoogleUpdate.exe
File created | C:\Autorun.inf | Output.exe
File created | F:\Autorun.inf | Output.exe
File opened for modification | F:\Autorun.inf | Output.exe
File opened for modification | C:\Autorun.inf | GoogleUpdate.exe
File created | D:\Autorun.inf | GoogleUpdate.exe
File opened for modification | C:\Autorun.inf | Output.exe
File created | D:\Autorun.inf | Output.exe
File opened for modification | D:\Autorun.inf | Output.exe
File created | C:\Autorun.inf | GoogleUpdate.exe
Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 4048 set thread context of 3596 | 4048 | Output.exe | 84
PID 772 set thread context of 1968 | 772 | GoogleUpdate.exe | 88
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | notepad.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d4285e886b4d81728de778b39b211e07_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Setup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Output.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Output.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | notepad.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | GoogleUpdate.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | GoogleUpdate.exe
NSIS installer (2 IoCs)
resource | yara_rule
behavioral2/files/0x0008000000023ca7-6.dat | nsis_installer_1
behavioral2/files/0x0008000000023ca7-6.dat | nsis_installer_2
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | GoogleUpdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | GoogleUpdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | GoogleUpdate.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Output.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Output.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | Output.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | Output.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | GoogleUpdate.exe
Enumerates system info in registry (2 TTPs, 2 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | Output.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | GoogleUpdate.exe
Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Output.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
1968 | GoogleUpdate.exe
Suspicious use of AdjustPrivilegeToken (48 IoCs)
description | pid | Process
Token: SeIncreaseQuotaPrivilege | 3596 | Output.exe
Token: SeSecurityPrivilege | 3596 | Output.exe
Token: SeTakeOwnershipPrivilege | 3596 | Output.exe
Token: SeLoadDriverPrivilege | 3596 | Output.exe
Token: SeSystemProfilePrivilege | 3596 | Output.exe
Token: SeSystemtimePrivilege | 3596 | Output.exe
Token: SeProfSingleProcessPrivilege | 3596 | Output.exe
Token: SeIncBasePriorityPrivilege | 3596 | Output.exe
Token: SeCreatePagefilePrivilege | 3596 | Output.exe
Token: SeBackupPrivilege | 3596 | Output.exe
Token: SeRestorePrivilege | 3596 | Output.exe
Token: SeShutdownPrivilege | 3596 | Output.exe
Token: SeDebugPrivilege | 3596 | Output.exe
Token: SeSystemEnvironmentPrivilege | 3596 | Output.exe
Token: SeChangeNotifyPrivilege | 3596 | Output.exe
Token: SeRemoteShutdownPrivilege | 3596 | Output.exe
Token: SeUndockPrivilege | 3596 | Output.exe
Token: SeManageVolumePrivilege | 3596 | Output.exe
Token: SeImpersonatePrivilege | 3596 | Output.exe
Token: SeCreateGlobalPrivilege | 3596 | Output.exe
Token: 33 | 3596 | Output.exe
Token: 34 | 3596 | Output.exe
Token: 35 | 3596 | Output.exe
Token: 36 | 3596 | Output.exe
Token: SeIncreaseQuotaPrivilege | 1968 | GoogleUpdate.exe
Token: SeSecurityPrivilege | 1968 | GoogleUpdate.exe
Token: SeTakeOwnershipPrivilege | 1968 | GoogleUpdate.exe
Token: SeLoadDriverPrivilege | 1968 | GoogleUpdate.exe
Token: SeSystemProfilePrivilege | 1968 | GoogleUpdate.exe
Token: SeSystemtimePrivilege | 1968 | GoogleUpdate.exe
Token: SeProfSingleProcessPrivilege | 1968 | GoogleUpdate.exe
Token: SeIncBasePriorityPrivilege | 1968 | GoogleUpdate.exe
Token: SeCreatePagefilePrivilege | 1968 | GoogleUpdate.exe
Token: SeBackupPrivilege | 1968 | GoogleUpdate.exe
Token: SeRestorePrivilege | 1968 | GoogleUpdate.exe
Token: SeShutdownPrivilege | 1968 | GoogleUpdate.exe
Token: SeDebugPrivilege | 1968 | GoogleUpdate.exe
Token: SeSystemEnvironmentPrivilege | 1968 | GoogleUpdate.exe
Token: SeChangeNotifyPrivilege | 1968 | GoogleUpdate.exe
Token: SeRemoteShutdownPrivilege | 1968 | GoogleUpdate.exe
Token: SeUndockPrivilege | 1968 | GoogleUpdate.exe
Token: SeManageVolumePrivilege | 1968 | GoogleUpdate.exe
Token: SeImpersonatePrivilege | 1968 | GoogleUpdate.exe
Token: SeCreateGlobalPrivilege | 1968 | GoogleUpdate.exe
Token: 33 | 1968 | GoogleUpdate.exe
Token: 34 | 1968 | GoogleUpdate.exe
Token: 35 | 1968 | GoogleUpdate.exe
Token: 36 | 1968 | GoogleUpdate.exe
Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
1968 | GoogleUpdate.exe
Suspicious use of WriteProcessMemory (64 IoCs; identical rows collapsed with their repeat count)
description | pid | Process | procid_target | occurrences
PID 3292 wrote to memory of 1408 | 3292 | d4285e886b4d81728de778b39b211e07_JaffaCakes118.exe | 82 | 3
PID 3292 wrote to memory of 4048 | 3292 | d4285e886b4d81728de778b39b211e07_JaffaCakes118.exe | 83 | 3
PID 4048 wrote to memory of 3596 | 4048 | Output.exe | 84 | 14
PID 3596 wrote to memory of 2156 | 3596 | Output.exe | 85 | 23
PID 3596 wrote to memory of 1440 | 3596 | Output.exe | 86 | 3
PID 3596 wrote to memory of 772 | 3596 | Output.exe | 87 | 3
PID 772 wrote to memory of 1968 | 772 | GoogleUpdate.exe | 88 | 14
PID 1968 wrote to memory of 1128 | 1968 | GoogleUpdate.exe | 89 | 1
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\d4285e886b4d81728de778b39b211e07_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\d4285e886b4d81728de778b39b211e07_JaffaCakes118.exe"
  PID: 3292
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Users\Admin\AppData\Local\Temp\Setup.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    PID: 1408
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
  (depth 2) C:\Users\Admin\AppData\Local\Temp\Output.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Output.exe"
    PID: 4048
    - Executes dropped EXE
    - Drops autorun.inf file
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Users\Admin\AppData\Local\Temp\Output.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Output.exe"
      PID: 3596
      - Modifies WinLogon for persistence
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Enumerates system info in registry
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      (depth 4) C:\Windows\SysWOW64\notepad.exe
        command line: notepad
        PID: 2156
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
      (depth 4) C:\Windows\SysWOW64\explorer.exe
        command line: "C:\Windows\SysWOW64\explorer.exe"
        PID: 1440
      (depth 4) C:\Users\Admin\AppData\Roaming\GoogleToolbar\GoogleUpdate.exe
        command line: "C:\Users\Admin\AppData\Roaming\GoogleToolbar\GoogleUpdate.exe"
        PID: 772
        - Executes dropped EXE
        - Drops autorun.inf file
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        (depth 5) C:\Users\Admin\AppData\Roaming\GoogleToolbar\GoogleUpdate.exe
          command line: "C:\Users\Admin\AppData\Roaming\GoogleToolbar\GoogleUpdate.exe"
          PID: 1968
          - Checks BIOS information in registry
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Checks processor information in registry
          - Enumerates system info in registry
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          (depth 6) C:\Windows\SysWOW64\notepad.exe
            command line: C:\Windows\SysWOW64\notepad.exe
            PID: 1128
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Downloads
Filesize: 728KB
MD5: 9c3dbd2ab74b4700c37db25700941c3d
SHA1: f13b850a988924658f11b9b0a7b57f7b306edbcf
SHA256: 72c34b37c51263fd1661f3597e1aeb3e6383c247a5aaf1ecbf2361d0c3f7adc8
SHA512: 96e85901470e278d6e6d30bcc865b9710f98e6b3a17b7d824b92ed9fd8c1dddfc64bc5320247009f63646e511a067018a9f94bbadc5179caea33626c22eb24ea

Filesize: 2.6MB
MD5: 83d8747e88517d0b2caa0de6f51cdb0b
SHA1: 0cd091f5b282e887e407950629c89fd808c9803c
SHA256: 6ddbe7bc2b9b330973353729a49532d5bfc8325ab025ef0034feb5bb8650bc2c
SHA512: ee5eea6538a4076d824f7d703b1ca16ff5da8128fd544234ff44489cc253dfbdc6762205a17cd87ff1b18e88fd7f38ee16b8c44f10cd406630e4c83ddf0915c7

Filesize: 6KB
MD5: 13cc92f90a299f5b2b2f795d0d2e47dc
SHA1: aa69ead8520876d232c6ed96021a4825e79f542f
SHA256: eb1ca2b3a6e564c32677d0cdc388e26b74ef686e071d7dbca44d0bfa10488feb
SHA512: ff4e6e6e7104568fc85ef3a3f0494a5c7822a4ceaf65c584ad534f08f9a472a8d86f0a62f1f86343c61e2540b2254714b7ea43e4b312ff13d8271ff069386fa3

Filesize: 7KB
MD5: a4173b381625f9f12aadb4e1cdaefdb8
SHA1: cf1680c2bc970d5675adbf5e89292a97e6724713
SHA256: 7755ff2707ca19344d489a5acec02d9e310425fa6e100d2f13025761676b875b
SHA512: fcac79d42862da6bdd3ecad9d887a975cdff2301a8322f321be58f754a26b27077b452faa4751bbd09cd3371b4afce65255fbbb443e2c93dd2cba0ba652f4a82

Filesize: 35B
MD5: 934aa9eb81516482c6367fb116ec9b1f
SHA1: 1a97f913ef76ff83b1ba87c735b597b7b7564ae6
SHA256: ecb5eb3c67cb390de6fca259684385d1b839f2fa9b96c3198eb5837ebb65c609
SHA512: 608d4a3dffb258db8418197dbc28c5bd814ca15517b4a96e6b51a3f36da586379c724ba32f4d413cd9d155bcd47780964567860df7352f2c437de297ab30d118