Analysis

- max time kernel: 150s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 07-12-2024 05:33
Behavioral task: behavioral1

- Sample: d0e0f6380b41345ddd15c2eaa2e1d058_JaffaCakes118.exe
- Resource: win7-20240903-en
General

- Target: d0e0f6380b41345ddd15c2eaa2e1d058_JaffaCakes118.exe
- Size: 350KB
- MD5: d0e0f6380b41345ddd15c2eaa2e1d058
- SHA1: 83c58927d06b1bb4b649797a369ed24ff422043a
- SHA256: d6bf9497d6ceec5a40a538c2470371343318a71aa490a48ea59abac338c92473
- SHA512: d945882062f607d3df1149a4f7d0d22115523ed9db06a057891dfa2a911c458e83ae9cade18f90227c7263596752ba1b2dd3635e300fa1cdc3e1a3475aa2376b
- SSDEEP: 6144:kD7cY2fgssM7Wirg9KXylmRiL+QMeC/i6isqX7UovnONztByipwxZTlI2hgplSZJ:kl8E4w5huat7UovONzbXw3Nh/NVR
Malware Config

Extracted

- Family: darkcomet
- Botnet: Guest16
- C2: zarloc.weuns.fr:1604, zarloc.dyndns.org:1604
- Mutex: DC_MUTEX-F54S21D
- Attributes:
  - gencode: qzavXgkDi3Kh
  - install: false
  - offline_keylogger: true
  - password: jet'aieuconnard
  - persistence: false
Signatures

- Darkcomet family

- Sets file to hidden (1 TTPs, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.

  pid   Process
  2572  attrib.exe
  2580  attrib.exe

- Memory dumps matching the upx yara rule (16 IoCs)

  resource                                                                 yara_rule
  behavioral1/memory/2080-0-0x0000000000400000-0x00000000004EB000-memory.dmp   upx
  behavioral1/memory/2080-31-0x0000000000400000-0x00000000004EB000-memory.dmp  upx
  behavioral1/memory/2080-32-0x0000000000400000-0x00000000004EB000-memory.dmp  upx
  behavioral1/memory/2080-33-0x0000000000400000-0x00000000004EB000-memory.dmp  upx
  behavioral1/memory/2080-34-0x0000000000400000-0x00000000004EB000-memory.dmp  upx
  behavioral1/memory/2080-35-0x0000000000400000-0x00000000004EB000-memory.dmp  upx
  behavioral1/memory/2080-36-0x0000000000400000-0x00000000004EB000-memory.dmp  upx
  behavioral1/memory/2080-37-0x0000000000400000-0x00000000004EB000-memory.dmp  upx
  behavioral1/memory/2080-38-0x0000000000400000-0x00000000004EB000-memory.dmp  upx
  behavioral1/memory/2080-39-0x0000000000400000-0x00000000004EB000-memory.dmp  upx
  behavioral1/memory/2080-40-0x0000000000400000-0x00000000004EB000-memory.dmp  upx
  behavioral1/memory/2080-41-0x0000000000400000-0x00000000004EB000-memory.dmp  upx
  behavioral1/memory/2080-42-0x0000000000400000-0x00000000004EB000-memory.dmp  upx
  behavioral1/memory/2080-43-0x0000000000400000-0x00000000004EB000-memory.dmp  upx
  behavioral1/memory/2080-44-0x0000000000400000-0x00000000004EB000-memory.dmp  upx
  behavioral1/memory/2080-45-0x0000000000400000-0x00000000004EB000-memory.dmp  upx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  attrib.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  attrib.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  d0e0f6380b41345ddd15c2eaa2e1d058_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  notepad.exe
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
  All entries: pid 2080, Process d0e0f6380b41345ddd15c2eaa2e1d058_JaffaCakes118.exe

  description
  Token: SeIncreaseQuotaPrivilege
  Token: SeSecurityPrivilege
  Token: SeTakeOwnershipPrivilege
  Token: SeLoadDriverPrivilege
  Token: SeSystemProfilePrivilege
  Token: SeSystemtimePrivilege
  Token: SeProfSingleProcessPrivilege
  Token: SeIncBasePriorityPrivilege
  Token: SeCreatePagefilePrivilege
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeShutdownPrivilege
  Token: SeDebugPrivilege
  Token: SeSystemEnvironmentPrivilege
  Token: SeChangeNotifyPrivilege
  Token: SeRemoteShutdownPrivilege
  Token: SeUndockPrivilege
  Token: SeManageVolumePrivilege
  Token: SeImpersonatePrivilege
  Token: SeCreateGlobalPrivilege
  Token: 33
  Token: 34
  Token: 35

- Suspicious use of SetWindowsHookEx (1 IoCs)

  pid   Process
  2080  d0e0f6380b41345ddd15c2eaa2e1d058_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (47 IoCs; identical entries collapsed, count in the last column)

  description                        pid   Process                                             procid_target  entries
  PID 2080 wrote to memory of 2788   2080  d0e0f6380b41345ddd15c2eaa2e1d058_JaffaCakes118.exe  30             4
  PID 2080 wrote to memory of 2768   2080  d0e0f6380b41345ddd15c2eaa2e1d058_JaffaCakes118.exe  31             4
  PID 2080 wrote to memory of 2816   2080  d0e0f6380b41345ddd15c2eaa2e1d058_JaffaCakes118.exe  32             4
  PID 2080 wrote to memory of 2136   2080  d0e0f6380b41345ddd15c2eaa2e1d058_JaffaCakes118.exe  35             4
  PID 2080 wrote to memory of 2696   2080  d0e0f6380b41345ddd15c2eaa2e1d058_JaffaCakes118.exe  36             23
  PID 2788 wrote to memory of 2572   2788  cmd.exe                                             37             4
  PID 2768 wrote to memory of 2580   2768  cmd.exe                                             38             4

- Views/modifies file attributes (1 TTPs, 2 IoCs)

  pid   Process
  2572  attrib.exe
  2580  attrib.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\d0e0f6380b41345ddd15c2eaa2e1d058_JaffaCakes118.exe (PID 2080)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d0e0f6380b41345ddd15c2eaa2e1d058_JaffaCakes118.exe"
  Signatures:
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:

  - C:\Windows\SysWOW64\cmd.exe (PID 2788)
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\d0e0f6380b41345ddd15c2eaa2e1d058_JaffaCakes118.exe" +s +h
    Signatures:
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Child processes:

    - C:\Windows\SysWOW64\attrib.exe (PID 2572)
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\d0e0f6380b41345ddd15c2eaa2e1d058_JaffaCakes118.exe" +s +h
      Signatures:
      - Sets file to hidden
      - System Location Discovery: System Language Discovery
      - Views/modifies file attributes

  - C:\Windows\SysWOW64\cmd.exe (PID 2768)
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    Signatures:
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Child processes:

    - C:\Windows\SysWOW64\attrib.exe (PID 2580)
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      Signatures:
      - Sets file to hidden
      - System Location Discovery: System Language Discovery
      - Views/modifies file attributes

  - C:\Program Files (x86)\Internet Explorer\iexplore.exe (PID 2816)
    Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"

  - C:\Windows\explorer.exe (PID 2136)
    Command line: "C:\Windows\explorer.exe"

  - C:\Windows\SysWOW64\notepad.exe (PID 2696)
    Command line: notepad
    Signatures:
    - System Location Discovery: System Language Discovery