Analysis
-
max time kernel
149s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
-
submitted
07-12-2024 09:07
Static task
static1
Behavioral task
behavioral1
Sample
d1a81adcb2b654ac92172655905d21f3_JaffaCakes118.exe
Resource
win7-20240903-en
General
-
Target
d1a81adcb2b654ac92172655905d21f3_JaffaCakes118.exe
-
Size
1.4MB
-
MD5
d1a81adcb2b654ac92172655905d21f3
-
SHA1
76c49ad0511f2b0d2dedac0bbb37c6965f9bb419
-
SHA256
ba9ef84922ff0787de3e1c0cd23aedc711ba98694a92552941508372edadecac
-
SHA512
3cfb2409e94398b01db9dc462f0000143473e84ff67a60ec59b03b785f86e491308d22625cee36c9cd82f909e725793f70c6323f3d0b86898e4438938bec096d
-
SSDEEP
24576:saHMv6CorjqnyC8xlDG75HN8+zCD2i/x0HJ9tgPTtbN:s1vqjdC8PDeHN8+k2iKpmR
Malware Config
Signatures
-
Darkcomet family
-
Executes dropped EXE 1 IoCs
pid | Process
1280 | uncrypted.exe
-
Loads dropped DLL 5 IoCs
pid | Process
3048 | d1a81adcb2b654ac92172655905d21f3_JaffaCakes118.exe
3048 | d1a81adcb2b654ac92172655905d21f3_JaffaCakes118.exe
3048 | d1a81adcb2b654ac92172655905d21f3_JaffaCakes118.exe
3048 | d1a81adcb2b654ac92172655905d21f3_JaffaCakes118.exe
3048 | d1a81adcb2b654ac92172655905d21f3_JaffaCakes118.exe
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/3048-0-0x0000000000400000-0x00000000004D3000-memory.dmp | autoit_exe
-
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 1280 set thread context of 2748 | 1280 | uncrypted.exe | 31
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d1a81adcb2b654ac92172655905d21f3_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | uncrypted.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iexplore.exe
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
description | pid | Process
Token: SeIncreaseQuotaPrivilege | 1280 | uncrypted.exe
Token: SeSecurityPrivilege | 1280 | uncrypted.exe
Token: SeTakeOwnershipPrivilege | 1280 | uncrypted.exe
Token: SeLoadDriverPrivilege | 1280 | uncrypted.exe
Token: SeSystemProfilePrivilege | 1280 | uncrypted.exe
Token: SeSystemtimePrivilege | 1280 | uncrypted.exe
Token: SeProfSingleProcessPrivilege | 1280 | uncrypted.exe
Token: SeIncBasePriorityPrivilege | 1280 | uncrypted.exe
Token: SeCreatePagefilePrivilege | 1280 | uncrypted.exe
Token: SeBackupPrivilege | 1280 | uncrypted.exe
Token: SeRestorePrivilege | 1280 | uncrypted.exe
Token: SeShutdownPrivilege | 1280 | uncrypted.exe
Token: SeDebugPrivilege | 1280 | uncrypted.exe
Token: SeSystemEnvironmentPrivilege | 1280 | uncrypted.exe
Token: SeChangeNotifyPrivilege | 1280 | uncrypted.exe
Token: SeRemoteShutdownPrivilege | 1280 | uncrypted.exe
Token: SeUndockPrivilege | 1280 | uncrypted.exe
Token: SeManageVolumePrivilege | 1280 | uncrypted.exe
Token: SeImpersonatePrivilege | 1280 | uncrypted.exe
Token: SeCreateGlobalPrivilege | 1280 | uncrypted.exe
Token: 33 | 1280 | uncrypted.exe
Token: 34 | 1280 | uncrypted.exe
Token: 35 | 1280 | uncrypted.exe
Token: SeIncreaseQuotaPrivilege | 2748 | iexplore.exe
Token: SeSecurityPrivilege | 2748 | iexplore.exe
Token: SeTakeOwnershipPrivilege | 2748 | iexplore.exe
Token: SeLoadDriverPrivilege | 2748 | iexplore.exe
Token: SeSystemProfilePrivilege | 2748 | iexplore.exe
Token: SeSystemtimePrivilege | 2748 | iexplore.exe
Token: SeProfSingleProcessPrivilege | 2748 | iexplore.exe
Token: SeIncBasePriorityPrivilege | 2748 | iexplore.exe
Token: SeCreatePagefilePrivilege | 2748 | iexplore.exe
Token: SeBackupPrivilege | 2748 | iexplore.exe
Token: SeRestorePrivilege | 2748 | iexplore.exe
Token: SeShutdownPrivilege | 2748 | iexplore.exe
Token: SeDebugPrivilege | 2748 | iexplore.exe
Token: SeSystemEnvironmentPrivilege | 2748 | iexplore.exe
Token: SeChangeNotifyPrivilege | 2748 | iexplore.exe
Token: SeRemoteShutdownPrivilege | 2748 | iexplore.exe
Token: SeUndockPrivilege | 2748 | iexplore.exe
Token: SeManageVolumePrivilege | 2748 | iexplore.exe
Token: SeImpersonatePrivilege | 2748 | iexplore.exe
Token: SeCreateGlobalPrivilege | 2748 | iexplore.exe
Token: 33 | 2748 | iexplore.exe
Token: 34 | 2748 | iexplore.exe
Token: 35 | 2748 | iexplore.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
2748 | iexplore.exe
-
Suspicious use of WriteProcessMemory 10 IoCs
description | pid | Process | procid_target
PID 3048 wrote to memory of 1280 | 3048 | d1a81adcb2b654ac92172655905d21f3_JaffaCakes118.exe | 30
PID 3048 wrote to memory of 1280 | 3048 | d1a81adcb2b654ac92172655905d21f3_JaffaCakes118.exe | 30
PID 3048 wrote to memory of 1280 | 3048 | d1a81adcb2b654ac92172655905d21f3_JaffaCakes118.exe | 30
PID 3048 wrote to memory of 1280 | 3048 | d1a81adcb2b654ac92172655905d21f3_JaffaCakes118.exe | 30
PID 1280 wrote to memory of 2748 | 1280 | uncrypted.exe | 31
PID 1280 wrote to memory of 2748 | 1280 | uncrypted.exe | 31
PID 1280 wrote to memory of 2748 | 1280 | uncrypted.exe | 31
PID 1280 wrote to memory of 2748 | 1280 | uncrypted.exe | 31
PID 1280 wrote to memory of 2748 | 1280 | uncrypted.exe | 31
PID 1280 wrote to memory of 2748 | 1280 | uncrypted.exe | 31
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\d1a81adcb2b654ac92172655905d21f3_JaffaCakes118.exe
   "C:\Users\Admin\AppData\Local\Temp\d1a81adcb2b654ac92172655905d21f3_JaffaCakes118.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID:3048
-
  2. C:\Users\Admin\AppData\Local\Temp\uncrypted.exe
     "C:\Users\Admin\AppData\Local\Temp\uncrypted.exe"
     - Executes dropped EXE
     - Suspicious use of SetThreadContext
     - System Location Discovery: System Language Discovery
     - Suspicious use of AdjustPrivilegeToken
     - Suspicious use of WriteProcessMemory
     PID:1280
-
    3. C:\Program Files (x86)\Internet Explorer\iexplore.exe
       "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
       - System Location Discovery: System Language Discovery
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious use of SetWindowsHookEx
       PID:2748
-
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
646KB
MD5
0ce429b1566b4e5c48f0e0d9e4b71a1c
SHA1
4cb2de408e2f69a2b5d7a0e81c8d8521fb467f77
SHA256
6444cd8cf8308ae4b6031e19488ed7be3ded8fc70d6c175325cc27fb4d1607ea
SHA512
e32766c30e681f7ea9b1a11fd620b82ecaa3a4c5baae94d4468778081218bfac397a2336aec8b8780ed86eb0cc3fc925dfdef6fddc59a9b36d865aead1369ff5
-
Filesize
646KB
MD5
023ee2c291f4576c070c573532f54bd2
SHA1
01302bba9bda611af668412d5ff26db6808f16fc
SHA256
607c9ac33e7e133a579c5ebfbad8f70ca5c7a51bbf1dda318873f4731e016afb
SHA512
4124798f529f2a2aa0c14fe144e905bda55e8cf12137a3eeb1109acd29c7cb11c64dc9a6bfe212480dfef9fd041e1e701e5af03de92ac82a140f44278d47e4c7