Analysis
max time kernel: 149s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-12-2024 09:07
Static task: static1
Behavioral task: behavioral1
  Sample: d1a81adcb2b654ac92172655905d21f3_JaffaCakes118.exe
  Resource: win7-20240903-en
Note that the signatures and process tree on this page are from the Windows 10 run (platform windows10-2004_x64, resource win10v2004-20241007-en above; the AutoIT YARA hit is recorded under behavioral2/), not from the Windows 7 task listed in this tab.
General
Target: d1a81adcb2b654ac92172655905d21f3_JaffaCakes118.exe
Size: 1.4MB
MD5: d1a81adcb2b654ac92172655905d21f3
SHA1: 76c49ad0511f2b0d2dedac0bbb37c6965f9bb419
SHA256: ba9ef84922ff0787de3e1c0cd23aedc711ba98694a92552941508372edadecac
SHA512: 3cfb2409e94398b01db9dc462f0000143473e84ff67a60ec59b03b785f86e491308d22625cee36c9cd82f909e725793f70c6323f3d0b86898e4438938bec096d
SSDEEP: 24576:saHMv6CorjqnyC8xlDG75HN8+zCD2i/x0HJ9tgPTtbN:s1vqjdC8PDeHN8+k2iKpmR
Malware Config
Signatures
Darkcomet family

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation
  Process: d1a81adcb2b654ac92172655905d21f3_JaffaCakes118.exe
Executes dropped EXE (1 IoC)
  PID 3516: uncrypted.exe

AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
  YARA rule autoit_exe matched behavioral2/memory/4756-0-0x0000000000400000-0x00000000004D3000-memory.dmp (memory of PID 4756, the submitted sample)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (d1a81adcb2b654ac92172655905d21f3_JaffaCakes118.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (uncrypted.exe)
Suspicious use of AdjustPrivilegeToken (24 IoCs)
All 24 privileges were adjusted by PID 3516 (uncrypted.exe):
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
The four numeric entries are privilege LUIDs the sandbox did not resolve to names; in winnt.h they are SE_INCREASE_WORKING_SET_PRIVILEGE (33), SE_TIME_ZONE_PRIVILEGE (34), SE_CREATE_SYMBOLIC_LINK_PRIVILEGE (35) and SE_DELEGATE_SESSION_USER_IMPERSONATE_PRIVILEGE (36). Taken together, the list matches the 24 privileges present on a default elevated administrator token on Windows 10, enabled in one pass, rather than a targeted request for SeDebugPrivilege alone.
Suspicious use of SetWindowsHookEx (1 IoC)
  PID 3516: uncrypted.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Each row is one hooked WriteProcessMemory call; duplicate rows are collapsed here with their count, and procid_target is the sandbox's identifier for the target process.
  PID 4756 wrote to memory of 3516  (d1a81adcb2b654ac92172655905d21f3_JaffaCakes118.exe -> uncrypted.exe, procid_target 82)  x3
  PID 3516 wrote to memory of 3460  (uncrypted.exe -> iexplore.exe, procid_target 84)  x3
  PID 3516 wrote to memory of 3980  (uncrypted.exe -> explorer.exe, procid_target 85)  x2
In all three cases the target is a process the writer itself spawned (see the process tree below), not a pre-existing process.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\d1a81adcb2b654ac92172655905d21f3_JaffaCakes118.exe  PID 4756
    cmdline: "C:\Users\Admin\AppData\Local\Temp\d1a81adcb2b654ac92172655905d21f3_JaffaCakes118.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\uncrypted.exe  PID 3516  (child of 4756)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\uncrypted.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] C:\Program Files (x86)\Internet Explorer\iexplore.exe  PID 3460  (child of 3516)
        cmdline: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    [3] C:\Windows\explorer.exe  PID 3980  (child of 3516)
        cmdline: "C:\Windows\explorer.exe"
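The report presents the memory writes and the process tree as separate flat lists, so the relationship between them (every write lands in a process the writer had just created, and two of those are copies of trusted binaries started from Program Files and Windows) has to be read off by hand. The following script is an added example written for this page, not tooling from the sandbox vendor: it parses the report's own WriteProcessMemory rows and process tree (copied above as constructed input), collapses the repeated rows, labels each writer-to-target edge by whether the target is the writer's own child, itself, or an unrelated process, and picks out the dropped-EXE-in-Temp pattern. The row layout it assumes is "PID <src> wrote to memory of <dst> <src> <image> <procid_target>", one row per hooked call.

```python
"""Turn flattened sandbox rows into a structured injection graph.

Added example for this page (not the sandbox's code). Both inputs below are
constructed by copying this report's "Suspicious use of WriteProcessMemory"
rows and its process tree.
"""
import re
from collections import Counter

# Constructed input: the eight WriteProcessMemory rows from this report.
WPM_ROWS = (
    "PID 4756 wrote to memory of 3516 4756 d1a81adcb2b654ac92172655905d21f3_JaffaCakes118.exe 82 "
    "PID 4756 wrote to memory of 3516 4756 d1a81adcb2b654ac92172655905d21f3_JaffaCakes118.exe 82 "
    "PID 4756 wrote to memory of 3516 4756 d1a81adcb2b654ac92172655905d21f3_JaffaCakes118.exe 82 "
    "PID 3516 wrote to memory of 3460 3516 uncrypted.exe 84 "
    "PID 3516 wrote to memory of 3460 3516 uncrypted.exe 84 "
    "PID 3516 wrote to memory of 3460 3516 uncrypted.exe 84 "
    "PID 3516 wrote to memory of 3980 3516 uncrypted.exe 85 "
    "PID 3516 wrote to memory of 3980 3516 uncrypted.exe 85"
)

# Constructed input: the report's process tree as (pid, parent pid, image path).
PROCESSES = [
    (4756, None, r"C:\Users\Admin\AppData\Local\Temp\d1a81adcb2b654ac92172655905d21f3_JaffaCakes118.exe"),
    (3516, 4756, r"C:\Users\Admin\AppData\Local\Temp\uncrypted.exe"),
    (3460, 3516, r"C:\Program Files (x86)\Internet Explorer\iexplore.exe"),
    (3980, 3516, r"C:\Windows\explorer.exe"),
]

# The writer PID appears twice per row; the backreference \1 enforces that.
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")

TEMP_DIR = "\\appdata\\local\\temp\\"


def parse_wpm(rows):
    """Collapse repeated rows into a Counter of (src_pid, dst_pid, src_image) -> call count."""
    return Counter((int(src), int(dst), img) for src, dst, img, _ in WPM_RE.findall(rows))


def classify_writes(writes, processes):
    """Label each writer->target edge by how the target relates to the writer.

    'child'   target was spawned by the writer (the pattern in this report:
              create a process, then write into it before it runs its own code)
    'self'    writer and target are the same process
    'foreign' target already existed and was not created by the writer
    """
    parent = {pid: ppid for pid, ppid, _ in processes}
    image = {pid: path.rsplit("\\", 1)[-1] for pid, _, path in processes}
    edges = []
    for (src, dst, _), calls in sorted(writes.items()):
        if src == dst:
            relation = "self"
        elif parent.get(dst) == src:
            relation = "child"
        else:
            relation = "foreign"
        edges.append({
            "src": src, "src_image": image.get(src),
            "dst": dst, "dst_image": image.get(dst),
            "calls": calls, "relation": relation,
        })
    return edges


def dropped_exe_in_temp(processes):
    """PIDs running from a user Temp directory that were started by another Temp binary."""
    path = {pid: p.lower() for pid, _, p in processes}
    return [
        pid for pid, ppid, p in processes
        if ppid is not None and TEMP_DIR in p.lower() and TEMP_DIR in path.get(ppid, "")
    ]


def summarize(rows=WPM_ROWS, processes=PROCESSES):
    """One dict a triage script can act on or store next to the sample hash."""
    edges = classify_writes(parse_wpm(rows), processes)
    path = {pid: p.lower() for pid, _, p in processes}
    # Children created from a non-Temp (system / Program Files) binary and then
    # written into: the processes whose memory a responder should dump and
    # compare against the on-disk image.
    trusted_targets = sorted({
        e["dst_image"] for e in edges
        if e["relation"] == "child" and TEMP_DIR not in path[e["dst"]]
    })
    return {
        "injection_edges": edges,
        "trusted_binary_targets": trusted_targets,
        "dropped_exe_pids": dropped_exe_in_temp(processes),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(), indent=2))
```

Run against this report the script yields three edges, all labelled "child", with iexplore.exe and explorer.exe as the trusted-binary targets and PID 3516 as the dropped executable; a write into a PID absent from the tree (or one with a different parent) is labelled "foreign", which is the case that would point at injection into an already-running process instead.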
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 646KB
MD5: 0ce429b1566b4e5c48f0e0d9e4b71a1c
SHA1: 4cb2de408e2f69a2b5d7a0e81c8d8521fb467f77
SHA256: 6444cd8cf8308ae4b6031e19488ed7be3ded8fc70d6c175325cc27fb4d1607ea
SHA512: e32766c30e681f7ea9b1a11fd620b82ecaa3a4c5baae94d4468778081218bfac397a2336aec8b8780ed86eb0cc3fc925dfdef6fddc59a9b36d865aead1369ff5

Filesize: 646KB
MD5: 023ee2c291f4576c070c573532f54bd2
SHA1: 01302bba9bda611af668412d5ff26db6808f16fc
SHA256: 607c9ac33e7e133a579c5ebfbad8f70ca5c7a51bbf1dda318873f4731e016afb
SHA512: 4124798f529f2a2aa0c14fe144e905bda55e8cf12137a3eeb1109acd29c7cb11c64dc9a6bfe212480dfef9fd041e1e701e5af03de92ac82a140f44278d47e4c7