Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-12-2024 10:26
- Static task: static1
- Behavioral task: behavioral1
- Sample: d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118.exe
- Resource: win7-20240903-en
General
- Target: d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118.exe
- Size: 1.1MB
- MD5: d1f834a0abe1adad23eb99e9d877e8f6
- SHA1: 06047d238c3e5ca4a56a776e03148b4aba5ec842
- SHA256: 1f665d378d61b7030eca36e761d508c5e98197d54c4b4501ea975a6682b134b2
- SHA512: 8d2c9ad9ebf47c75d6b72e95875d00428ca5476ec74dbd536a2d67af1b7ac2ec83f60cc08dbe1f8f59d2e6326b26f227c732321e744a9b666ec67fa0640e4ac5
- SSDEEP: 12288:Na6snd3as6YqYN3/Ry/NdMvQH5M8bKUA0i3PFbxNrOwcxDdArCbnIc4N/HbkGgL/:NviYDCNN5eDdArCjm0P48HZyNwcphW
Malware Config
Extracted
- Family: darkcomet
- Botnet: Crypted
- C2: jesusmanwoohoo.no-ip.org:1604
- Mutex: DC_MUTEX-EW8ANM5
- gencode: SDj8iuYh55Bf
- install: false
- offline_keylogger: true
- persistence: false
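The fields above are what a config extractor recovers from the DarkComet stub. The script below is an added illustration of how that recovery works; it is not the sandbox's extractor and not code from the report. It assumes the widely documented DarkComet 5.x layout: the config lives in a PE resource named DCDATA as upper-case hex of RC4 ciphertext, the RC4 key is a version string such as "#KCMDDC51#-890", and the plaintext is one KEY={value} line per setting (NETDATA = host:port, MUTEX, GENCODE, SID = botnet/campaign ID, INSTALL / PERSINST / OFFLINEK = 0/1 flags). The header lines and the sample blob are constructed here from the report's values so the script runs offline; verify the key list and field names against the resource of the real sample before relying on them.

```python
"""Decode a DarkComet-style DCDATA configuration blob (added example)."""
import binascii
import re

# RC4 keys used by DarkComet builds (assumption: documented for 2.x-5.1; order is arbitrary).
KNOWN_KEYS = [
    b"#KCMDDC2#-890", b"#KCMDDC4#-890", b"#KCMDDC42#-890",
    b"#KCMDDC42F#-890", b"#KCMDDC5#-890", b"#KCMDDC51#-890",
]
FIELD_RE = re.compile(r"^([A-Z0-9_]+)=\{(.*)\}$")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_config(text: str) -> dict:
    """Turn KEY={value} lines into a dict; header/footer lines are ignored."""
    cfg = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def decode_dcdata(hex_blob: str, keys=KNOWN_KEYS):
    """Try each known key; accept the first plaintext that looks like a config."""
    raw = binascii.unhexlify(hex_blob.strip())
    for key in keys:
        pt = rc4(key, raw)
        try:
            text = pt.decode("ascii")
        except UnicodeDecodeError:
            continue  # wrong key: output is pseudo-random bytes
        if "MUTEX=" in text or "NETDATA=" in text:
            return key.decode(), parse_config(text)
    raise ValueError("no known DarkComet key decrypted this blob")


def to_iocs(cfg: dict) -> dict:
    """Map raw config fields to the hunting indicators the report lists."""
    host, _, port = cfg.get("NETDATA", "").partition(":")
    return {
        "c2_host": host,
        "c2_port": int(port) if port.isdigit() else None,
        "mutex": cfg.get("MUTEX"),
        "botnet": cfg.get("SID"),
        "gencode": cfg.get("GENCODE"),
        "install": cfg.get("INSTALL") == "1",
        "persistence": cfg.get("PERSINST") == "1",
        "offline_keylogger": cfg.get("OFFLINEK") == "1",
    }


# Constructed sample: the report's values wrapped in the assumed DarkComet layout,
# encrypted with the 5.1 key and hex-encoded the way the DCDATA resource is stored.
SAMPLE_PLAINTEXT = "\r\n".join([
    "#BEGIN DARKCOMET DATA --",
    "MUTEX={DC_MUTEX-EW8ANM5}",
    "SID={Crypted}",
    "NETDATA={jesusmanwoohoo.no-ip.org:1604}",
    "GENCODE={SDj8iuYh55Bf}",
    "INSTALL={0}",
    "PERSINST={0}",
    "OFFLINEK={1}",
    "#EOF DARKCOMET DATA --",
])
SAMPLE_DCDATA = binascii.hexlify(
    rc4(b"#KCMDDC51#-890", SAMPLE_PLAINTEXT.encode("ascii"))
).decode().upper()

if __name__ == "__main__":
    key, cfg = decode_dcdata(SAMPLE_DCDATA)
    print("key:", key)
    for k, v in to_iocs(cfg).items():
        print(f"{k:>18}: {v}")
```

On a real sample, replace SAMPLE_DCDATA with the bytes of the DCDATA resource (a PE parser such as pefile can pull it); the mutex and C2 host:port recovered this way are the values to hunt for on other hosts.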
Signatures
- Darkcomet family
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation by d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118.exe (2 entries)
- Executes dropped EXE (2 IoCs)
  - PID 2224 MTvEmAGhp.exe
  - PID 3596 MTvEmAGhp.exe
- Uses the VBS compiler for execution (1 TTPs)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  - Set value (str): \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\Microphonehelper.exe" by MTvEmAGhp.exe (2 entries)
- Suspicious use of SetThreadContext (2 IoCs)
  - PID 3292 d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118.exe set thread context of PID 4148 (procid_target 85)
  - PID 2296 d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118.exe set thread context of PID 3960 (procid_target 88)
  Both targets are the freshly spawned vbc.exe children shown in the process tree; paired with the WriteProcessMemory entries below, this is the sequence of writing a payload into a suspended child and redirecting its thread (process hollowing).
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118.exe (2), vbc.exe (2), MTvEmAGhp.exe (2)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  - All 64 entries come from PID 3292 and PID 2296, both instances of d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (50 IoCs)
  - PID 3292 d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118.exe: SeDebugPrivilege
  - PID 4148 vbc.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  - PID 2296 d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118.exe: SeDebugPrivilege
  - PID 3960 vbc.exe: the same 24 privileges as PID 4148
- Suspicious use of SetWindowsHookEx (1 IoCs)
  - PID 4148 vbc.exe
- Suspicious use of WriteProcessMemory (37 IoCs)
  - PID 3292 d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118.exe wrote to memory of PID 4148 (procid_target 85): 14 entries
  - PID 3292 d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118.exe wrote to memory of PID 2224 (procid_target 86): 3 entries
  - PID 3292 d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118.exe wrote to memory of PID 2296 (procid_target 87): 3 entries
  - PID 2296 d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118.exe wrote to memory of PID 3960 (procid_target 88): 14 entries
  - PID 2296 d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118.exe wrote to memory of PID 3596 (procid_target 89): 3 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118.exe (PID 3292)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 4148)
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Roaming\MTvEmAGhp.exe (PID 2224)
    Command line: "C:\Users\Admin\AppData\Roaming\MTvEmAGhp.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118.exe (PID 2296)
    Command line: "C:\Users\Admin\AppData\Local\Temp\d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118.exe"
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 3960)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Roaming\MTvEmAGhp.exe (PID 3596)
      Command line: "C:\Users\Admin\AppData\Roaming\MTvEmAGhp.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
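The process tree and the registry IoCs together give three detectable behaviours: a .NET compiler (vbc.exe) spawned from a user-writable directory with its bare path as the whole command line (a hollowing target, never a real compile), a Run value whose name ("Java") has nothing to do with the binary it launches from AppData\Roaming, and a dynamic-DNS C2 host. The following detection logic is an added example, not part of the report and not the sandbox's own rule engine. The events are constructed to mirror the tree above using Sysmon field names (EventID 1: Image, CommandLine, ParentImage; EventID 13: TargetObject, Details; EventID 22: QueryName); the dynamic-DNS suffix list and the hollowing-target list are illustrative assumptions, and a benign vbc.exe compile is included as a control.

```python
"""Correlate hollowing, Run-key persistence and dynamic-DNS C2 over Sysmon-style events (added example)."""
import re

SAMPLE = "d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
ROAMING = r"C:\Users\Admin\AppData\Roaming"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
SID = "S-1-5-21-493223053-2004649691-1575712786-1000"


def p(*parts):
    return "\\".join(parts)


# Constructed events mirroring the report's process tree; not real telemetry.
EVENTS = [
    {"EventID": 1, "ProcessId": 3292, "Image": p(TEMP, SAMPLE),
     "CommandLine": '"' + p(TEMP, SAMPLE) + '"', "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 4148, "Image": VBC, "CommandLine": VBC,
     "ParentImage": p(TEMP, SAMPLE)},
    {"EventID": 1, "ProcessId": 2224, "Image": p(ROAMING, "MTvEmAGhp.exe"),
     "CommandLine": '"' + p(ROAMING, "MTvEmAGhp.exe") + '"', "ParentImage": p(TEMP, SAMPLE)},
    {"EventID": 1, "ProcessId": 2296, "Image": p(TEMP, SAMPLE),
     "CommandLine": '"' + p(TEMP, SAMPLE) + '"', "ParentImage": p(TEMP, SAMPLE)},
    {"EventID": 13, "ProcessId": 2224, "Image": p(ROAMING, "MTvEmAGhp.exe"),
     "TargetObject": p("HKU", SID, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java"),
     "Details": p(ROAMING, "Microphonehelper.exe")},
    {"EventID": 22, "ProcessId": 4148, "Image": VBC, "QueryName": "jesusmanwoohoo.no-ip.org"},
    # Benign control: a genuine compile carries arguments and a system parent.
    {"EventID": 1, "ProcessId": 5000, "Image": VBC,
     "CommandLine": VBC + ' /noconfig @"' + p(TEMP, "xyz.cmdline") + '"',
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe"},
]

USER_WRITABLE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.I)
# .NET build tools commonly used as hollowing hosts (assumed list for illustration).
HOLLOW_TARGETS = {"vbc.exe", "csc.exe", "regasm.exe", "regsvcs.exe",
                  "msbuild.exe", "installutil.exe", "aspnet_compiler.exe"}
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\([^\\]+)$", re.I)
DYNDNS_SUFFIXES = (".no-ip.org", ".no-ip.biz", ".ddns.net", ".duckdns.org", ".hopto.org")


def basename(path: str) -> str:
    return path.replace('"', "").rsplit("\\", 1)[-1].lower()


def hit(rule, pid, detail):
    return {"rule": rule, "pid": pid, "detail": detail}


def detect(events):
    hits = []
    for e in events:
        eid, pid = e["EventID"], e["ProcessId"]
        if eid == 1:
            image, parent = e["Image"], e["ParentImage"]
            cmd = e.get("CommandLine", "").strip().strip('"')
            # Hollowing target: build tool launched by a user-dir binary with no arguments at all.
            if (basename(image) in HOLLOW_TARGETS and USER_WRITABLE.search(parent)
                    and cmd.lower() == image.lower()):
                hits.append(hit("hollowing_target", pid,
                                f"{basename(image)} spawned by {parent} with no arguments"))
            # The sample re-launching itself from Temp (PID 3292 -> 2296 in the tree).
            if image.lower() == parent.lower() and USER_WRITABLE.search(image):
                hits.append(hit("self_reexec_from_user_dir", pid, image))
        elif eid == 13:
            m = RUN_KEY.search(e["TargetObject"])
            if m and USER_WRITABLE.search(e.get("Details", "")):
                value_name, target = m.group(2), basename(e["Details"])
                note = "" if value_name.lower() in target else \
                    f" (value name '{value_name}' does not match binary {target})"
                hits.append(hit("run_key_to_user_dir", pid, e["Details"] + note))
        elif eid == 22:
            q = e["QueryName"].lower()
            if q.endswith(DYNDNS_SUFFIXES):
                hits.append(hit("dyndns_query", pid, q))
    return hits


def chain_verdict(hits) -> str:
    """Injection + persistence + dynamic-DNS resolution together is the RAT pattern."""
    rules = {h["rule"] for h in hits}
    if {"hollowing_target", "run_key_to_user_dir", "dyndns_query"} <= rules:
        return "high"
    if len(rules) >= 2:
        return "medium"
    return "low" if rules else "none"


if __name__ == "__main__":
    found = detect(EVENTS)
    for h in found:
        print(f"[{h['rule']}] pid {h['pid']}: {h['detail']}")
    print("verdict:", chain_verdict(found))
```

The argument-less check is what separates the two vbc.exe launches in the tree from a real compile: the compiler is never useful without source or response files, so a bare path as the complete command line is a strong signal on its own, and the mismatched Run value name ("Java" starting Microphonehelper.exe) is the second one worth alerting on independently of the DarkComet family match.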
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 20B
  MD5: b3ac9d09e3a47d5fd00c37e075a70ecb
  SHA1: ad14e6d0e07b00bd10d77a06d68841b20675680b
  SHA256: 7a23c6e7ccd8811ecdf038d3a89d5c7d68ed37324bae2d4954125d9128fa9432
  SHA512: 09b609ee1061205aa45b3c954efc6c1a03c8fd6b3011ff88cf2c060e19b1d7fd51ee0cb9d02a39310125f3a66aa0146261bdee3d804f472034df711bc942e316
- Filesize: 4KB
  MD5: 5f9464c4385ac08f48cd0263278dbe0d
  SHA1: 36201364ddc828fb2127495ff7702e3fc5dbad66
  SHA256: 958cdfbb0798de864a34c2c312fec94cc96524cda33695e459ee6d1f6cc14b13
  SHA512: 26bb4a0e9cc4411f39ab1137dc61ea7e8b125d2234e7a355f7195812d63048d0bd785a5a85601521d24e6cd35519acda9645960307359be56da9f1ad19673667