Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 08-12-2024 02:10
Static task: static1
Behavioral task: behavioral1
Sample: d4bee2f5a634f3b857869f6f64ee0ad7_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: d4bee2f5a634f3b857869f6f64ee0ad7_JaffaCakes118.exe
Size: 403KB
MD5: d4bee2f5a634f3b857869f6f64ee0ad7
SHA1: 2d4cda955bc6bbba8809603cb77b67f8f52f240d
SHA256: b97ecb6f21b036150b573f4fb698203f466830476e861b78ebdfc3783237eed5
SHA512: 3348620d03d5d84c27c0df3fbbe0f7e9f273430b1cfff5141116fcaef94e33b40ff26f22421cb9172ca69d4a87d913be62b1057f5ba3712709ac51f991a49c61
SSDEEP: 12288:ybxmzF9k0IZvQu85iGFoVs4ts/IHPCY35hh:ye3Lt5J2Xts/GqY3l
Malware Config
Signatures
Darkcomet family
Checks BIOS information in registry (2 TTPs, 1 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | prueva1.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | d4bee2f5a634f3b857869f6f64ee0ad7_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | BFile1.exe
Executes dropped EXE (2 IoCs)
pid | Process
2916 | BFile1.exe
3464 | prueva1.exe
resource | yara_rule
behavioral2/files/0x0007000000023cd9-25.dat | upx
behavioral2/memory/3464-30-0x0000000000400000-0x00000000004C5000-memory.dmp | upx
behavioral2/memory/3464-31-0x0000000000400000-0x00000000004C5000-memory.dmp | upx
behavioral2/memory/3464-32-0x0000000000400000-0x00000000004C5000-memory.dmp | upx
behavioral2/memory/3464-33-0x0000000000400000-0x00000000004C5000-memory.dmp | upx
behavioral2/memory/3464-34-0x0000000000400000-0x00000000004C5000-memory.dmp | upx
behavioral2/memory/3464-35-0x0000000000400000-0x00000000004C5000-memory.dmp | upx
behavioral2/memory/3464-36-0x0000000000400000-0x00000000004C5000-memory.dmp | upx
behavioral2/memory/3464-37-0x0000000000400000-0x00000000004C5000-memory.dmp | upx
behavioral2/memory/3464-38-0x0000000000400000-0x00000000004C5000-memory.dmp | upx
behavioral2/memory/3464-39-0x0000000000400000-0x00000000004C5000-memory.dmp | upx
behavioral2/memory/3464-40-0x0000000000400000-0x00000000004C5000-memory.dmp | upx
behavioral2/memory/3464-41-0x0000000000400000-0x00000000004C5000-memory.dmp | upx
behavioral2/memory/3464-42-0x0000000000400000-0x00000000004C5000-memory.dmp | upx
behavioral2/memory/3464-43-0x0000000000400000-0x00000000004C5000-memory.dmp | upx
behavioral2/memory/3464-44-0x0000000000400000-0x00000000004C5000-memory.dmp | upx
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | BFile1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | prueva1.exe
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | prueva1.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | prueva1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | prueva1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | prueva1.exe
Enumerates system info in registry (2 TTPs, 1 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | prueva1.exe
Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | rundll32.exe
Suspicious use of AdjustPrivilegeToken (24 IoCs)
description | pid | Process
Token: SeIncreaseQuotaPrivilege | 3464 | prueva1.exe
Token: SeSecurityPrivilege | 3464 | prueva1.exe
Token: SeTakeOwnershipPrivilege | 3464 | prueva1.exe
Token: SeLoadDriverPrivilege | 3464 | prueva1.exe
Token: SeSystemProfilePrivilege | 3464 | prueva1.exe
Token: SeSystemtimePrivilege | 3464 | prueva1.exe
Token: SeProfSingleProcessPrivilege | 3464 | prueva1.exe
Token: SeIncBasePriorityPrivilege | 3464 | prueva1.exe
Token: SeCreatePagefilePrivilege | 3464 | prueva1.exe
Token: SeBackupPrivilege | 3464 | prueva1.exe
Token: SeRestorePrivilege | 3464 | prueva1.exe
Token: SeShutdownPrivilege | 3464 | prueva1.exe
Token: SeDebugPrivilege | 3464 | prueva1.exe
Token: SeSystemEnvironmentPrivilege | 3464 | prueva1.exe
Token: SeChangeNotifyPrivilege | 3464 | prueva1.exe
Token: SeRemoteShutdownPrivilege | 3464 | prueva1.exe
Token: SeUndockPrivilege | 3464 | prueva1.exe
Token: SeManageVolumePrivilege | 3464 | prueva1.exe
Token: SeImpersonatePrivilege | 3464 | prueva1.exe
Token: SeCreateGlobalPrivilege | 3464 | prueva1.exe
Token: 33 | 3464 | prueva1.exe
Token: 34 | 3464 | prueva1.exe
Token: 35 | 3464 | prueva1.exe
Token: 36 | 3464 | prueva1.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
2916 | BFile1.exe
3464 | prueva1.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 3108 wrote to memory of 2916 | 3108 | d4bee2f5a634f3b857869f6f64ee0ad7_JaffaCakes118.exe | 83
PID 3108 wrote to memory of 2916 | 3108 | d4bee2f5a634f3b857869f6f64ee0ad7_JaffaCakes118.exe | 83
PID 3108 wrote to memory of 2916 | 3108 | d4bee2f5a634f3b857869f6f64ee0ad7_JaffaCakes118.exe | 83
PID 2916 wrote to memory of 3464 | 2916 | BFile1.exe | 85
PID 2916 wrote to memory of 3464 | 2916 | BFile1.exe | 85
PID 2916 wrote to memory of 3464 | 2916 | BFile1.exe | 85
Processes
C:\Users\Admin\AppData\Local\Temp\d4bee2f5a634f3b857869f6f64ee0ad7_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d4bee2f5a634f3b857869f6f64ee0ad7_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3108
  C:\Users\Admin\AppData\Local\Temp\BFile1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\BFile1.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2916
    C:\Users\Admin\AppData\Local\Temp\prueva1.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\prueva1.exe"
      - Checks BIOS information in registry
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      PID:3464
C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowWarningDialog "C:\Users\Admin\AppData\Local\Temp\BFile1.exe"
  - Modifies registry class
  PID:3328
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 334KB
MD5: 949f418dd76c7f5c98d0c209dd6a964d
SHA1: 556d8be36ee0d57e1cac38b9e23cc8a562675d56
SHA256: efc98996f752ca92540fba166b9c48a6498d8eeb9016cd4ff50bb20d45e0d113
SHA512: 91e546db852267a63111fc4eadb624d3f846c9130391283669a5f2d274f4a951d6c63cbe33c4ccc0b5677700fba6167fe9896edf1735522f2418f6c5ae8a2efa

Filesize: 269KB
MD5: 937d67e8fd1bddbba5a0f6689aaf0f39
SHA1: 1f27be2496ea27dd85013425cfd0999fef2e990e
SHA256: f2946902dd17302bc30e764793c9f03b3157461f03501b16587a99d29589da4d
SHA512: d88677bb6bd7521487a41b10a9bbf44324a43cd75a89f336235583a5391fdf53d175ff944776a1cc0241b0f74bbf5bcb1acb51706e52dac9d635ef61fb5b2d3a