Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 08-12-2024 03:38
Behavioral task: behavioral1
Sample: d50fa5e455466529f262a46e8e63bf0c_JaffaCakes118.exe
Resource: win7-20241023-en
General
Target: d50fa5e455466529f262a46e8e63bf0c_JaffaCakes118.exe
Size: 488KB
MD5: d50fa5e455466529f262a46e8e63bf0c
SHA1: 67504bf04196d84668e083509b10dea14dff425c
SHA256: 98b49dda6a6fcdfa0bfd1557bff2fce72107aa383a84498ec474cba7b3b1b97d
SHA512: dbc6f3c0e459e2f1a07dc1b3c353af1ccc559a85cb7da5fd49296674bcb392561c093fb40622d2eedeedc1f80fcf7e55ade82efd536cf408e39cb594ff8c081d
SSDEEP: 12288:oXLEMeIDb8lvvKb8LmPgNJo64LaWK4/RI93E9KWLHOIoS:MEMPDAvdLPNt4LVF/i93E9KiH
Malware Config

Signatures

Darkcomet family
Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
  description         ioc                                                           Process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate  conhost.exe
Executes dropped EXE (2 IoCs)
  pid   Process
  2700  conhost.exe
  1048  conhost.exe
Loads dropped DLL (5 IoCs)
  pid   Process
  2940  d50fa5e455466529f262a46e8e63bf0c_JaffaCakes118.exe
  2940  d50fa5e455466529f262a46e8e63bf0c_JaffaCakes118.exe
  2940  d50fa5e455466529f262a46e8e63bf0c_JaffaCakes118.exe
  2940  d50fa5e455466529f262a46e8e63bf0c_JaffaCakes118.exe
  2940  d50fa5e455466529f262a46e8e63bf0c_JaffaCakes118.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                                                          Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Console Window Host = "C:\\Users\\Admin\\AppData\\Roaming\\Console Window Host\\conhost.exe"  reg.exe
Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process      procid_target
  PID 2700 set thread context of 1048  2700  conhost.exe  35
UPX packed file (yara_rule: upx)
  resource
  behavioral1/memory/2940-0-0x0000000000400000-0x00000000008CE000-memory.dmp
  behavioral1/memory/2940-19-0x0000000000400000-0x00000000008CE000-memory.dmp
  behavioral1/files/0x0004000000004ed7-26.dat
  behavioral1/memory/2700-43-0x0000000000400000-0x00000000008CE000-memory.dmp
  behavioral1/memory/1048-52-0x0000000000400000-0x00000000004B5000-memory.dmp
  behavioral1/memory/1048-54-0x0000000000400000-0x00000000004B5000-memory.dmp
  behavioral1/memory/2700-53-0x0000000000400000-0x00000000008CE000-memory.dmp
  behavioral1/memory/1048-49-0x0000000000400000-0x00000000004B5000-memory.dmp
  behavioral1/memory/2940-48-0x0000000000400000-0x00000000008CE000-memory.dmp
  behavioral1/memory/1048-55-0x0000000000400000-0x00000000004B5000-memory.dmp
  behavioral1/memory/1048-56-0x0000000000400000-0x00000000004B5000-memory.dmp
  behavioral1/memory/1048-57-0x0000000000400000-0x00000000004B5000-memory.dmp
  behavioral1/memory/1048-58-0x0000000000400000-0x00000000004B5000-memory.dmp
  behavioral1/memory/1048-60-0x0000000000400000-0x00000000004B5000-memory.dmp
  behavioral1/memory/1048-61-0x0000000000400000-0x00000000004B5000-memory.dmp
  behavioral1/memory/1048-59-0x0000000000400000-0x00000000004B5000-memory.dmp
  behavioral1/memory/1048-62-0x0000000000400000-0x00000000004B5000-memory.dmp
  behavioral1/memory/1048-63-0x0000000000400000-0x00000000004B5000-memory.dmp
  behavioral1/memory/1048-64-0x0000000000400000-0x00000000004B5000-memory.dmp
  behavioral1/memory/1048-65-0x0000000000400000-0x00000000004B5000-memory.dmp
  behavioral1/memory/1048-66-0x0000000000400000-0x00000000004B5000-memory.dmp
  behavioral1/memory/1048-67-0x0000000000400000-0x00000000004B5000-memory.dmp
  behavioral1/memory/1048-68-0x0000000000400000-0x00000000004B5000-memory.dmp
  behavioral1/memory/1048-69-0x0000000000400000-0x00000000004B5000-memory.dmp
  behavioral1/memory/1048-70-0x0000000000400000-0x00000000004B5000-memory.dmp
  behavioral1/memory/1048-71-0x0000000000400000-0x00000000004B5000-memory.dmp
  behavioral1/memory/1048-72-0x0000000000400000-0x00000000004B5000-memory.dmp
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                        Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  d50fa5e455466529f262a46e8e63bf0c_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  reg.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  conhost.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  conhost.exe
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                 Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  conhost.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier           conhost.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier     conhost.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      conhost.exe
Enumerates system info in registry (2 TTPs, 1 IoC)
  description        ioc                                                   Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  conhost.exe
Suspicious use of AdjustPrivilegeToken (23 IoCs)
  description                             pid   Process
  Token: SeIncreaseQuotaPrivilege         1048  conhost.exe
  Token: SeSecurityPrivilege              1048  conhost.exe
  Token: SeTakeOwnershipPrivilege         1048  conhost.exe
  Token: SeLoadDriverPrivilege            1048  conhost.exe
  Token: SeSystemProfilePrivilege         1048  conhost.exe
  Token: SeSystemtimePrivilege            1048  conhost.exe
  Token: SeProfSingleProcessPrivilege     1048  conhost.exe
  Token: SeIncBasePriorityPrivilege       1048  conhost.exe
  Token: SeCreatePagefilePrivilege        1048  conhost.exe
  Token: SeBackupPrivilege                1048  conhost.exe
  Token: SeRestorePrivilege               1048  conhost.exe
  Token: SeShutdownPrivilege              1048  conhost.exe
  Token: SeDebugPrivilege                 1048  conhost.exe
  Token: SeSystemEnvironmentPrivilege     1048  conhost.exe
  Token: SeChangeNotifyPrivilege          1048  conhost.exe
  Token: SeRemoteShutdownPrivilege        1048  conhost.exe
  Token: SeUndockPrivilege                1048  conhost.exe
  Token: SeManageVolumePrivilege          1048  conhost.exe
  Token: SeImpersonatePrivilege           1048  conhost.exe
  Token: SeCreateGlobalPrivilege          1048  conhost.exe
  Token: 33                               1048  conhost.exe
  Token: 34                               1048  conhost.exe
  Token: 35                               1048  conhost.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
  pid   Process
  2940  d50fa5e455466529f262a46e8e63bf0c_JaffaCakes118.exe
  2700  conhost.exe
  1048  conhost.exe
Suspicious use of WriteProcessMemory (21 IoCs)
  description                      pid   Process                                             procid_target
  PID 2940 wrote to memory of 2632  2940  d50fa5e455466529f262a46e8e63bf0c_JaffaCakes118.exe  30
  PID 2940 wrote to memory of 2632  2940  d50fa5e455466529f262a46e8e63bf0c_JaffaCakes118.exe  30
  PID 2940 wrote to memory of 2632  2940  d50fa5e455466529f262a46e8e63bf0c_JaffaCakes118.exe  30
  PID 2940 wrote to memory of 2632  2940  d50fa5e455466529f262a46e8e63bf0c_JaffaCakes118.exe  30
  PID 2632 wrote to memory of 3024  2632  cmd.exe                                             32
  PID 2632 wrote to memory of 3024  2632  cmd.exe                                             32
  PID 2632 wrote to memory of 3024  2632  cmd.exe                                             32
  PID 2632 wrote to memory of 3024  2632  cmd.exe                                             32
  PID 2940 wrote to memory of 2700  2940  d50fa5e455466529f262a46e8e63bf0c_JaffaCakes118.exe  34
  PID 2940 wrote to memory of 2700  2940  d50fa5e455466529f262a46e8e63bf0c_JaffaCakes118.exe  34
  PID 2940 wrote to memory of 2700  2940  d50fa5e455466529f262a46e8e63bf0c_JaffaCakes118.exe  34
  PID 2940 wrote to memory of 2700  2940  d50fa5e455466529f262a46e8e63bf0c_JaffaCakes118.exe  34
  PID 2700 wrote to memory of 1048  2700  conhost.exe                                         35
  PID 2700 wrote to memory of 1048  2700  conhost.exe                                         35
  PID 2700 wrote to memory of 1048  2700  conhost.exe                                         35
  PID 2700 wrote to memory of 1048  2700  conhost.exe                                         35
  PID 2700 wrote to memory of 1048  2700  conhost.exe                                         35
  PID 2700 wrote to memory of 1048  2700  conhost.exe                                         35
  PID 2700 wrote to memory of 1048  2700  conhost.exe                                         35
  PID 2700 wrote to memory of 1048  2700  conhost.exe                                         35
  PID 2700 wrote to memory of 1048  2700  conhost.exe                                         35
Processes

C:\Users\Admin\AppData\Local\Temp\d50fa5e455466529f262a46e8e63bf0c_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\d50fa5e455466529f262a46e8e63bf0c_JaffaCakes118.exe"
  level 1, PID 2940
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\BRiAQ.bat" "
    level 2, PID 2632
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\reg.exe
      command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Console Window Host" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Console Window Host\conhost.exe" /f
      level 3, PID 3024
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery

  C:\Users\Admin\AppData\Roaming\Console Window Host\conhost.exe
    command line: "C:\Users\Admin\AppData\Roaming\Console Window Host\conhost.exe"
    level 2, PID 2700
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Console Window Host\conhost.exe
      command line: False
      level 3, PID 1048
      - Checks BIOS information in registry
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 166B
MD5: b53c663f58ae7d9528d599eacb48d312
SHA1: 89cdc6f258de630b8982eeeb2707a1b59558c34f
SHA256: a3c6a171527e43d5b477dd62819616c77741f8821b8dd89ce0344b3a0610bce9
SHA512: d2041cfab9bbb0102c00e74538d51f37bc10134109794e7f88f4fc8b53c4934f6dbc40f0ca06f28d42d38502372249acc41b973205f9d000b7527666da8a2cd7

Filesize: 488KB
MD5: d50fa5e455466529f262a46e8e63bf0c
SHA1: 67504bf04196d84668e083509b10dea14dff425c
SHA256: 98b49dda6a6fcdfa0bfd1557bff2fce72107aa383a84498ec474cba7b3b1b97d
SHA512: dbc6f3c0e459e2f1a07dc1b3c353af1ccc559a85cb7da5fd49296674bcb392561c093fb40622d2eedeedc1f80fcf7e55ade82efd536cf408e39cb594ff8c081d