Analysis

max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-12-2024 03:38
Behavioral task: behavioral1
Sample: d50fa5e455466529f262a46e8e63bf0c_JaffaCakes118.exe
Resource: win7-20241023-en
General

Target: d50fa5e455466529f262a46e8e63bf0c_JaffaCakes118.exe
Size: 488KB
MD5: d50fa5e455466529f262a46e8e63bf0c
SHA1: 67504bf04196d84668e083509b10dea14dff425c
SHA256: 98b49dda6a6fcdfa0bfd1557bff2fce72107aa383a84498ec474cba7b3b1b97d
SHA512: dbc6f3c0e459e2f1a07dc1b3c353af1ccc559a85cb7da5fd49296674bcb392561c093fb40622d2eedeedc1f80fcf7e55ade82efd536cf408e39cb594ff8c081d
SSDEEP: 12288:oXLEMeIDb8lvvKb8LmPgNJo64LaWK4/RI93E9KWLHOIoS:MEMPDAvdLPNt4LVF/i93E9KiH
Malware Config
Signatures
Darkcomet family

Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate (process: conhost.exe)

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
- Key value queried: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation (process: d50fa5e455466529f262a46e8e63bf0c_JaffaCakes118.exe)

Executes dropped EXE (2 IoCs)
- PID 1764: conhost.exe
- PID 996: conhost.exe

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Console Window Host = "C:\\Users\\Admin\\AppData\\Roaming\\Console Window Host\\conhost.exe" (process: reg.exe)

Suspicious use of SetThreadContext (1 IoC)
- PID 1764 set thread context of 996 (pid 1764, process: conhost.exe, procid_target 102)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: reg.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: conhost.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: conhost.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: d50fa5e455466529f262a46e8e63bf0c_JaffaCakes118.exe)

Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: conhost.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: conhost.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (process: conhost.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (process: conhost.exe)

Enumerates system info in registry (2 TTPs, 1 IoC)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier (process: conhost.exe)

Suspicious use of AdjustPrivilegeToken (24 IoCs)
All entries by PID 996 (conhost.exe):
- Token: SeIncreaseQuotaPrivilege
- Token: SeSecurityPrivilege
- Token: SeTakeOwnershipPrivilege
- Token: SeLoadDriverPrivilege
- Token: SeSystemProfilePrivilege
- Token: SeSystemtimePrivilege
- Token: SeProfSingleProcessPrivilege
- Token: SeIncBasePriorityPrivilege
- Token: SeCreatePagefilePrivilege
- Token: SeBackupPrivilege
- Token: SeRestorePrivilege
- Token: SeShutdownPrivilege
- Token: SeDebugPrivilege
- Token: SeSystemEnvironmentPrivilege
- Token: SeChangeNotifyPrivilege
- Token: SeRemoteShutdownPrivilege
- Token: SeUndockPrivilege
- Token: SeManageVolumePrivilege
- Token: SeImpersonatePrivilege
- Token: SeCreateGlobalPrivilege
- Token: 33
- Token: 34
- Token: 35
- Token: 36

Suspicious use of SetWindowsHookEx (3 IoCs)
- PID 536: d50fa5e455466529f262a46e8e63bf0c_JaffaCakes118.exe
- PID 1764: conhost.exe
- PID 996: conhost.exe

Suspicious use of WriteProcessMemory (17 IoCs)
- PID 536 wrote to memory of 1576 (pid 536, process: d50fa5e455466529f262a46e8e63bf0c_JaffaCakes118.exe, procid_target 85)
- PID 536 wrote to memory of 1576 (pid 536, process: d50fa5e455466529f262a46e8e63bf0c_JaffaCakes118.exe, procid_target 85)
- PID 536 wrote to memory of 1576 (pid 536, process: d50fa5e455466529f262a46e8e63bf0c_JaffaCakes118.exe, procid_target 85)
- PID 1576 wrote to memory of 4420 (pid 1576, process: cmd.exe, procid_target 88)
- PID 1576 wrote to memory of 4420 (pid 1576, process: cmd.exe, procid_target 88)
- PID 1576 wrote to memory of 4420 (pid 1576, process: cmd.exe, procid_target 88)
- PID 536 wrote to memory of 1764 (pid 536, process: d50fa5e455466529f262a46e8e63bf0c_JaffaCakes118.exe, procid_target 101)
- PID 536 wrote to memory of 1764 (pid 536, process: d50fa5e455466529f262a46e8e63bf0c_JaffaCakes118.exe, procid_target 101)
- PID 536 wrote to memory of 1764 (pid 536, process: d50fa5e455466529f262a46e8e63bf0c_JaffaCakes118.exe, procid_target 101)
- PID 1764 wrote to memory of 996 (pid 1764, process: conhost.exe, procid_target 102)
- PID 1764 wrote to memory of 996 (pid 1764, process: conhost.exe, procid_target 102)
- PID 1764 wrote to memory of 996 (pid 1764, process: conhost.exe, procid_target 102)
- PID 1764 wrote to memory of 996 (pid 1764, process: conhost.exe, procid_target 102)
- PID 1764 wrote to memory of 996 (pid 1764, process: conhost.exe, procid_target 102)
- PID 1764 wrote to memory of 996 (pid 1764, process: conhost.exe, procid_target 102)
- PID 1764 wrote to memory of 996 (pid 1764, process: conhost.exe, procid_target 102)
- PID 1764 wrote to memory of 996 (pid 1764, process: conhost.exe, procid_target 102)
Processes

C:\Users\Admin\AppData\Local\Temp\d50fa5e455466529f262a46e8e63bf0c_JaffaCakes118.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\d50fa5e455466529f262a46e8e63bf0c_JaffaCakes118.exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 536

    C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lekHd.bat" "
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1576

        C:\Windows\SysWOW64\reg.exe (depth 3)
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Console Window Host" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Console Window Host\conhost.exe" /f
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        PID: 4420

    C:\Users\Admin\AppData\Roaming\Console Window Host\conhost.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Console Window Host\conhost.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 1764

        C:\Users\Admin\AppData\Roaming\Console Window Host\conhost.exe (depth 3)
        Command line: False
        - Checks BIOS information in registry
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        PID: 996
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 166B
  MD5: b53c663f58ae7d9528d599eacb48d312
  SHA1: 89cdc6f258de630b8982eeeb2707a1b59558c34f
  SHA256: a3c6a171527e43d5b477dd62819616c77741f8821b8dd89ce0344b3a0610bce9
  SHA512: d2041cfab9bbb0102c00e74538d51f37bc10134109794e7f88f4fc8b53c4934f6dbc40f0ca06f28d42d38502372249acc41b973205f9d000b7527666da8a2cd7

- Filesize: 488KB
  MD5: d50fa5e455466529f262a46e8e63bf0c
  SHA1: 67504bf04196d84668e083509b10dea14dff425c
  SHA256: 98b49dda6a6fcdfa0bfd1557bff2fce72107aa383a84498ec474cba7b3b1b97d
  SHA512: dbc6f3c0e459e2f1a07dc1b3c353af1ccc559a85cb7da5fd49296674bcb392561c093fb40622d2eedeedc1f80fcf7e55ade82efd536cf408e39cb594ff8c081d