Analysis
-
max time kernel
91s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
08-12-2024 13:26
Static task
static1
Behavioral task
behavioral1
Sample
d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe
-
Size
1.2MB
-
MD5
d7456007a18e3ef753d878fd4b609738
-
SHA1
81943936080b6eee006281d7bb00a4ba071758ba
-
SHA256
32bf0fadc0f91e74293232f370828869df6ba1c1ce27473874eb67451bddd696
-
SHA512
d8ba24c51e57ce0cc8dadd97beb9c3edbd0cc001ace33a46b43992bd63c688f92bdb7c553c5b2b70ee647874cfc2bded0ea75649eb4d324f980f8dd589dd8666
-
SSDEEP
24576:Rg8fQRCIOE7SUI0Pz1Xd8wENGS7H/GTf3tj4aZBbIUpbT:+yQRLOQ7p5Xd8weJ/Ulj4aZFIUpv
Malware Config
Signatures
-
Darkcomet family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt32\\windowsxupdate.exe" d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" windowsxupdate.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" windowsxupdate.exe -
Blocks application from running via registry modification 2 IoCs
Adds application to list of disallowed applications.
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" windowsxupdate.exe Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" windowsxupdate.exe -
Drops file in Drivers directory 2 IoCs
description ioc Process File opened for modification C:\Windows\system32\drivers\etc\hosts d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe File opened for modification C:\Windows\system32\drivers\etc\hosts windowsxupdate.exe -
Modifies Windows Firewall 2 TTPs 2 IoCs
pid Process 1116 Netsh.exe 748 Netsh.exe -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe -
Executes dropped EXE 1 IoCs
pid Process 4016 windowsxupdate.exe -
Adds Run key to start application 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audio Device = "C:\\Users\\Admin\\AppData\\Roaming\\edgi7SPzOEr6.exe" d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Graphic Driver = "C:\\Users\\Admin\\AppData\\Roaming\\edgi7SPzOEr6.exe" d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\Windupdt32\\windowsxupdate.exe" d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audio Device = "C:\\Users\\Admin\\AppData\\Roaming\\edgi7SPzOEr6.exe" windowsxupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Graphic Driver = "C:\\Users\\Admin\\AppData\\Roaming\\edgi7SPzOEr6.exe" windowsxupdate.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" windowsxupdate.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA windowsxupdate.exe -
Drops file in System32 directory 3 IoCs
description ioc Process File created C:\Windows\SysWOW64\Windupdt32\windowsxupdate.exe d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\Windupdt32\windowsxupdate.exe d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\Windupdt32\ d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3464 set thread context of 3488 3464 d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe 84 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh Netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh Netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh Netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh Netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh Netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh Netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language windowsxupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Netsh.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe -
Enumerates system info in registry 2 TTPs 1 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 24 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 3488 d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe Token: SeSecurityPrivilege 3488 d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe Token: SeTakeOwnershipPrivilege 3488 d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe Token: SeLoadDriverPrivilege 3488 d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe Token: SeSystemProfilePrivilege 3488 d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe Token: SeSystemtimePrivilege 3488 d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe Token: SeProfSingleProcessPrivilege 3488 d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe Token: SeIncBasePriorityPrivilege 3488 d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe Token: SeCreatePagefilePrivilege 3488 d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe Token: SeBackupPrivilege 3488 d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe Token: SeRestorePrivilege 3488 d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe Token: SeShutdownPrivilege 3488 d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe Token: SeDebugPrivilege 3488 d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe Token: SeSystemEnvironmentPrivilege 3488 d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe Token: SeChangeNotifyPrivilege 3488 d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe Token: SeRemoteShutdownPrivilege 3488 d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe Token: SeUndockPrivilege 3488 d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe Token: SeManageVolumePrivilege 3488 d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe Token: SeImpersonatePrivilege 3488 d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe Token: SeCreateGlobalPrivilege 3488 d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe Token: 33 3488 d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe Token: 34 3488 d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe Token: 35 3488 d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe Token: 36 3488 d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 26 IoCs
description pid Process procid_target PID 3464 wrote to memory of 1116 3464 d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe 83 PID 3464 wrote to memory of 1116 3464 d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe 83 PID 3464 wrote to memory of 1116 3464 d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe 83 PID 3464 wrote to memory of 3488 3464 d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe 84 PID 3464 wrote to memory of 3488 3464 d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe 84 PID 3464 wrote to memory of 3488 3464 d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe 84 PID 3464 wrote to memory of 3488 3464 d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe 84 PID 3464 wrote to memory of 3488 3464 d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe 84 PID 3464 wrote to memory of 3488 3464 d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe 84 PID 3464 wrote to memory of 3488 3464 d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe 84 PID 3464 wrote to memory of 3488 3464 d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe 84 PID 3464 wrote to memory of 3488 3464 d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe 84 PID 3464 wrote to memory of 3488 3464 d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe 84 PID 3464 wrote to memory of 3488 3464 d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe 84 PID 3464 wrote to memory of 3488 3464 d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe 84 PID 3464 wrote to memory of 3488 3464 d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe 84 PID 3464 wrote to memory of 3488 3464 d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe 84 PID 3488 wrote to memory of 4016 3488 d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe 86 PID 3488 wrote to memory of 4016 3488 d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe 86 PID 3488 wrote to memory of 4016 3488 d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe 86 PID 4016 wrote to memory of 748 4016 windowsxupdate.exe 88 PID 4016 wrote to memory of 748 4016 windowsxupdate.exe 88 PID 4016 wrote to memory of 748 4016 windowsxupdate.exe 88 PID 4016 wrote to memory of 884 4016 windowsxupdate.exe 87 PID 4016 wrote to memory of 884 4016 windowsxupdate.exe 87 PID 4016 wrote to memory of 884 4016 windowsxupdate.exe 87 -
System policy modification 1 TTPs 4 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" windowsxupdate.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" windowsxupdate.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe"1⤵
- UAC bypass
- Blocks application from running via registry modification
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3464 -
C:\Windows\SysWOW64\Netsh.exe"Netsh" Advfirewall set Currentprofile State off2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1116
-
-
C:\Users\Admin\AppData\Local\Temp\d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe"2⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3488 -
C:\Windows\SysWOW64\Windupdt32\windowsxupdate.exe"C:\Windows\system32\Windupdt32\windowsxupdate.exe"3⤵
- UAC bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4016 -
C:\Windows\SysWOW64\Windupdt32\windowsxupdate.exe"C:\Windows\SysWOW64\Windupdt32\windowsxupdate.exe"4⤵PID:884
-
-
C:\Windows\SysWOW64\Netsh.exe"Netsh" Advfirewall set Currentprofile State off4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:748
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.2MB
MD5d7456007a18e3ef753d878fd4b609738
SHA181943936080b6eee006281d7bb00a4ba071758ba
SHA25632bf0fadc0f91e74293232f370828869df6ba1c1ce27473874eb67451bddd696
SHA512d8ba24c51e57ce0cc8dadd97beb9c3edbd0cc001ace33a46b43992bd63c688f92bdb7c553c5b2b70ee647874cfc2bded0ea75649eb4d324f980f8dd589dd8666
-
Filesize
292B
MD5419ee5be7f8b23452255119dfd809a59
SHA1f58ad3700e3c4e7ca58e33c2e7bc72ff4aeca49b
SHA2568cc549a22b58d9839c478c973f137509381ee6d01a06f00c5d0ee5ccb5943f2c
SHA512704e84b674004b7dc65501006383c8fd7d139953de0cf60bec2aa207107b44b64305463f118c87020966bd3575d002fd0a5e22905915c66af0a8d66dc7131c18