Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09-12-2024 10:44
Static task: static1
Behavioral task: behavioral1
Sample: d9388137a0f9300f73f8df37ad58c0a0_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: d9388137a0f9300f73f8df37ad58c0a0_JaffaCakes118.exe
Size: 1.0MB
MD5: d9388137a0f9300f73f8df37ad58c0a0
SHA1: 7b8d85b70c5c5be9c112f4806df8c28e28a76fd5
SHA256: 547956561b1714de667c3ec27fc147b26cff8cc8e7b7d44b8b8c2dd5330d00f5
SHA512: aea1bb6d89da9bdbebd654e665c21903c54d80334e929ac0b6be4b25c60f5b4a45987c857e93fcf478ee6f4f4a82d7583541e0df0679d06d6cdc6d5dbfa0eeb8
SSDEEP: 12288:QB8gZtTfGQ6jrHPGB6qUYRUDUXNCiVu/wjE1ymyoTfgsCwpqIWHvY4/b2XyvUOvp:QCfe9MjeBjE7swkTy67Os5jgZY3HYTa
Malware Config

Signatures
- Darkcomet family

Drops startup file (2 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d9388137a0f9300f73f8df37ad58c0a0_JaffaCakes118.exe (Process: d9388137a0f9300f73f8df37ad58c0a0_JaffaCakes118.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d9388137a0f9300f73f8df37ad58c0a0_JaffaCakes118.exe (Process: d9388137a0f9300f73f8df37ad58c0a0_JaffaCakes118.exe)

Executes dropped EXE (1 IoC)
- PID 2428: ctfmon.exe

Loads dropped DLL (2 IoCs)
- PID 2328: d9388137a0f9300f73f8df37ad58c0a0_JaffaCakes118.exe
- PID 2328: d9388137a0f9300f73f8df37ad58c0a0_JaffaCakes118.exe

Suspicious use of SetThreadContext (1 IoC)
- PID 2328 set thread context of 2428 (Process: d9388137a0f9300f73f8df37ad58c0a0_JaffaCakes118.exe, procid_target: 33)
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: csc.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: cvtres.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: d9388137a0f9300f73f8df37ad58c0a0_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: csc.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: cvtres.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 2328: d9388137a0f9300f73f8df37ad58c0a0_JaffaCakes118.exe (all 64 entries are identical to this one)
Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege (PID 2328, Process: d9388137a0f9300f73f8df37ad58c0a0_JaffaCakes118.exe)
Suspicious use of WriteProcessMemory (29 IoCs; identical entries collapsed, counts in brackets)
- PID 2328 wrote to memory of 2440 (Process: d9388137a0f9300f73f8df37ad58c0a0_JaffaCakes118.exe, procid_target: 30) [4 entries]
- PID 2440 wrote to memory of 3032 (Process: csc.exe, procid_target: 32) [4 entries]
- PID 2328 wrote to memory of 2428 (Process: d9388137a0f9300f73f8df37ad58c0a0_JaffaCakes118.exe, procid_target: 33) [13 entries]
- PID 2328 wrote to memory of 2744 (Process: d9388137a0f9300f73f8df37ad58c0a0_JaffaCakes118.exe, procid_target: 34) [4 entries]
- PID 2744 wrote to memory of 2088 (Process: csc.exe, procid_target: 36) [4 entries]
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\d9388137a0f9300f73f8df37ad58c0a0_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d9388137a0f9300f73f8df37ad58c0a0_JaffaCakes118.exe"
  PID: 2328
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2lqk9l3x.cmdline"
    PID: 2440
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB2AD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB29D.tmp"
      PID: 3032
      - System Location Discovery: System Language Discovery
  - [2] C:\Users\Admin\AppData\Roaming\ctfmon.exe
    Command line: C:\Users\Admin\AppData\Roaming\ctfmon.exe
    PID: 2428
    - Executes dropped EXE
  - [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\8dvbdfug.cmdline"
    PID: 2744
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB433.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB432.tmp"
      PID: 2088
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads