Analysis
- max time kernel: 149s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09-12-2024 10:44
- Static task: static1
- Behavioral task: behavioral1
- Sample: d9388137a0f9300f73f8df37ad58c0a0_JaffaCakes118.exe
- Resource: win7-20240903-en
General
- Target: d9388137a0f9300f73f8df37ad58c0a0_JaffaCakes118.exe
- Size: 1.0MB
- MD5: d9388137a0f9300f73f8df37ad58c0a0
- SHA1: 7b8d85b70c5c5be9c112f4806df8c28e28a76fd5
- SHA256: 547956561b1714de667c3ec27fc147b26cff8cc8e7b7d44b8b8c2dd5330d00f5
- SHA512: aea1bb6d89da9bdbebd654e665c21903c54d80334e929ac0b6be4b25c60f5b4a45987c857e93fcf478ee6f4f4a82d7583541e0df0679d06d6cdc6d5dbfa0eeb8
- SSDEEP: 12288:QB8gZtTfGQ6jrHPGB6qUYRUDUXNCiVu/wjE1ymyoTfgsCwpqIWHvY4/b2XyvUOvp:QCfe9MjeBjE7swkTy67Os5jgZY3HYTa
Malware Config
Signatures
- Darkcomet family
- Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d9388137a0f9300f73f8df37ad58c0a0_JaffaCakes118.exe | d9388137a0f9300f73f8df37ad58c0a0_JaffaCakes118.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d9388137a0f9300f73f8df37ad58c0a0_JaffaCakes118.exe | d9388137a0f9300f73f8df37ad58c0a0_JaffaCakes118.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  4488 | ctfmon.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 3668 set thread context of 4488 | 3668 | d9388137a0f9300f73f8df37ad58c0a0_JaffaCakes118.exe | 86
- Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  3928 | 4488 | WerFault.exe | 86
- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d9388137a0f9300f73f8df37ad58c0a0_JaffaCakes118.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  3668 | d9388137a0f9300f73f8df37ad58c0a0_JaffaCakes118.exe (this identical row is reported 64 times)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 3668 | d9388137a0f9300f73f8df37ad58c0a0_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (26 IoCs)
  description | pid | Process | procid_target | occurrences
  PID 3668 wrote to memory of 1028 | 3668 | d9388137a0f9300f73f8df37ad58c0a0_JaffaCakes118.exe | 83 | 3
  PID 1028 wrote to memory of 4436 | 1028 | csc.exe | 85 | 3
  PID 3668 wrote to memory of 4488 | 3668 | d9388137a0f9300f73f8df37ad58c0a0_JaffaCakes118.exe | 86 | 14
  PID 3668 wrote to memory of 2944 | 3668 | d9388137a0f9300f73f8df37ad58c0a0_JaffaCakes118.exe | 88 | 3
  PID 2944 wrote to memory of 5036 | 2944 | csc.exe | 90 | 3
Processes
- C:\Users\Admin\AppData\Local\Temp\d9388137a0f9300f73f8df37ad58c0a0_JaffaCakes118.exe (PID 3668)
  command line: "C:\Users\Admin\AppData\Local\Temp\d9388137a0f9300f73f8df37ad58c0a0_JaffaCakes118.exe"
  signatures: Drops startup file; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe (PID 1028)
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rzjotwqn.cmdline"
    signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 4436)
      command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8F60.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8F5F.tmp"
      signatures: System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Roaming\ctfmon.exe (PID 4488)
    command line: C:\Users\Admin\AppData\Roaming\ctfmon.exe
    signatures: Executes dropped EXE
    - C:\Windows\SysWOW64\WerFault.exe (PID 3928)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 12
      signatures: Program crash
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe (PID 2944)
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jsme5xwh.cmdline"
    signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 5036)
      command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES900C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC900B.tmp"
      signatures: System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\WerFault.exe (PID 880)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4488 -ip 4488
Network
MITRE ATT&CK Enterprise v15
Downloads