Analysis
max time kernel: 149s
max time network: 154s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09-12-2024 11:53
Static task: static1
Behavioral task: behavioral1
  Sample: d97c83769db2a543d904501f22056290_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: d97c83769db2a543d904501f22056290_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: d97c83769db2a543d904501f22056290_JaffaCakes118.exe
Size: 515KB
MD5: d97c83769db2a543d904501f22056290
SHA1: 95d0d0521f7a88e9b8dc08907509799c128e77c1
SHA256: 3e5d82b39b9212613383ae6c94094051ecfbeddbeafbf1d3a63ed23328cc6ee1
SHA512: 270caba631ff8d054515f89a96bea3cce9abe9b3221f88388fb25bb1c5aa7bb9fb6d74cd83c2b10c0dffb29ae3bd4aeb662313c92cb6e458bc5c2d59f72298e8
SSDEEP: 6144:M8HE5leAjqA7e7lMXh2PVtS2+SN0X5Wx8lzR0PqXcl51q45dMG4XbMg65AGdU:M8HUeAjqRGh2PLB0X5WgtRX01qzDrMBQ
Malware Config
Extracted
Family: darkcomet
Version: 26.05
C2: grrr.no-ip.org:1604
C2: morans.no-ip.biz:1604
Mutex: DC_MUTEX-P3CD4XX
Attributes:
  gencode: D6xGbXCz58rr
  install: false
  offline_keylogger: true
  persistence: false
Signatures

Darkcomet family

Executes dropped EXE (3 IoCs)
pid   Process
2588  IMG_24467.scr
2984  IMG_24467.scr
2112  IMG_24467.scr

Loads dropped DLL (5 IoCs)
pid   Process
2868  d97c83769db2a543d904501f22056290_JaffaCakes118.exe
2868  d97c83769db2a543d904501f22056290_JaffaCakes118.exe
2868  d97c83769db2a543d904501f22056290_JaffaCakes118.exe
2868  d97c83769db2a543d904501f22056290_JaffaCakes118.exe
2868  d97c83769db2a543d904501f22056290_JaffaCakes118.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description      ioc                                                                                                                                                                            Process
Set value (str)  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\IMG_24467.scr = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\IMG_24467.scr"  reg.exe

Suspicious use of SetThreadContext (3 IoCs)
description                          pid   Process                                             procid_target
PID 2328 set thread context of 2868  2328  d97c83769db2a543d904501f22056290_JaffaCakes118.exe  31
PID 2588 set thread context of 2984  2588  IMG_24467.scr                                       33
PID 2588 set thread context of 2112  2588  IMG_24467.scr                                       34

Yara rule matches on memory dumps
resource                                                          yara_rule
behavioral1/memory/2868-44-0x0000000000400000-0x0000000000416000-memory.dmp   upx
behavioral1/memory/2868-52-0x0000000000400000-0x0000000000416000-memory.dmp   upx
behavioral1/memory/2868-54-0x0000000000400000-0x0000000000416000-memory.dmp   upx
behavioral1/memory/2868-50-0x0000000000400000-0x0000000000416000-memory.dmp   upx
behavioral1/memory/2868-48-0x0000000000400000-0x0000000000416000-memory.dmp   upx
behavioral1/memory/2868-42-0x0000000000400000-0x0000000000416000-memory.dmp   upx
behavioral1/memory/2868-75-0x0000000000400000-0x0000000000416000-memory.dmp   upx
behavioral1/memory/2112-140-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
behavioral1/memory/2112-145-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
behavioral1/memory/2984-138-0x0000000000400000-0x0000000000416000-memory.dmp  upx
behavioral1/memory/2112-149-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
behavioral1/memory/2112-136-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
behavioral1/memory/2112-133-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
behavioral1/memory/2112-150-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
behavioral1/memory/2112-152-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
behavioral1/memory/2112-151-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
behavioral1/memory/2984-163-0x0000000000400000-0x0000000000416000-memory.dmp  upx
behavioral1/memory/2112-164-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
behavioral1/memory/2112-166-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
behavioral1/memory/2112-168-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
behavioral1/memory/2112-170-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
behavioral1/memory/2112-172-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
behavioral1/memory/2112-174-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
behavioral1/memory/2112-176-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
behavioral1/memory/2112-178-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
behavioral1/memory/2112-180-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bitsadmin.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  reg.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  d97c83769db2a543d904501f22056290_JaffaCakes118.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  d97c83769db2a543d904501f22056290_JaffaCakes118.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  IMG_24467.scr
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  IMG_24467.scr
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  IMG_24467.scr
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description                              pid   Process
Token: SeIncreaseQuotaPrivilege          2112  IMG_24467.scr
Token: SeSecurityPrivilege               2112  IMG_24467.scr
Token: SeTakeOwnershipPrivilege          2112  IMG_24467.scr
Token: SeLoadDriverPrivilege             2112  IMG_24467.scr
Token: SeSystemProfilePrivilege          2112  IMG_24467.scr
Token: SeSystemtimePrivilege             2112  IMG_24467.scr
Token: SeProfSingleProcessPrivilege      2112  IMG_24467.scr
Token: SeIncBasePriorityPrivilege        2112  IMG_24467.scr
Token: SeCreatePagefilePrivilege         2112  IMG_24467.scr
Token: SeBackupPrivilege                 2112  IMG_24467.scr
Token: SeRestorePrivilege                2112  IMG_24467.scr
Token: SeShutdownPrivilege               2112  IMG_24467.scr
Token: SeDebugPrivilege                  2112  IMG_24467.scr
Token: SeSystemEnvironmentPrivilege      2112  IMG_24467.scr
Token: SeChangeNotifyPrivilege           2112  IMG_24467.scr
Token: SeRemoteShutdownPrivilege         2112  IMG_24467.scr
Token: SeUndockPrivilege                 2112  IMG_24467.scr
Token: SeManageVolumePrivilege           2112  IMG_24467.scr
Token: SeImpersonatePrivilege            2112  IMG_24467.scr
Token: SeCreateGlobalPrivilege           2112  IMG_24467.scr
Token: 33                                2112  IMG_24467.scr
Token: 34                                2112  IMG_24467.scr
Token: 35                                2112  IMG_24467.scr
Token: SeDebugPrivilege                  2984  IMG_24467.scr  (41 identical entries)
Suspicious use of SetWindowsHookEx (5 IoCs)
pid   Process
2328  d97c83769db2a543d904501f22056290_JaffaCakes118.exe
2868  d97c83769db2a543d904501f22056290_JaffaCakes118.exe
2588  IMG_24467.scr
2984  IMG_24467.scr
2112  IMG_24467.scr

Suspicious use of WriteProcessMemory (42 IoCs)
description                       pid   Process                                             procid_target
PID 2328 wrote to memory of 2868  2328  d97c83769db2a543d904501f22056290_JaffaCakes118.exe  31  (8 identical entries)
PID 2868 wrote to memory of 2588  2868  d97c83769db2a543d904501f22056290_JaffaCakes118.exe  32  (4 identical entries)
PID 2588 wrote to memory of 2984  2588  IMG_24467.scr                                       33  (8 identical entries)
PID 2588 wrote to memory of 2112  2588  IMG_24467.scr                                       34  (8 identical entries)
PID 2984 wrote to memory of 1672  2984  IMG_24467.scr                                       35  (6 identical entries)
PID 1672 wrote to memory of 1924  1672  bitsadmin.exe                                       37  (4 identical entries)
PID 1924 wrote to memory of 1704  1924  cmd.exe                                             39  (4 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\d97c83769db2a543d904501f22056290_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d97c83769db2a543d904501f22056290_JaffaCakes118.exe"
  PID: 2328
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\d97c83769db2a543d904501f22056290_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d97c83769db2a543d904501f22056290_JaffaCakes118.exe"
    PID: 2868
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Windows\IMG_24467.scr
      Command line: "C:\Users\Admin\AppData\Roaming\Windows\IMG_24467.scr" /S
      PID: 2588
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\Windows\IMG_24467.scr
        Command line: "C:\Users\Admin\AppData\Roaming\Windows\IMG_24467.scr"
        PID: 2984
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\bitsadmin.exe
          Command line: "C:\Windows\system32\bitsadmin.exe"
          PID: 1672
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\TMLTH.bat" "
            PID: 1924
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\reg.exe
              Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IMG_24467.scr" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows\IMG_24467.scr" /f
              PID: 1704
              - Adds Run key to start application
              - System Location Discovery: System Language Discovery

      C:\Users\Admin\AppData\Roaming\Windows\IMG_24467.scr
        Command line: "C:\Users\Admin\AppData\Roaming\Windows\IMG_24467.scr"
        PID: 2112
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 152B
MD5: e11fc853b33e10530209a4d07c03be9a
SHA1: 818c706ffaba371396ae85b5adf66f542eab0380
SHA256: 15947a94d9c163d64f7e6e0975ecdd07e8046f013f10345381a5061b5b3adba4
SHA512: b86c3d718b3b99df12d1211be83307b17422e0e4f0145d72dd2341968821f348025393a71c39f8229544332ce9f5d570655791697c34370b70e138385411e2ef

Filesize: 515KB
MD5: e777c055eae5a101744575068ed31934
SHA1: 3a22bb38d9966345a4f3d13330e34974a6d5abff
SHA256: bafc3fdebd62e5a2c503abec14b9949402e9058135efbef7147c02e1d08cf3fe
SHA512: 6dce71f9b83710e3190c6be5b58ff75d96ba0ce0be710c93915afb5d8664e63c66f12b31f5ee411e7e7f52a00108214d48f5c02e56014b1fd6af03d9ef8d3aad