Analysis
-
max time kernel
98s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09-12-2024 20:34
Static task
static1
Behavioral task
behavioral1
Sample
db6ba29deac32256e74e93de3c50bedb_JaffaCakes118.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
db6ba29deac32256e74e93de3c50bedb_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
db6ba29deac32256e74e93de3c50bedb_JaffaCakes118.exe
-
Size
767KB
-
MD5
db6ba29deac32256e74e93de3c50bedb
-
SHA1
14ac2f72e88bc7416ded3eac0c432b8f7681a87d
-
SHA256
5a8dd6e662e77c59a4636cdbcac84f24fa11374626b47a6a8fb86cc41f340f9e
-
SHA512
e20b455226ee1511cf331aa963fdbeae06c03dd2406c65debd9b886844c88bd2d6809f72d3faaa993515bb15d45b34757d2aa7b516f2dba471110962b7de3374
-
SSDEEP
12288:vgeVQkTrvj4f5IUFsmzU0pA09K5Xv+lsqllCOfhw/Xw0cOhkgGob0nAjklPE1d8S:vZQkTf4f+UbTUv+aqlNhwPw0cOanTl+7
Malware Config
Signatures
-
Darkcomet family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\svchost.exe" vbc.exe -
Executes dropped EXE 1 IoCs
pid Process 2440 svchost.exe -
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\Windupdt\\svchost.exe" vbc.exe -
Drops file in System32 directory 3 IoCs
description ioc Process File created C:\Windows\SysWOW64\Windupdt\svchost.exe vbc.exe File opened for modification C:\Windows\SysWOW64\Windupdt\svchost.exe vbc.exe File opened for modification C:\Windows\SysWOW64\Windupdt\ vbc.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1168 set thread context of 2112 1168 db6ba29deac32256e74e93de3c50bedb_JaffaCakes118.exe 82 -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language db6ba29deac32256e74e93de3c50bedb_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 4936 cmd.exe 4296 PING.EXE -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 4296 PING.EXE -
Suspicious use of AdjustPrivilegeToken 25 IoCs
description pid Process Token: SeDebugPrivilege 1168 db6ba29deac32256e74e93de3c50bedb_JaffaCakes118.exe Token: SeIncreaseQuotaPrivilege 2112 vbc.exe Token: SeSecurityPrivilege 2112 vbc.exe Token: SeTakeOwnershipPrivilege 2112 vbc.exe Token: SeLoadDriverPrivilege 2112 vbc.exe Token: SeSystemProfilePrivilege 2112 vbc.exe Token: SeSystemtimePrivilege 2112 vbc.exe Token: SeProfSingleProcessPrivilege 2112 vbc.exe Token: SeIncBasePriorityPrivilege 2112 vbc.exe Token: SeCreatePagefilePrivilege 2112 vbc.exe Token: SeBackupPrivilege 2112 vbc.exe Token: SeRestorePrivilege 2112 vbc.exe Token: SeShutdownPrivilege 2112 vbc.exe Token: SeDebugPrivilege 2112 vbc.exe Token: SeSystemEnvironmentPrivilege 2112 vbc.exe Token: SeChangeNotifyPrivilege 2112 vbc.exe Token: SeRemoteShutdownPrivilege 2112 vbc.exe Token: SeUndockPrivilege 2112 vbc.exe Token: SeManageVolumePrivilege 2112 vbc.exe Token: SeImpersonatePrivilege 2112 vbc.exe Token: SeCreateGlobalPrivilege 2112 vbc.exe Token: 33 2112 vbc.exe Token: 34 2112 vbc.exe Token: 35 2112 vbc.exe Token: 36 2112 vbc.exe -
Suspicious use of WriteProcessMemory 23 IoCs
description pid Process procid_target PID 1168 wrote to memory of 2112 1168 db6ba29deac32256e74e93de3c50bedb_JaffaCakes118.exe 82 PID 1168 wrote to memory of 2112 1168 db6ba29deac32256e74e93de3c50bedb_JaffaCakes118.exe 82 PID 1168 wrote to memory of 2112 1168 db6ba29deac32256e74e93de3c50bedb_JaffaCakes118.exe 82 PID 1168 wrote to memory of 2112 1168 db6ba29deac32256e74e93de3c50bedb_JaffaCakes118.exe 82 PID 1168 wrote to memory of 2112 1168 db6ba29deac32256e74e93de3c50bedb_JaffaCakes118.exe 82 PID 1168 wrote to memory of 2112 1168 db6ba29deac32256e74e93de3c50bedb_JaffaCakes118.exe 82 PID 1168 wrote to memory of 2112 1168 db6ba29deac32256e74e93de3c50bedb_JaffaCakes118.exe 82 PID 1168 wrote to memory of 2112 1168 db6ba29deac32256e74e93de3c50bedb_JaffaCakes118.exe 82 PID 1168 wrote to memory of 2112 1168 db6ba29deac32256e74e93de3c50bedb_JaffaCakes118.exe 82 PID 1168 wrote to memory of 2112 1168 db6ba29deac32256e74e93de3c50bedb_JaffaCakes118.exe 82 PID 1168 wrote to memory of 2112 1168 db6ba29deac32256e74e93de3c50bedb_JaffaCakes118.exe 82 PID 1168 wrote to memory of 2112 1168 db6ba29deac32256e74e93de3c50bedb_JaffaCakes118.exe 82 PID 1168 wrote to memory of 2112 1168 db6ba29deac32256e74e93de3c50bedb_JaffaCakes118.exe 82 PID 1168 wrote to memory of 2112 1168 db6ba29deac32256e74e93de3c50bedb_JaffaCakes118.exe 82 PID 2112 wrote to memory of 2440 2112 vbc.exe 83 PID 2112 wrote to memory of 2440 2112 vbc.exe 83 PID 2112 wrote to memory of 2440 2112 vbc.exe 83 PID 2112 wrote to memory of 4936 2112 vbc.exe 85 PID 2112 wrote to memory of 4936 2112 vbc.exe 85 PID 2112 wrote to memory of 4936 2112 vbc.exe 85 PID 4936 wrote to memory of 4296 4936 cmd.exe 87 PID 4936 wrote to memory of 4296 4936 cmd.exe 87 PID 4936 wrote to memory of 4296 4936 cmd.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\db6ba29deac32256e74e93de3c50bedb_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\db6ba29deac32256e74e93de3c50bedb_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1168 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe2⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Windupdt\svchost.exe"C:\Windows\system32\Windupdt\svchost.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2440
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 54⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4296
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB
MD5d881de17aa8f2e2c08cbb7b265f928f9
SHA108936aebc87decf0af6e8eada191062b5e65ac2a
SHA256b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
SHA5125f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34