Resubmissions
10-12-2024 23:00
241210-2y3qaatmcz 10Analysis
max time kernel
25s
max time network
122s
platform
windows7_x64
resource
win7-20241010-en
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
submitted
10-12-2024 23:00
Static task
static1
Behavioral task
behavioral1
Sample
dedd075c79305e69cf9cec3c757ecd89_JaffaCakes118.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
dedd075c79305e69cf9cec3c757ecd89_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
Target
dedd075c79305e69cf9cec3c757ecd89_JaffaCakes118.exe
Size
532KB
MD5
dedd075c79305e69cf9cec3c757ecd89
SHA1
1e39c5446aa23168c8a549907a237c1cbf246f21
SHA256
bca9c9b7d76727bc66cdccd93d506b11f8784e1ffa38b1b124a4c25f75aa7b3d
SHA512
193dbb20c33eccaa76dcd8a501034c16e81a78e3fa260834085bf871e86fb79cbe68e756d1783ececef903f21bcc32d74d2889da3b4a3ff848e7a1f69b147c98
SSDEEP
12288:yboBeI1XTheTFJubyk2CK9oi/HwxH+iey27nCz:1kIthKrutMb/HtieB
Malware Config
Signatures
Darkcomet family
Executes dropped EXE 3 IoCs
pid Process
3448 svchosh.exe
872 svchosh.exe
3168 svchosh.exe
Loads dropped DLL 7 IoCs
pid Process
3216 dedd075c79305e69cf9cec3c757ecd89_JaffaCakes118.exe
3216 dedd075c79305e69cf9cec3c757ecd89_JaffaCakes118.exe
3216 dedd075c79305e69cf9cec3c757ecd89_JaffaCakes118.exe
3216 dedd075c79305e69cf9cec3c757ecd89_JaffaCakes118.exe
3216 dedd075c79305e69cf9cec3c757ecd89_JaffaCakes118.exe
3448 svchosh.exe
3448 svchosh.exe
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\salvia = "C:\\Users\\Admin\\AppData\\Roaming\\Bingo\\svchosh.exe" reg.exe
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target
PID 1488 set thread context of 3216 1488 dedd075c79305e69cf9cec3c757ecd89_JaffaCakes118.exe 31
PID 3448 set thread context of 872 3448 svchosh.exe 36
PID 3448 set thread context of 3168 3448 svchosh.exe 37
resource yara_rule
behavioral1/memory/3216-446-0x0000000000400000-0x000000000040B000-memory.dmp upx
behavioral1/memory/872-886-0x0000000000400000-0x000000000040B000-memory.dmp upx
behavioral1/memory/3168-1026-0x0000000000400000-0x00000000004C9000-memory.dmp upx
behavioral1/memory/3216-1029-0x0000000000400000-0x000000000040B000-memory.dmp upx
behavioral1/memory/872-1035-0x0000000000400000-0x000000000040B000-memory.dmp upx
behavioral1/memory/3168-1038-0x0000000000400000-0x00000000004C9000-memory.dmp upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchosh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchosh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchosh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dedd075c79305e69cf9cec3c757ecd89_JaffaCakes118.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dedd075c79305e69cf9cec3c757ecd89_JaffaCakes118.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Suspicious use of AdjustPrivilegeToken 37 IoCs
description pid Process
Token: SeIncreaseQuotaPrivilege 3168 svchosh.exe
Token: SeSecurityPrivilege 3168 svchosh.exe
Token: SeTakeOwnershipPrivilege 3168 svchosh.exe
Token: SeLoadDriverPrivilege 3168 svchosh.exe
Token: SeSystemProfilePrivilege 3168 svchosh.exe
Token: SeSystemtimePrivilege 3168 svchosh.exe
Token: SeProfSingleProcessPrivilege 3168 svchosh.exe
Token: SeIncBasePriorityPrivilege 3168 svchosh.exe
Token: SeCreatePagefilePrivilege 3168 svchosh.exe
Token: SeBackupPrivilege 3168 svchosh.exe
Token: SeRestorePrivilege 3168 svchosh.exe
Token: SeShutdownPrivilege 3168 svchosh.exe
Token: SeDebugPrivilege 3168 svchosh.exe
Token: SeSystemEnvironmentPrivilege 3168 svchosh.exe
Token: SeChangeNotifyPrivilege 3168 svchosh.exe
Token: SeRemoteShutdownPrivilege 3168 svchosh.exe
Token: SeUndockPrivilege 3168 svchosh.exe
Token: SeManageVolumePrivilege 3168 svchosh.exe
Token: SeImpersonatePrivilege 3168 svchosh.exe
Token: SeCreateGlobalPrivilege 3168 svchosh.exe
Token: 33 3168 svchosh.exe
Token: 34 3168 svchosh.exe
Token: 35 3168 svchosh.exe
Token: SeDebugPrivilege 872 svchosh.exe
Token: SeDebugPrivilege 872 svchosh.exe
Token: SeDebugPrivilege 872 svchosh.exe
Token: SeDebugPrivilege 872 svchosh.exe
Token: SeDebugPrivilege 872 svchosh.exe
Token: SeDebugPrivilege 872 svchosh.exe
Token: SeDebugPrivilege 872 svchosh.exe
Token: SeDebugPrivilege 872 svchosh.exe
Token: SeDebugPrivilege 872 svchosh.exe
Token: SeDebugPrivilege 872 svchosh.exe
Token: SeDebugPrivilege 872 svchosh.exe
Token: SeDebugPrivilege 872 svchosh.exe
Token: SeDebugPrivilege 872 svchosh.exe
Token: SeDebugPrivilege 872 svchosh.exe
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process
1488 dedd075c79305e69cf9cec3c757ecd89_JaffaCakes118.exe
3216 dedd075c79305e69cf9cec3c757ecd89_JaffaCakes118.exe
3448 svchosh.exe
872 svchosh.exe
3168 svchosh.exe
Suspicious use of WriteProcessMemory 36 IoCs
description pid Process procid_target
PID 1488 wrote to memory of 3216 1488 dedd075c79305e69cf9cec3c757ecd89_JaffaCakes118.exe 31
PID 1488 wrote to memory of 3216 1488 dedd075c79305e69cf9cec3c757ecd89_JaffaCakes118.exe 31
PID 1488 wrote to memory of 3216 1488 dedd075c79305e69cf9cec3c757ecd89_JaffaCakes118.exe 31
PID 1488 wrote to memory of 3216 1488 dedd075c79305e69cf9cec3c757ecd89_JaffaCakes118.exe 31
PID 1488 wrote to memory of 3216 1488 dedd075c79305e69cf9cec3c757ecd89_JaffaCakes118.exe 31
PID 1488 wrote to memory of 3216 1488 dedd075c79305e69cf9cec3c757ecd89_JaffaCakes118.exe 31
PID 1488 wrote to memory of 3216 1488 dedd075c79305e69cf9cec3c757ecd89_JaffaCakes118.exe 31
PID 1488 wrote to memory of 3216 1488 dedd075c79305e69cf9cec3c757ecd89_JaffaCakes118.exe 31
PID 3216 wrote to memory of 3372 3216 dedd075c79305e69cf9cec3c757ecd89_JaffaCakes118.exe 32
PID 3216 wrote to memory of 3372 3216 dedd075c79305e69cf9cec3c757ecd89_JaffaCakes118.exe 32
PID 3216 wrote to memory of 3372 3216 dedd075c79305e69cf9cec3c757ecd89_JaffaCakes118.exe 32
PID 3216 wrote to memory of 3372 3216 dedd075c79305e69cf9cec3c757ecd89_JaffaCakes118.exe 32
PID 3372 wrote to memory of 3424 3372 cmd.exe 34
PID 3372 wrote to memory of 3424 3372 cmd.exe 34
PID 3372 wrote to memory of 3424 3372 cmd.exe 34
PID 3372 wrote to memory of 3424 3372 cmd.exe 34
PID 3216 wrote to memory of 3448 3216 dedd075c79305e69cf9cec3c757ecd89_JaffaCakes118.exe 35
PID 3216 wrote to memory of 3448 3216 dedd075c79305e69cf9cec3c757ecd89_JaffaCakes118.exe 35
PID 3216 wrote to memory of 3448 3216 dedd075c79305e69cf9cec3c757ecd89_JaffaCakes118.exe 35
PID 3216 wrote to memory of 3448 3216 dedd075c79305e69cf9cec3c757ecd89_JaffaCakes118.exe 35
PID 3448 wrote to memory of 872 3448 svchosh.exe 36
PID 3448 wrote to memory of 872 3448 svchosh.exe 36
PID 3448 wrote to memory of 872 3448 svchosh.exe 36
PID 3448 wrote to memory of 872 3448 svchosh.exe 36
PID 3448 wrote to memory of 872 3448 svchosh.exe 36
PID 3448 wrote to memory of 872 3448 svchosh.exe 36
PID 3448 wrote to memory of 872 3448 svchosh.exe 36
PID 3448 wrote to memory of 872 3448 svchosh.exe 36
PID 3448 wrote to memory of 3168 3448 svchosh.exe 37
PID 3448 wrote to memory of 3168 3448 svchosh.exe 37
PID 3448 wrote to memory of 3168 3448 svchosh.exe 37
PID 3448 wrote to memory of 3168 3448 svchosh.exe 37
PID 3448 wrote to memory of 3168 3448 svchosh.exe 37
PID 3448 wrote to memory of 3168 3448 svchosh.exe 37
PID 3448 wrote to memory of 3168 3448 svchosh.exe 37
PID 3448 wrote to memory of 3168 3448 svchosh.exe 37
Processes
Process tree (bracketed number = nesting depth; image path, then command line):

[1] C:\Users\Admin\AppData\Local\Temp\dedd075c79305e69cf9cec3c757ecd89_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dedd075c79305e69cf9cec3c757ecd89_JaffaCakes118.exe"
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1488

[2] C:\Users\Admin\AppData\Local\Temp\dedd075c79305e69cf9cec3c757ecd89_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dedd075c79305e69cf9cec3c757ecd89_JaffaCakes118.exe"
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3216

[3] C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VIMIG.bat" "
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 3372

[4] C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "salvia" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Bingo\svchosh.exe" /f
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID: 3424

[3] C:\Users\Admin\AppData\Roaming\Bingo\svchosh.exe
"C:\Users\Admin\AppData\Roaming\Bingo\svchosh.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3448

[4] C:\Users\Admin\AppData\Roaming\Bingo\svchosh.exe
"C:\Users\Admin\AppData\Roaming\Bingo\svchosh.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 872

[4] C:\Users\Admin\AppData\Roaming\Bingo\svchosh.exe
"C:\Users\Admin\AppData\Roaming\Bingo\svchosh.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 3168
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
141B
MD5
50e2930e5364be50ded453c36cf8dc0c
SHA1
5a6fbcea7a0b92a45b5b6ce7dea636105cffb281
SHA256
12e43e4d68acf87c9ab972b889ce0902c06651b227e2ef374c68876644f018fd
SHA512
cf1320bb060d103a0b518cef8fbd06d8ea7f175349c267b42933c5637faaae2b48c573139b115ad44dadda28e8f61db72df9a55d426462175b167076e78aa087

Filesize
532KB
MD5
1b3bfa4a745aea2581f3489a61a19520
SHA1
2411051ec9190dd86714e1e2d47353037029828c
SHA256
f7b9e230cfe70d223dc553df7d55556abdf88a8f7a8394e6ecc44f3a0482f56e
SHA512
1791a5a8a8023003f680b2bd230b10d4c9fc1aec47128f3ff05ddf677364c4dda6f84388d029ce44be16945a3d447741a4d514dab7a1b3c0b4298d4bea78a565