Analysis
max time kernel: 149s
max time network: 17s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 10-12-2024 19:20
Static task: static1
Behavioral task: behavioral1
Sample: de4827e4879fc14a65133478895bf742_JaffaCakes118.exe
Resource: win7-20240729-en
General
Target: de4827e4879fc14a65133478895bf742_JaffaCakes118.exe
Size: 766KB
MD5: de4827e4879fc14a65133478895bf742
SHA1: 38ca0f794976147b3cb56e5bddebe292ce3b11c9
SHA256: 125aa1a042a5b5fd47979b612930348bfd2bc03cc8a7198535a576439a78a0c2
SHA512: 4bca18d80bcf8b8c946d3d8878b3e3a1c2725c20c41d51b38c138255810eaa329b2968c561cc3efca0a0dc063a646c53ab4b580f27c2d8b50320bb44e4abf90e
SSDEEP: 12288:/Muo3R2vENhB8JnOA2IVyhXF132N1eNSVUt29MW2SdKO8VdsJkl7+G07FKH83bqM:/lo3R2vcB8JOAg1gNAgOI912SgZVdsJB
Malware Config
Signatures
Darkcomet family
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | server.exe.exe
Executes dropped EXE (2 IoCs)
pid | Process
2844 | JavaLoader.exe
2348 | server.exe.exe
Loads dropped DLL (3 IoCs)
pid | Process
2420 | de4827e4879fc14a65133478895bf742_JaffaCakes118.exe
2420 | de4827e4879fc14a65133478895bf742_JaffaCakes118.exe
2420 | de4827e4879fc14a65133478895bf742_JaffaCakes118.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaLoader = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tempalbert\\JavaLoader.exe" | JavaLoader.exe
AutoIT Executable (7 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/2844-28-0x0000000000400000-0x00000000004C1000-memory.dmp | autoit_exe
behavioral1/memory/2844-29-0x0000000000400000-0x00000000004C1000-memory.dmp | autoit_exe
behavioral1/memory/2844-30-0x0000000000400000-0x00000000004C1000-memory.dmp | autoit_exe
behavioral1/memory/2844-31-0x0000000000400000-0x00000000004C1000-memory.dmp | autoit_exe
behavioral1/memory/2844-35-0x0000000000400000-0x00000000004C1000-memory.dmp | autoit_exe
behavioral1/memory/2844-38-0x0000000000400000-0x00000000004C1000-memory.dmp | autoit_exe
behavioral1/memory/2844-41-0x0000000000400000-0x00000000004C1000-memory.dmp | autoit_exe
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 2348 set thread context of 2816 | 2348 | server.exe.exe | 31

resource | yara_rule
behavioral1/files/0x0008000000016ae9-3.dat | upx
behavioral1/memory/2420-7-0x0000000003B10000-0x0000000003BD1000-memory.dmp | upx
behavioral1/memory/2844-16-0x0000000000400000-0x00000000004C1000-memory.dmp | upx
behavioral1/memory/2844-28-0x0000000000400000-0x00000000004C1000-memory.dmp | upx
behavioral1/memory/2844-29-0x0000000000400000-0x00000000004C1000-memory.dmp | upx
behavioral1/memory/2844-30-0x0000000000400000-0x00000000004C1000-memory.dmp | upx
behavioral1/memory/2844-31-0x0000000000400000-0x00000000004C1000-memory.dmp | upx
behavioral1/memory/2844-35-0x0000000000400000-0x00000000004C1000-memory.dmp | upx
behavioral1/memory/2844-38-0x0000000000400000-0x00000000004C1000-memory.dmp | upx
behavioral1/memory/2844-41-0x0000000000400000-0x00000000004C1000-memory.dmp | upx
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JavaLoader.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | server.exe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | de4827e4879fc14a65133478895bf742_JaffaCakes118.exe
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | server.exe.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | server.exe.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | server.exe.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | server.exe.exe
Enumerates system info in registry (2 TTPs, 2 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | server.exe.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | explorer.exe
Suspicious behavior: EnumeratesProcesses (1 IoC)
pid | Process
2844 | JavaLoader.exe
Suspicious use of AdjustPrivilegeToken (46 IoCs)
description | pid | Process
Token: SeIncreaseQuotaPrivilege | 2348 | server.exe.exe
Token: SeSecurityPrivilege | 2348 | server.exe.exe
Token: SeTakeOwnershipPrivilege | 2348 | server.exe.exe
Token: SeLoadDriverPrivilege | 2348 | server.exe.exe
Token: SeSystemProfilePrivilege | 2348 | server.exe.exe
Token: SeSystemtimePrivilege | 2348 | server.exe.exe
Token: SeProfSingleProcessPrivilege | 2348 | server.exe.exe
Token: SeIncBasePriorityPrivilege | 2348 | server.exe.exe
Token: SeCreatePagefilePrivilege | 2348 | server.exe.exe
Token: SeBackupPrivilege | 2348 | server.exe.exe
Token: SeRestorePrivilege | 2348 | server.exe.exe
Token: SeShutdownPrivilege | 2348 | server.exe.exe
Token: SeDebugPrivilege | 2348 | server.exe.exe
Token: SeSystemEnvironmentPrivilege | 2348 | server.exe.exe
Token: SeChangeNotifyPrivilege | 2348 | server.exe.exe
Token: SeRemoteShutdownPrivilege | 2348 | server.exe.exe
Token: SeUndockPrivilege | 2348 | server.exe.exe
Token: SeManageVolumePrivilege | 2348 | server.exe.exe
Token: SeImpersonatePrivilege | 2348 | server.exe.exe
Token: SeCreateGlobalPrivilege | 2348 | server.exe.exe
Token: 33 | 2348 | server.exe.exe
Token: 34 | 2348 | server.exe.exe
Token: 35 | 2348 | server.exe.exe
Token: SeIncreaseQuotaPrivilege | 2816 | explorer.exe
Token: SeSecurityPrivilege | 2816 | explorer.exe
Token: SeTakeOwnershipPrivilege | 2816 | explorer.exe
Token: SeLoadDriverPrivilege | 2816 | explorer.exe
Token: SeSystemProfilePrivilege | 2816 | explorer.exe
Token: SeSystemtimePrivilege | 2816 | explorer.exe
Token: SeProfSingleProcessPrivilege | 2816 | explorer.exe
Token: SeIncBasePriorityPrivilege | 2816 | explorer.exe
Token: SeCreatePagefilePrivilege | 2816 | explorer.exe
Token: SeBackupPrivilege | 2816 | explorer.exe
Token: SeRestorePrivilege | 2816 | explorer.exe
Token: SeShutdownPrivilege | 2816 | explorer.exe
Token: SeDebugPrivilege | 2816 | explorer.exe
Token: SeSystemEnvironmentPrivilege | 2816 | explorer.exe
Token: SeChangeNotifyPrivilege | 2816 | explorer.exe
Token: SeRemoteShutdownPrivilege | 2816 | explorer.exe
Token: SeUndockPrivilege | 2816 | explorer.exe
Token: SeManageVolumePrivilege | 2816 | explorer.exe
Token: SeImpersonatePrivilege | 2816 | explorer.exe
Token: SeCreateGlobalPrivilege | 2816 | explorer.exe
Token: 33 | 2816 | explorer.exe
Token: 34 | 2816 | explorer.exe
Token: 35 | 2816 | explorer.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
pid | Process
2420 | de4827e4879fc14a65133478895bf742_JaffaCakes118.exe
2420 | de4827e4879fc14a65133478895bf742_JaffaCakes118.exe
2816 | explorer.exe
Suspicious use of WriteProcessMemory (14 IoCs)
description | pid | Process | procid_target
PID 2420 wrote to memory of 2844 | 2420 | de4827e4879fc14a65133478895bf742_JaffaCakes118.exe | 29
PID 2420 wrote to memory of 2844 | 2420 | de4827e4879fc14a65133478895bf742_JaffaCakes118.exe | 29
PID 2420 wrote to memory of 2844 | 2420 | de4827e4879fc14a65133478895bf742_JaffaCakes118.exe | 29
PID 2420 wrote to memory of 2844 | 2420 | de4827e4879fc14a65133478895bf742_JaffaCakes118.exe | 29
PID 2420 wrote to memory of 2348 | 2420 | de4827e4879fc14a65133478895bf742_JaffaCakes118.exe | 30
PID 2420 wrote to memory of 2348 | 2420 | de4827e4879fc14a65133478895bf742_JaffaCakes118.exe | 30
PID 2420 wrote to memory of 2348 | 2420 | de4827e4879fc14a65133478895bf742_JaffaCakes118.exe | 30
PID 2420 wrote to memory of 2348 | 2420 | de4827e4879fc14a65133478895bf742_JaffaCakes118.exe | 30
PID 2348 wrote to memory of 2816 | 2348 | server.exe.exe | 31
PID 2348 wrote to memory of 2816 | 2348 | server.exe.exe | 31
PID 2348 wrote to memory of 2816 | 2348 | server.exe.exe | 31
PID 2348 wrote to memory of 2816 | 2348 | server.exe.exe | 31
PID 2348 wrote to memory of 2816 | 2348 | server.exe.exe | 31
PID 2348 wrote to memory of 2816 | 2348 | server.exe.exe | 31
Processes
1. C:\Users\Admin\AppData\Local\Temp\de4827e4879fc14a65133478895bf742_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\de4827e4879fc14a65133478895bf742_JaffaCakes118.exe"
   PID: 2420
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\tempalbert\JavaLoader.exe (child of PID 2420)
      Command line: "C:\Users\Admin\AppData\Local\Temp\tempalbert\JavaLoader.exe"
      PID: 2844
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
   2. C:\Users\Admin\AppData\Local\Temp\tempalbert\server.exe.exe (child of PID 2420)
      Command line: "C:\Users\Admin\AppData\Local\Temp\tempalbert\server.exe.exe"
      PID: 2348
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\explorer.exe (child of PID 2348)
         Command line: "C:\Windows\SysWOW64\explorer.exe"
         PID: 2816
         - Checks BIOS information in registry
         - System Location Discovery: System Language Discovery
         - Checks processor information in registry
         - Enumerates system info in registry
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 689KB
MD5: f181ed8dd601359cff4dcd71b2a6cc9d
SHA1: 9b5a92fb3f2d94c0d04e75d89d22d22735917a27
SHA256: 3347899c9d721adda6a5f8fcd2ce5e359bce11a981d86abc2c29b64dc11ac3a2
SHA512: f440afd187e05952f758584febc731dc420acb66e7eddb8fe6d40d8ffacdd376b2e56314fab4195f9401bfb70bf1a10fa726f2aa12a1bef29e925c70222467be

Filesize: 374KB
MD5: 0e51f8e356ed9c7a511bf905c68d505d
SHA1: 32d3943307dadd37d4e7814ca338153ed445bde7
SHA256: 29917695214d5c69e2e26ceb28242b38f4ebd93370b7e00acf2aaebb5c23094f
SHA512: ee817ccb13b8a4dcf609f89529f4790d3357cd764fefc228d3d7262c0d366b3a49f3a3ec09d0dc4e6debebdf402f95181b661d1ed196b501b9ae6e78dddac042