Analysis
max time kernel: 147s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-12-2024 19:20
Static task: static1
Behavioral task: behavioral1
Sample: de4827e4879fc14a65133478895bf742_JaffaCakes118.exe
Resource: win7-20240729-en
General
Target: de4827e4879fc14a65133478895bf742_JaffaCakes118.exe
Size: 766KB
MD5: de4827e4879fc14a65133478895bf742
SHA1: 38ca0f794976147b3cb56e5bddebe292ce3b11c9
SHA256: 125aa1a042a5b5fd47979b612930348bfd2bc03cc8a7198535a576439a78a0c2
SHA512: 4bca18d80bcf8b8c946d3d8878b3e3a1c2725c20c41d51b38c138255810eaa329b2968c561cc3efca0a0dc063a646c53ab4b580f27c2d8b50320bb44e4abf90e
SSDEEP: 12288:/Muo3R2vENhB8JnOA2IVyhXF132N1eNSVUt29MW2SdKO8VdsJkl7+G07FKH83bqM:/lo3R2vcB8JOAg1gNAgOI912SgZVdsJB
Malware Config
Signatures
Darkcomet family
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate (process: server.exe.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate (process: explorer.exe)
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation (process: de4827e4879fc14a65133478895bf742_JaffaCakes118.exe)
Executes dropped EXE 2 IoCs
- PID 3904: JavaLoader.exe
- PID 3788: server.exe.exe
Adds Run key to start application 2 TTPs 1 IoCs
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaLoader = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tempalbert\\JavaLoader.exe" (process: JavaLoader.exe)
AutoIT Executable 15 IoCs
AutoIT scripts compiled to PE executables.
- behavioral2/memory/3904-29-0x0000000000400000-0x00000000004C1000-memory.dmp (yara_rule: autoit_exe)
- behavioral2/memory/3904-30-0x0000000000400000-0x00000000004C1000-memory.dmp (yara_rule: autoit_exe)
- behavioral2/memory/3904-32-0x0000000000400000-0x00000000004C1000-memory.dmp (yara_rule: autoit_exe)
- behavioral2/memory/3904-33-0x0000000000400000-0x00000000004C1000-memory.dmp (yara_rule: autoit_exe)
- behavioral2/memory/3904-34-0x0000000000400000-0x00000000004C1000-memory.dmp (yara_rule: autoit_exe)
- behavioral2/memory/3904-35-0x0000000000400000-0x00000000004C1000-memory.dmp (yara_rule: autoit_exe)
- behavioral2/memory/3904-36-0x0000000000400000-0x00000000004C1000-memory.dmp (yara_rule: autoit_exe)
- behavioral2/memory/3904-37-0x0000000000400000-0x00000000004C1000-memory.dmp (yara_rule: autoit_exe)
- behavioral2/memory/3904-38-0x0000000000400000-0x00000000004C1000-memory.dmp (yara_rule: autoit_exe)
- behavioral2/memory/3904-39-0x0000000000400000-0x00000000004C1000-memory.dmp (yara_rule: autoit_exe)
- behavioral2/memory/3904-40-0x0000000000400000-0x00000000004C1000-memory.dmp (yara_rule: autoit_exe)
- behavioral2/memory/3904-41-0x0000000000400000-0x00000000004C1000-memory.dmp (yara_rule: autoit_exe)
- behavioral2/memory/3904-42-0x0000000000400000-0x00000000004C1000-memory.dmp (yara_rule: autoit_exe)
- behavioral2/memory/3904-43-0x0000000000400000-0x00000000004C1000-memory.dmp (yara_rule: autoit_exe)
- behavioral2/memory/3904-44-0x0000000000400000-0x00000000004C1000-memory.dmp (yara_rule: autoit_exe)
Suspicious use of SetThreadContext 1 IoCs
- PID 3788 set thread context of 4860 (pid 3788, process server.exe.exe, procid_target 85)
- behavioral2/files/0x0032000000023b84-5.dat (yara_rule: upx)
- behavioral2/memory/3904-14-0x0000000000400000-0x00000000004C1000-memory.dmp (yara_rule: upx)
- behavioral2/memory/3904-29-0x0000000000400000-0x00000000004C1000-memory.dmp (yara_rule: upx)
- behavioral2/memory/3904-30-0x0000000000400000-0x00000000004C1000-memory.dmp (yara_rule: upx)
- behavioral2/memory/3904-32-0x0000000000400000-0x00000000004C1000-memory.dmp (yara_rule: upx)
- behavioral2/memory/3904-33-0x0000000000400000-0x00000000004C1000-memory.dmp (yara_rule: upx)
- behavioral2/memory/3904-34-0x0000000000400000-0x00000000004C1000-memory.dmp (yara_rule: upx)
- behavioral2/memory/3904-35-0x0000000000400000-0x00000000004C1000-memory.dmp (yara_rule: upx)
- behavioral2/memory/3904-36-0x0000000000400000-0x00000000004C1000-memory.dmp (yara_rule: upx)
- behavioral2/memory/3904-37-0x0000000000400000-0x00000000004C1000-memory.dmp (yara_rule: upx)
- behavioral2/memory/3904-38-0x0000000000400000-0x00000000004C1000-memory.dmp (yara_rule: upx)
- behavioral2/memory/3904-39-0x0000000000400000-0x00000000004C1000-memory.dmp (yara_rule: upx)
- behavioral2/memory/3904-40-0x0000000000400000-0x00000000004C1000-memory.dmp (yara_rule: upx)
- behavioral2/memory/3904-41-0x0000000000400000-0x00000000004C1000-memory.dmp (yara_rule: upx)
- behavioral2/memory/3904-42-0x0000000000400000-0x00000000004C1000-memory.dmp (yara_rule: upx)
- behavioral2/memory/3904-43-0x0000000000400000-0x00000000004C1000-memory.dmp (yara_rule: upx)
- behavioral2/memory/3904-44-0x0000000000400000-0x00000000004C1000-memory.dmp (yara_rule: upx)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: de4827e4879fc14a65133478895bf742_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: JavaLoader.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: server.exe.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: explorer.exe)
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: server.exe.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (process: server.exe.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (process: server.exe.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: explorer.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: explorer.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (process: explorer.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (process: explorer.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: server.exe.exe)
Enumerates system info in registry 2 TTPs 2 IoCs
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier (process: server.exe.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier (process: explorer.exe)
Suspicious behavior: EnumeratesProcesses 2 IoCs
- PID 3904: JavaLoader.exe
- PID 3904: JavaLoader.exe
Suspicious use of AdjustPrivilegeToken 48 IoCs
- pid 3788 (process: server.exe.exe) Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- pid 4860 (process: explorer.exe) Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
Suspicious use of SetWindowsHookEx 3 IoCs
- PID 5004: de4827e4879fc14a65133478895bf742_JaffaCakes118.exe
- PID 5004: de4827e4879fc14a65133478895bf742_JaffaCakes118.exe
- PID 4860: explorer.exe
Suspicious use of WriteProcessMemory 11 IoCs
- PID 5004 wrote to memory of 3904 (pid 5004, process de4827e4879fc14a65133478895bf742_JaffaCakes118.exe, procid_target 83)
- PID 5004 wrote to memory of 3904 (pid 5004, process de4827e4879fc14a65133478895bf742_JaffaCakes118.exe, procid_target 83)
- PID 5004 wrote to memory of 3904 (pid 5004, process de4827e4879fc14a65133478895bf742_JaffaCakes118.exe, procid_target 83)
- PID 5004 wrote to memory of 3788 (pid 5004, process de4827e4879fc14a65133478895bf742_JaffaCakes118.exe, procid_target 84)
- PID 5004 wrote to memory of 3788 (pid 5004, process de4827e4879fc14a65133478895bf742_JaffaCakes118.exe, procid_target 84)
- PID 5004 wrote to memory of 3788 (pid 5004, process de4827e4879fc14a65133478895bf742_JaffaCakes118.exe, procid_target 84)
- PID 3788 wrote to memory of 4860 (pid 3788, process server.exe.exe, procid_target 85)
- PID 3788 wrote to memory of 4860 (pid 3788, process server.exe.exe, procid_target 85)
- PID 3788 wrote to memory of 4860 (pid 3788, process server.exe.exe, procid_target 85)
- PID 3788 wrote to memory of 4860 (pid 3788, process server.exe.exe, procid_target 85)
- PID 3788 wrote to memory of 4860 (pid 3788, process server.exe.exe, procid_target 85)
Processes
C:\Users\Admin\AppData\Local\Temp\de4827e4879fc14a65133478895bf742_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\de4827e4879fc14a65133478895bf742_JaffaCakes118.exe" (level 1)
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 5004
  C:\Users\Admin\AppData\Local\Temp\tempalbert\JavaLoader.exe "C:\Users\Admin\AppData\Local\Temp\tempalbert\JavaLoader.exe" (level 2)
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 3904
  C:\Users\Admin\AppData\Local\Temp\tempalbert\server.exe.exe "C:\Users\Admin\AppData\Local\Temp\tempalbert\server.exe.exe" (level 2)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3788
    C:\Windows\SysWOW64\explorer.exe "C:\Windows\SysWOW64\explorer.exe" (level 3)
    - Checks BIOS information in registry
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 4860
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 374KB
MD5: 0e51f8e356ed9c7a511bf905c68d505d
SHA1: 32d3943307dadd37d4e7814ca338153ed445bde7
SHA256: 29917695214d5c69e2e26ceb28242b38f4ebd93370b7e00acf2aaebb5c23094f
SHA512: ee817ccb13b8a4dcf609f89529f4790d3357cd764fefc228d3d7262c0d366b3a49f3a3ec09d0dc4e6debebdf402f95181b661d1ed196b501b9ae6e78dddac042

Filesize: 689KB
MD5: f181ed8dd601359cff4dcd71b2a6cc9d
SHA1: 9b5a92fb3f2d94c0d04e75d89d22d22735917a27
SHA256: 3347899c9d721adda6a5f8fcd2ce5e359bce11a981d86abc2c29b64dc11ac3a2
SHA512: f440afd187e05952f758584febc731dc420acb66e7eddb8fe6d40d8ffacdd376b2e56314fab4195f9401bfb70bf1a10fa726f2aa12a1bef29e925c70222467be