Analysis
-
max time kernel
94s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11-12-2024 01:25
Static task
static1
Behavioral task
behavioral1
Sample
df59496ce9d9eba8bfc447c066650a04_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
df59496ce9d9eba8bfc447c066650a04_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
df59496ce9d9eba8bfc447c066650a04_JaffaCakes118.exe
-
Size
737KB
-
MD5
df59496ce9d9eba8bfc447c066650a04
-
SHA1
845003070ae7d41c5770dc7805f9d880ed525f56
-
SHA256
c6fda4c45f1df9cbcc6054256dbe73fd89a332fc8ff8552347c46a6dc364da97
-
SHA512
eb39eefadcdb7856c4bd44cc9079c1d84093e4fc6fb3ef94a7438d24b5d3b7eaba6c5b6a8a2c81ca3ea79493e3809d611b76add347b72447935040ddbecf066b
-
SSDEEP
12288:sJmHQJV+Q9zFIs9i3s7Q6jcIaVCc+ZfSpCzrxXUd42/RhSGnfMPxvCVEwVZCJg:sJm+zOsg3snE4c+ZfSp0rxXO42pAcK5e
Malware Config
Signatures
-
Darkcomet family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" vbc.exe -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate vbc.exe -
Executes dropped EXE 1 IoCs
pid Process 3716 winupdate.exe -
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" vbc.exe -
Drops file in System32 directory 3 IoCs
description ioc Process File created C:\Windows\SysWOW64\Windupdt\winupdate.exe vbc.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe vbc.exe File opened for modification C:\Windows\SysWOW64\Windupdt\ vbc.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 224 set thread context of 2036 224 df59496ce9d9eba8bfc447c066650a04_JaffaCakes118.exe 83 -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language df59496ce9d9eba8bfc447c066650a04_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winupdate.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 3016 PING.EXE -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 vbc.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString vbc.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier vbc.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier vbc.exe -
Enumerates system info in registry 2 TTPs 1 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier vbc.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vbc.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 3016 PING.EXE -
Suspicious use of AdjustPrivilegeToken 24 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2036 vbc.exe Token: SeSecurityPrivilege 2036 vbc.exe Token: SeTakeOwnershipPrivilege 2036 vbc.exe Token: SeLoadDriverPrivilege 2036 vbc.exe Token: SeSystemProfilePrivilege 2036 vbc.exe Token: SeSystemtimePrivilege 2036 vbc.exe Token: SeProfSingleProcessPrivilege 2036 vbc.exe Token: SeIncBasePriorityPrivilege 2036 vbc.exe Token: SeCreatePagefilePrivilege 2036 vbc.exe Token: SeBackupPrivilege 2036 vbc.exe Token: SeRestorePrivilege 2036 vbc.exe Token: SeShutdownPrivilege 2036 vbc.exe Token: SeDebugPrivilege 2036 vbc.exe Token: SeSystemEnvironmentPrivilege 2036 vbc.exe Token: SeChangeNotifyPrivilege 2036 vbc.exe Token: SeRemoteShutdownPrivilege 2036 vbc.exe Token: SeUndockPrivilege 2036 vbc.exe Token: SeManageVolumePrivilege 2036 vbc.exe Token: SeImpersonatePrivilege 2036 vbc.exe Token: SeCreateGlobalPrivilege 2036 vbc.exe Token: 33 2036 vbc.exe Token: 34 2036 vbc.exe Token: 35 2036 vbc.exe Token: 36 2036 vbc.exe -
Suspicious use of WriteProcessMemory 23 IoCs
description pid Process procid_target PID 224 wrote to memory of 2036 224 df59496ce9d9eba8bfc447c066650a04_JaffaCakes118.exe 83 PID 224 wrote to memory of 2036 224 df59496ce9d9eba8bfc447c066650a04_JaffaCakes118.exe 83 PID 224 wrote to memory of 2036 224 df59496ce9d9eba8bfc447c066650a04_JaffaCakes118.exe 83 PID 224 wrote to memory of 2036 224 df59496ce9d9eba8bfc447c066650a04_JaffaCakes118.exe 83 PID 224 wrote to memory of 2036 224 df59496ce9d9eba8bfc447c066650a04_JaffaCakes118.exe 83 PID 224 wrote to memory of 2036 224 df59496ce9d9eba8bfc447c066650a04_JaffaCakes118.exe 83 PID 224 wrote to memory of 2036 224 df59496ce9d9eba8bfc447c066650a04_JaffaCakes118.exe 83 PID 224 wrote to memory of 2036 224 df59496ce9d9eba8bfc447c066650a04_JaffaCakes118.exe 83 PID 224 wrote to memory of 2036 224 df59496ce9d9eba8bfc447c066650a04_JaffaCakes118.exe 83 PID 224 wrote to memory of 2036 224 df59496ce9d9eba8bfc447c066650a04_JaffaCakes118.exe 83 PID 224 wrote to memory of 2036 224 df59496ce9d9eba8bfc447c066650a04_JaffaCakes118.exe 83 PID 224 wrote to memory of 2036 224 df59496ce9d9eba8bfc447c066650a04_JaffaCakes118.exe 83 PID 224 wrote to memory of 2036 224 df59496ce9d9eba8bfc447c066650a04_JaffaCakes118.exe 83 PID 224 wrote to memory of 2036 224 df59496ce9d9eba8bfc447c066650a04_JaffaCakes118.exe 83 PID 2036 wrote to memory of 3716 2036 vbc.exe 84 PID 2036 wrote to memory of 3716 2036 vbc.exe 84 PID 2036 wrote to memory of 3716 2036 vbc.exe 84 PID 2036 wrote to memory of 1516 2036 vbc.exe 86 PID 2036 wrote to memory of 1516 2036 vbc.exe 86 PID 2036 wrote to memory of 1516 2036 vbc.exe 86 PID 1516 wrote to memory of 3016 1516 cmd.exe 88 PID 1516 wrote to memory of 3016 1516 cmd.exe 88 PID 1516 wrote to memory of 3016 1516 cmd.exe 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\df59496ce9d9eba8bfc447c066650a04_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\df59496ce9d9eba8bfc447c066650a04_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:224 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe2⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3716
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 24⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3016
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
88B
MD511491174307d3a99e5edd729b3b1ff46
SHA1744a9594fc8475b2c04096a32e3857815ffdd904
SHA256dd71402bd0ec44d23af6658268190eb241b5bc8393c61176abc2c06d9a13d666
SHA512b77d6cf0e446b34dd5c22ec8fb8e0f1db52f78773723c4aa88d1a05b6abfaee5a9aafabf328096bc87d4f9c5b83c9dea7f9a6038cc15105ad3f25efaa175ff0e
-
Filesize
1.1MB
MD5d881de17aa8f2e2c08cbb7b265f928f9
SHA108936aebc87decf0af6e8eada191062b5e65ac2a
SHA256b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
SHA5125f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34