Analysis
max time kernel: 150s
max time network: 125s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 12-12-2024 11:13
Behavioral task: behavioral1
Sample: e61c5bc99fd2b158ac4ea799ea64568a_JaffaCakes118.exe
Resource: win7-20241010-en
General
Target: e61c5bc99fd2b158ac4ea799ea64568a_JaffaCakes118.exe
Size: 1.1MB
MD5: e61c5bc99fd2b158ac4ea799ea64568a
SHA1: a5a97266dd2b5f1d2f3328c04efbc1b4e6fec0f1
SHA256: 03118049958123e881a7e4731221e0690bdd49e1a624f4a989683c7ab363be80
SHA512: 73f021eebcd0a1195b06bf360fdb6b62815cecabc750a80dc5b3c0a3133bd944e8dfab9a45eec89633ba25fa6415e00b61db2012eaf1a0e3549a534e54e238cb
SSDEEP: 24576:kYi0aeKVUQBoGotjrJX9cpTDCdr/lR2C29slZFwvt2ST3VnNnvIWUE:kYiLeK7VotjrJX9c1Ct/P2CksDFwvt2o
Malware Config
Extracted
darkcomet
Absolute3
emile2012.no-ip.info:1337
DCMIN_MUTEX-ZZUD73J
gencode: tz3FGhkXWDV3
install: false
offline_keylogger: true
persistence: false
Signatures

Darkcomet family

Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft driver agent.vbs
  Process: e61c5bc99fd2b158ac4ea799ea64568a_JaffaCakes118.exe

Executes dropped EXE (2 IoCs)
  pid   Process
  2616  patcher.exe
  1920  patcher.exe

Loads dropped DLL (8 IoCs)
  pid   Process
  2240  e61c5bc99fd2b158ac4ea799ea64568a_JaffaCakes118.exe
  2616  patcher.exe (4 entries)
  1920  patcher.exe (3 entries)

Suspicious use of SetThreadContext (1 IoC)
  description: PID 2616 set thread context of 1920
  pid: 2616
  Process: patcher.exe
  procid_target: 32

  resource                                                                   yara_rule
  behavioral1/memory/2240-0-0x0000000000400000-0x00000000007AE000-memory.dmp   upx
  behavioral1/memory/2240-3-0x0000000000400000-0x00000000007AE000-memory.dmp   upx
  behavioral1/files/0x0009000000016d3f-13.dat                                  upx
  behavioral1/memory/2240-16-0x0000000000400000-0x00000000007AE000-memory.dmp  upx
  behavioral1/memory/2616-19-0x0000000000400000-0x00000000007AE000-memory.dmp  upx
  behavioral1/memory/2616-22-0x0000000000400000-0x00000000007AE000-memory.dmp  upx
  behavioral1/memory/2616-24-0x0000000000400000-0x00000000007AE000-memory.dmp  upx

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                            Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  patcher.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e61c5bc99fd2b158ac4ea799ea64568a_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  patcher.exe
Suspicious use of AdjustPrivilegeToken (23 IoCs)
  pid: 1920
  Process: patcher.exe
  Tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  1920  patcher.exe

Suspicious use of WriteProcessMemory (23 IoCs)
  description                       pid   Process                                              procid_target
  PID 2240 wrote to memory of 2616  2240  e61c5bc99fd2b158ac4ea799ea64568a_JaffaCakes118.exe  30  (7 entries)
  PID 2616 wrote to memory of 1920  2616  patcher.exe                                          32  (16 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\e61c5bc99fd2b158ac4ea799ea64568a_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e61c5bc99fd2b158ac4ea799ea64568a_JaffaCakes118.exe"
  PID: 2240
  - Drops startup file
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Skype\patcher.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Skype\patcher.exe"
    PID: 2616
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Skype\patcher.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Skype\patcher.exe"
      PID: 1920
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
MITRE ATT&CK Enterprise v15