Analysis
max time kernel: 149s
max time network: 129s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 12-12-2024 20:12
Static task: static1
Behavioral task: behavioral1
  Sample: e81433472610bfe2bc3e320fad7d8d8e_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: e81433472610bfe2bc3e320fad7d8d8e_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: e81433472610bfe2bc3e320fad7d8d8e_JaffaCakes118.exe
Size: 1.2MB
MD5: e81433472610bfe2bc3e320fad7d8d8e
SHA1: 0241912ba1137572d87d9f3a46ee82ab5774bed6
SHA256: 00675c83d0755b1a4d28954d4426e5155127956f364e26676795e7109c27fdb8
SHA512: 17a584b687be02c6cd35b9846b28bad01c5e8f0769aa1b51c76595d9cea90c03e182d597c8355d35b05980904cb1eb52202e12c8053defc56461f7b8041b0a15
SSDEEP: 24576:v2O/GlZSB1ytVKPLtsq9w6GGLiqGpY4MSZyN301n7g6zwm4m53Sb2T:lCnKh7zF7GpYdSZyl45kFm53SyT
Malware Config
Extracted
Family: darkcomet
Botnet: ALL-BROWSER
C2: root.socialmediaservices.co:1299
Mutex: DC_MUTEX-E0HY7V3
Attributes:
  gencode: zSHmPMnVaR8K
  install: false
  offline_keylogger: true
  persistence: false
Signatures
Darkcomet family
Executes dropped EXE (2 IoCs)
  pid   Process
  2448  OSVXU.exe
  1376  OSVXU.exe
Loads dropped DLL (2 IoCs)
  pid   Process
  2952  WScript.exe
  2448  OSVXU.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ULQLL = "C:\\Users\\Admin\\ULQLL\\start.vbs"
  Process: OSVXU.exe
Suspicious use of SetThreadContext (1 IoCs)
  description                          pid   Process    procid_target
  PID 1376 set thread context of 1684  1376  OSVXU.exe  34
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e81433472610bfe2bc3e320fad7d8d8e_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  OSVXU.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  OSVXU.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  RegSvcs.exe
Suspicious use of AdjustPrivilegeToken (23 IoCs)
  All 23 entries: pid 1684, Process RegSvcs.exe
  Tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  1684  RegSvcs.exe
Suspicious use of WriteProcessMemory (30 IoCs)
  description                       pid   Process                                             procid_target  count (identical rows)
  PID 2584 wrote to memory of 2952  2584  e81433472610bfe2bc3e320fad7d8d8e_JaffaCakes118.exe  30             7
  PID 2952 wrote to memory of 2448  2952  WScript.exe                                         31             7
  PID 2448 wrote to memory of 1376  2448  OSVXU.exe                                           32             7
  PID 1376 wrote to memory of 1684  1376  OSVXU.exe                                           34             9
Processes
[1] C:\Users\Admin\AppData\Local\Temp\e81433472610bfe2bc3e320fad7d8d8e_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e81433472610bfe2bc3e320fad7d8d8e_JaffaCakes118.exe"
    PID: 2584
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\ULQLL\3562.vbs" 6265
      PID: 2952
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\ULQLL\OSVXU.exe
        Command line: "C:\Users\Admin\ULQLL\OSVXU.exe" 439536.BML
        PID: 2448
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\ULQLL\OSVXU.exe
          Command line: OSVXU.exe QIYEPTDB.dat
          PID: 1376
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            PID: 1684
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads