Analysis
max time kernel: 140s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-12-2024 08:19
Behavioral task: behavioral1
Sample: f81fb0b6d27a21a39d307ed5fe4d6392_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: f81fb0b6d27a21a39d307ed5fe4d6392_JaffaCakes118.exe
Size: 658KB
MD5: f81fb0b6d27a21a39d307ed5fe4d6392
SHA1: 1fe9b25118f4fb5a91fa32fb169814722743d642
SHA256: 3dea9945d8c34546030f549869b1915a5c364e9f90258f308cc63a51829a3972
SHA512: baee82575a95c00e47f70783a76ccd034aebbe950a079df9898e88dc71eaf6283afcf8d089eea8c871841a286f8a5ff5ae9c64d3cd9e2b4c9db8f4233cda92fe
SSDEEP: 12288:q9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hX:mZ1xuVVjfFoynPaVBUR8f+kN10EBZ
Malware Config
Extracted
family: darkcomet
id: Guest16
c2: 127.0.0.1:1604
mutex: DC_MUTEX-QZ7LPZR
gencode: J7dahVwc2S9Z
install: false
offline_keylogger: true
persistence: false
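The extracted config above is the most actionable part of this report, but not every field is an equally good indicator. The following is an added example (not part of the sandbox's output or of any DarkComet tooling) that turns the extracted fields into hunt IOCs and flags the caveats a practitioner would want: the C2 is a loopback address, so the sandbox cannot observe a real beacon; 1604 is the DarkComet builder's default port and Guest16 its default server ID, so neither identifies a campaign on its own; and with install and persistence both disabled there is no dropped copy or autorun entry to hunt for. The flat dict shape, the `Triage` class and the function names are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass, field

# Values copied from the "Malware Config / Extracted" section of this report. The flat
# dict shape (lower-case keys, booleans for the true/false attributes) is an assumption
# made for this example, not the sandbox's own export format.
EXTRACTED_CONFIG = {
    "family": "darkcomet",
    "id": "Guest16",
    "c2": "127.0.0.1:1604",
    "mutex": "DC_MUTEX-QZ7LPZR",
    "gencode": "J7dahVwc2S9Z",
    "install": False,
    "offline_keylogger": True,
    "persistence": False,
}

DARKCOMET_DEFAULT_PORT = 1604     # the builder's default listening port
DARKCOMET_DEFAULT_ID = "Guest16"  # the builder's default server ID


@dataclass
class Triage:
    iocs: dict
    notes: list = field(default_factory=list)


def parse_c2(c2: str):
    """Split 'host:port' (IPv4, hostname or [IPv6]) into (host, port)."""
    host, sep, port = c2.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"c2 entry has no numeric port: {c2!r}")
    return host.strip("[]"), int(port)


def triage_darkcomet(cfg: dict) -> Triage:
    """Derive hunt IOCs from an extracted DarkComet config and note their weaknesses."""
    host, port = parse_c2(cfg["c2"])
    iocs = {
        "mutex": cfg["mutex"],
        "c2_host": host,
        "c2_port": port,
        "server_id": cfg["id"],
    }
    notes = []
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        notes.append("C2 is a hostname: resolve it at hunt time, the config gives no IP")
    else:
        if addr.is_loopback:
            notes.append("C2 is loopback: the sandbox cannot observe a real beacon; "
                         "treat this as a builder default or test build, not a live C2")
        elif addr.is_private:
            notes.append("C2 is a private address: only meaningful inside the victim network")
    if port == DARKCOMET_DEFAULT_PORT:
        notes.append("C2 uses the DarkComet default port 1604: the port alone is a weak IOC")
    if cfg["id"] == DARKCOMET_DEFAULT_ID:
        notes.append("server ID is the builder default: do not use it to cluster campaigns")
    if not cfg["install"] and not cfg["persistence"]:
        notes.append("install and persistence disabled: expect no dropped copy or autorun "
                     "entry; hunt on the mutex and the running process instead")
    if cfg["offline_keylogger"]:
        notes.append("offline keylogger enabled: keystrokes are logged locally "
                     "even with no C2 reachable")
    return Triage(iocs, notes)


if __name__ == "__main__":
    result = triage_darkcomet(EXTRACTED_CONFIG)
    for key, value in result.iocs.items():
        print(f"{key}: {value}")
    for note in result.notes:
        print("-", note)
```

The per-build mutex name is the one field here that is specific to this sample rather than to DarkComet in general, which is why it heads the IOC list.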
Signatures
- Darkcomet family
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: f81fb0b6d27a21a39d307ed5fe4d6392_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  All 24 records are for PID 3772, f81fb0b6d27a21a39d307ed5fe4d6392_JaffaCakes118.exe. Tokens adjusted:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
  SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
  SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
  SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege,
  SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege,
  and four privilege values the report prints only by number: 33, 34, 35, 36.
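The AdjustPrivilegeToken signature is printed as one flattened run of "Token: <privilege> <pid> <image>" records, which is awkward to read and to compare across samples. The following is an added example, not part of the sandbox's output, that parses a run in exactly that shape back into records and triages them: it groups by PID, separates named privileges from the values the report left as bare numbers, and picks out the privileges that matter for post-exploitation (debugging other processes, loading drivers, taking ownership of files, backup/restore reads and writes, impersonation). The input run is constructed here from the 24 token names listed on this page; the `HIGH_IMPACT` set and the function names are choices made for this example.

```python
import re

IMAGE = "f81fb0b6d27a21a39d307ed5fe4d6392_JaffaCakes118.exe"

# The 24 token names in the order this report lists them. The last four are raw
# privilege values the sandbox did not resolve to a name, so they are kept as digits.
REPORTED_TOKENS = [
    "SeIncreaseQuotaPrivilege", "SeSecurityPrivilege", "SeTakeOwnershipPrivilege",
    "SeLoadDriverPrivilege", "SeSystemProfilePrivilege", "SeSystemtimePrivilege",
    "SeProfSingleProcessPrivilege", "SeIncBasePriorityPrivilege", "SeCreatePagefilePrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeShutdownPrivilege", "SeDebugPrivilege",
    "SeSystemEnvironmentPrivilege", "SeChangeNotifyPrivilege", "SeRemoteShutdownPrivilege",
    "SeUndockPrivilege", "SeManageVolumePrivilege", "SeImpersonatePrivilege",
    "SeCreateGlobalPrivilege", "33", "34", "35", "36",
]

# Constructed input: the flattened run in the shape the report prints it, i.e. one
# "Token: <privilege> <pid> <image>" record after another on a single line.
ADJUST_PRIVILEGE_RUN = " ".join(f"Token: {t} 3772 {IMAGE}" for t in REPORTED_TOKENS)

RECORD = re.compile(r"Token:\s+(?P<priv>\S+)\s+(?P<pid>\d+)\s+(?P<image>\S+)")

# Privileges that matter most for post-exploitation; the set is this example's choice.
HIGH_IMPACT = {
    "SeDebugPrivilege", "SeLoadDriverPrivilege", "SeTakeOwnershipPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeImpersonatePrivilege", "SeTcbPrivilege",
}


def parse_token_run(text: str):
    """Return (privilege, pid, image) tuples from a flattened AdjustPrivilegeToken run."""
    return [(m["priv"], int(m["pid"]), m["image"]) for m in RECORD.finditer(text)]


def triage_privileges(records):
    """Group records by PID and split named, unresolved and high-impact privileges."""
    per_pid = {}
    for priv, pid, image in records:
        entry = per_pid.setdefault(
            pid, {"image": image, "named": [], "unresolved": [], "high_impact": []}
        )
        if priv.isdigit():
            # Printed as a bare number: the sandbox did not map the LUID to a name.
            entry["unresolved"].append(int(priv))
        else:
            entry["named"].append(priv)
            if priv in HIGH_IMPACT:
                entry["high_impact"].append(priv)
    return per_pid


if __name__ == "__main__":
    records = parse_token_run(ADJUST_PRIVILEGE_RUN)
    print(f"{len(records)} token records")
    for pid, entry in triage_privileges(records).items():
        print(f"PID {pid} ({entry['image']})")
        print("  high-impact:", ", ".join(entry["high_impact"]))
        print("  unresolved values:", entry["unresolved"])
```

A process that enables every privilege its token holds in one sweep, as this sample does, is itself worth noting in triage: legitimate software normally enables only the one or two privileges an operation needs, so the length of this list is a signal independent of which privileges are in it.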
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 3772, f81fb0b6d27a21a39d307ed5fe4d6392_JaffaCakes118.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\f81fb0b6d27a21a39d307ed5fe4d6392_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f81fb0b6d27a21a39d307ed5fe4d6392_JaffaCakes118.exe"
  PID: 3772
  Signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx