Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-12-2024 03:54
Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: f9fdd0d68dc69aabb134e1821171de5f_JaffaCakes118.exe
  - Resource: win7-20241010-en
- Behavioral task: behavioral2
  - Sample: f9fdd0d68dc69aabb134e1821171de5f_JaffaCakes118.exe
  - Resource: win10v2004-20241007-en
General
- Target: f9fdd0d68dc69aabb134e1821171de5f_JaffaCakes118.exe
- Size: 1.1MB
- MD5: f9fdd0d68dc69aabb134e1821171de5f
- SHA1: 727a86e1c524f0525539fbf70c22e7e9873de24a
- SHA256: 1513469d47432259a0f44fa5279c294cb020eb41bd90dc2e7044d6ecb0845729
- SHA512: f90b67febe72caaae8f6a6fa994c689ff27eca0137aedd7cce4d754ad2023e92d6d28dc13a618322a112cc49924f82aee02da9fc5fff572bc6775f5f29ce14ad
- SSDEEP: 12288:f/Bv17kMLTTTdfIX1y6hgpcKiaqb7MybKbeLSVNIYntkypxCJfFSzk+wDvCXP56a:ddshJMXiJo7jWy8a1VXiNhbnQ+
Malware Config
Signatures
- Darkcomet family
- Executes dropped EXE (1 IoC)
  - pid 4748, process svchost.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Users\\Admin\\AppData\\Roaming\\f9fdd0d68dc69aabb134e1821171de5f_JaffaCakes118.exe" (process: f9fdd0d68dc69aabb134e1821171de5f_JaffaCakes118.exe)
- Suspicious use of SetThreadContext (1 IoC)
  - PID 3580 set thread context of 4748 (process: f9fdd0d68dc69aabb134e1821171de5f_JaffaCakes118.exe, procid_target 83)
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  - Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: f9fdd0d68dc69aabb134e1821171de5f_JaffaCakes118.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: svchost.exe)
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  - pid 4748 (svchost.exe), Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- Suspicious use of WriteProcessMemory (14 IoCs)
  - PID 3580 wrote to memory of 4748 (process: f9fdd0d68dc69aabb134e1821171de5f_JaffaCakes118.exe, procid_target 83); the same entry is recorded 14 times
Processes
- C:\Users\Admin\AppData\Local\Temp\f9fdd0d68dc69aabb134e1821171de5f_JaffaCakes118.exe (PID 3580), command line: "C:\Users\Admin\AppData\Local\Temp\f9fdd0d68dc69aabb134e1821171de5f_JaffaCakes118.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\svchost.exe (PID 4748, child of PID 3580), command line: C:\Users\Admin\AppData\Local\Temp\svchost.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network

All DNS traffic went to 8.8.8.8:53. Consecutive identical queries are collapsed into one row; the last column gives how many times that row occurred in sequence, and the size columns are per query.

| Remote address | Request | Type | Response | Sent | Received | Requests | Responses | Times |
|---|---|---|---|---|---|---|---|---|
| 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | IN PTR | a2-23-210-83.deploy.static.akamaitechnologies.com | 70 B | 133 B | 1 | 1 | 1 |
| 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | IN PTR | (empty) | 71 B | 157 B | 1 | 1 | 1 |
| 8.8.8.8:53 | 9h0s7.no-ip.org | IN A | (empty) | 61 B | 121 B | 1 | 1 | 1 |
| 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | IN PTR | (empty) | 72 B | 158 B | 1 | 1 | 1 |
| 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | IN PTR | (empty) | 73 B | 144 B | 1 | 1 | 1 |
| 8.8.8.8:53 | 9h0s7.no-ip.org | IN A | (empty) | 61 B | 121 B | 1 | 1 | 1 |
| 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | IN PTR | (empty) | 71 B | 145 B | 1 | 1 | 1 |
| 8.8.8.8:53 | 9h0s7.no-ip.org | IN A | (empty) | 61 B | 121 B | 1 | 1 | 1 |
| 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | IN PTR | (empty) | 72 B | 158 B | 1 | 1 | 1 |
| 8.8.8.8:53 | 9h0s7.no-ip.org | IN A | (empty) | 61 B | 121 B | 1 | 1 | 2 |
| 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | IN PTR | (empty) | 71 B | 157 B | 1 | 1 | 1 |
| 8.8.8.8:53 | 9h0s7.no-ip.org | IN A | (empty) | 61 B | 121 B | 1 | 1 | 1 |
| 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | IN PTR | (empty) | 71 B | 145 B | 1 | 1 | 1 |
| 8.8.8.8:53 | 9h0s7.no-ip.org | IN A | (empty) | 61 B | 121 B | 1 | 1 | 10 |
| 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | IN PTR | (empty) | 72 B | 158 B | 1 | 1 | 1 |
| 8.8.8.8:53 | 9h0s7.no-ip.org | IN A | (empty) | 61 B | 121 B | 1 | 1 | 9 |
| 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | IN PTR | (empty) | 73 B | 147 B | 1 | 1 | 1 |
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.1MB
- MD5: d881de17aa8f2e2c08cbb7b265f928f9
- SHA1: 08936aebc87decf0af6e8eada191062b5e65ac2a
- SHA256: b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
- SHA512: 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34