Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
04-01-2025 11:05
Behavioral task
behavioral1
Sample
JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe
Resource
win7-20241010-en
windows7-x64
19 signatures
150 seconds
General
-
Target
JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe
-
Size
662KB
-
MD5
79561dd776a9ec5ea22c9df7997bf560
-
SHA1
6dff8283b606ccd2c07dd155b1c73757f7b42118
-
SHA256
9d00399ea9a0775f34a84f7743cda023b1bac8aacfccd214ad933c5b045bb4dd
-
SHA512
38f9653d0d92a64bea6d8a6f015382a4f5d79415ae66517d7da0f61f9120e6909ea092d6d7dfdcae79c121b8ae2fdd67af14b3ffd11a6cefb60d2aaf01f1b311
-
SSDEEP
12288:o3OpvNW4a76S/Ddon/m09bbYlIaaMcE2YGhq3vo1RnfAvIESJgoE26yc/RFv:eOA4aWNn/m09fKIaaBEtWq3A1Ov8Jgbr
Malware Config
Extracted
Family
darkcomet
Botnet
roditeli
C2
84.109.80.244:1604
Mutex
DC_MUTEX-Z6PTE5A
Attributes
-
InstallPath
winlogon.exe
-
gencode
TtoBEMYiC0cu
-
install
true
-
offline_keylogger
true
-
password
55257012
-
persistence
true
-
reg_key
Microsoft
Signatures
-
Darkcomet family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe" JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe -
Modifies firewall policy service 3 TTPs 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile winlogon.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" winlogon.exe -
Modifies security service 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" winlogon.exe -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winlogon.exe -
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid Process 2184 attrib.exe 1632 attrib.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe -
Deletes itself 1 IoCs
pid Process 3712 notepad.exe -
Executes dropped EXE 1 IoCs
pid Process 5024 winlogon.exe -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winlogon.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe" JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe" winlogon.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 5024 winlogon.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 4736 JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe Token: SeSecurityPrivilege 4736 JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe Token: SeTakeOwnershipPrivilege 4736 JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe Token: SeLoadDriverPrivilege 4736 JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe Token: SeSystemProfilePrivilege 4736 JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe Token: SeSystemtimePrivilege 4736 JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe Token: SeProfSingleProcessPrivilege 4736 JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe Token: SeIncBasePriorityPrivilege 4736 JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe Token: SeCreatePagefilePrivilege 4736 JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe Token: SeBackupPrivilege 4736 JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe Token: SeRestorePrivilege 4736 JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe Token: SeShutdownPrivilege 4736 JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe Token: SeDebugPrivilege 4736 JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe Token: SeSystemEnvironmentPrivilege 4736 JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe Token: SeChangeNotifyPrivilege 4736 JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe Token: SeRemoteShutdownPrivilege 4736 JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe Token: SeUndockPrivilege 4736 JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe Token: SeManageVolumePrivilege 4736 JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe Token: SeImpersonatePrivilege 4736 JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe Token: SeCreateGlobalPrivilege 4736 JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe Token: 33 4736 JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe Token: 34 4736 JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe Token: 35 4736 JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe Token: 36 4736 JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe Token: SeIncreaseQuotaPrivilege 5024 winlogon.exe Token: SeSecurityPrivilege 5024 winlogon.exe Token: SeTakeOwnershipPrivilege 5024 winlogon.exe Token: SeLoadDriverPrivilege 5024 winlogon.exe Token: SeSystemProfilePrivilege 5024 winlogon.exe Token: SeSystemtimePrivilege 5024 winlogon.exe Token: SeProfSingleProcessPrivilege 5024 winlogon.exe Token: SeIncBasePriorityPrivilege 5024 winlogon.exe Token: SeCreatePagefilePrivilege 5024 winlogon.exe Token: SeBackupPrivilege 5024 winlogon.exe Token: SeRestorePrivilege 5024 winlogon.exe Token: SeShutdownPrivilege 5024 winlogon.exe Token: SeDebugPrivilege 5024 winlogon.exe Token: SeSystemEnvironmentPrivilege 5024 winlogon.exe Token: SeChangeNotifyPrivilege 5024 winlogon.exe Token: SeRemoteShutdownPrivilege 5024 winlogon.exe Token: SeUndockPrivilege 5024 winlogon.exe Token: SeManageVolumePrivilege 5024 winlogon.exe Token: SeImpersonatePrivilege 5024 winlogon.exe Token: SeCreateGlobalPrivilege 5024 winlogon.exe Token: 33 5024 winlogon.exe Token: 34 5024 winlogon.exe Token: 35 5024 winlogon.exe Token: 36 5024 winlogon.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 5024 winlogon.exe -
Suspicious use of WriteProcessMemory 54 IoCs
description pid Process procid_target PID 4736 wrote to memory of 5020 4736 JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe 83 PID 4736 wrote to memory of 5020 4736 JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe 83 PID 4736 wrote to memory of 5020 4736 JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe 83 PID 4736 wrote to memory of 772 4736 JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe 85 PID 4736 wrote to memory of 772 4736 JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe 85 PID 4736 wrote to memory of 772 4736 JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe 85 PID 4736 wrote to memory of 3712 4736 JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe 86 PID 4736 wrote to memory of 3712 4736 JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe 86 PID 4736 wrote to memory of 3712 4736 JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe 86 PID 4736 wrote to memory of 3712 4736 JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe 86 PID 4736 wrote to memory of 3712 4736 JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe 86 PID 4736 wrote to memory of 3712 4736 JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe 86 PID 4736 wrote to memory of 3712 4736 JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe 86 PID 4736 wrote to memory of 3712 4736 JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe 86 PID 4736 wrote to memory of 3712 4736 JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe 86 PID 4736 wrote to memory of 3712 4736 JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe 86 PID 4736 wrote to memory of 3712 4736 JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe 86 PID 4736 wrote to memory of 3712 4736 JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe 86 PID 4736 wrote to memory of 3712 4736 JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe 86 PID 4736 wrote to memory of 3712 4736 JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe 86 PID 4736 wrote to memory of 3712 4736 JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe 86 PID 4736 wrote to memory of 3712 4736 JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe 86 PID 4736 wrote to memory of 3712 4736 JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe 86 PID 5020 wrote to memory of 2184 5020 cmd.exe 88 PID 5020 wrote to memory of 2184 5020 cmd.exe 88 PID 5020 wrote to memory of 2184 5020 cmd.exe 88 PID 772 wrote to memory of 1632 772 cmd.exe 89 PID 772 wrote to memory of 1632 772 cmd.exe 89 PID 772 wrote to memory of 1632 772 cmd.exe 89 PID 4736 wrote to memory of 5024 4736 JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe 90 PID 4736 wrote to memory of 5024 4736 JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe 90 PID 4736 wrote to memory of 5024 4736 JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe 90 PID 5024 wrote to memory of 3132 5024 winlogon.exe 91 PID 5024 wrote to memory of 3132 5024 winlogon.exe 91 PID 5024 wrote to memory of 3132 5024 winlogon.exe 91 PID 5024 wrote to memory of 3132 5024 winlogon.exe 91 PID 5024 wrote to memory of 3132 5024 winlogon.exe 91 PID 5024 wrote to memory of 3132 5024 winlogon.exe 91 PID 5024 wrote to memory of 3132 5024 winlogon.exe 91 PID 5024 wrote to memory of 3132 5024 winlogon.exe 91 PID 5024 wrote to memory of 3132 5024 winlogon.exe 91 PID 5024 wrote to memory of 3132 5024 winlogon.exe 91 PID 5024 wrote to memory of 3132 5024 winlogon.exe 91 PID 5024 wrote to memory of 3132 5024 winlogon.exe 91 PID 5024 wrote to memory of 3132 5024 winlogon.exe 91 PID 5024 wrote to memory of 3132 5024 winlogon.exe 91 PID 5024 wrote to memory of 3132 5024 winlogon.exe 91 PID 5024 wrote to memory of 3132 5024 winlogon.exe 91 PID 5024 wrote to memory of 3132 5024 winlogon.exe 91 PID 5024 wrote to memory of 3132 5024 winlogon.exe 91 PID 5024 wrote to memory of 3132 5024 winlogon.exe 91 PID 5024 wrote to memory of 3132 5024 winlogon.exe 91 PID 5024 wrote to memory of 3132 5024 winlogon.exe 91 PID 5024 wrote to memory of 3132 5024 winlogon.exe 91 -
Views/modifies file attributes 1 TTPs 2 IoCs
pid Process 2184 attrib.exe 1632 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4736 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe" +s +h2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5020 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_79561dd776a9ec5ea22c9df7997bf560.exe" +s +h3⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2184
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:772 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1632
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:3712
-
-
C:\Users\Admin\AppData\Roaming\winlogon.exe"C:\Users\Admin\AppData\Roaming\winlogon.exe"2⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5024 -
C:\Windows\SysWOW64\notepad.exenotepad3⤵
- System Location Discovery: System Language Discovery
PID:3132
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
3Disable or Modify System Firewall
1Disable or Modify Tools
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
662KB
MD579561dd776a9ec5ea22c9df7997bf560
SHA16dff8283b606ccd2c07dd155b1c73757f7b42118
SHA2569d00399ea9a0775f34a84f7743cda023b1bac8aacfccd214ad933c5b045bb4dd
SHA51238f9653d0d92a64bea6d8a6f015382a4f5d79415ae66517d7da0f61f9120e6909ea092d6d7dfdcae79c121b8ae2fdd67af14b3ffd11a6cefb60d2aaf01f1b311