Analysis
-
max time kernel
111s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system -
submitted
26/02/2025, 12:11
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_25d94481f4967537d4b75902827e1948.exe
Resource
win7-20240729-en
General
-
Target
JaffaCakes118_25d94481f4967537d4b75902827e1948.exe
-
Size
1.1MB
-
MD5
25d94481f4967537d4b75902827e1948
-
SHA1
71f72e4679f9918c506b6479870ebf5701d418dc
-
SHA256
69ec29e540120ba091110e2ff51bddd3b67c5de8eb466959d2bb24316f5e813c
-
SHA512
608af79380dc6bfb0c42ab07f99346ca0fc1a2ff338382b9ab0de9b359e0165720f08b0e81538eacd5a0a97fef968994253f1f3fdc88ad20cd63fcb11a0cf2ca
-
SSDEEP
12288:JMmG1c2JW3zHBkdTYHvCicPmvpItUBLZsJ7KLctBhhoeThzvF1pVQ2KO43s9ub45:JCZV+jBItRTVF1dNqhH7jmbyU+ergU
Malware Config
Extracted
darkcomet
Guest16
127.0.0.1:1604
DC_MUTEX-46MKRG6
-
InstallPath
Windupdt\winupdate.exe
-
gencode
SsSbby=wZDXq
-
install
true
-
offline_keylogger
true
-
password
dreamh4ck
-
persistence
true
-
reg_key
winupdater
Signatures
-
Darkcomet family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe" vbc.exe -
Executes dropped EXE 1 IoCs
pid Process 3672 winupdate.exe -
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" vbc.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3252 set thread context of 1432 3252 JaffaCakes118_25d94481f4967537d4b75902827e1948.exe 86 -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_25d94481f4967537d4b75902827e1948.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 3780 cmd.exe 4852 PING.EXE -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vbc.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 4852 PING.EXE -
Suspicious use of AdjustPrivilegeToken 24 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 1432 vbc.exe Token: SeSecurityPrivilege 1432 vbc.exe Token: SeTakeOwnershipPrivilege 1432 vbc.exe Token: SeLoadDriverPrivilege 1432 vbc.exe Token: SeSystemProfilePrivilege 1432 vbc.exe Token: SeSystemtimePrivilege 1432 vbc.exe Token: SeProfSingleProcessPrivilege 1432 vbc.exe Token: SeIncBasePriorityPrivilege 1432 vbc.exe Token: SeCreatePagefilePrivilege 1432 vbc.exe Token: SeBackupPrivilege 1432 vbc.exe Token: SeRestorePrivilege 1432 vbc.exe Token: SeShutdownPrivilege 1432 vbc.exe Token: SeDebugPrivilege 1432 vbc.exe Token: SeSystemEnvironmentPrivilege 1432 vbc.exe Token: SeChangeNotifyPrivilege 1432 vbc.exe Token: SeRemoteShutdownPrivilege 1432 vbc.exe Token: SeUndockPrivilege 1432 vbc.exe Token: SeManageVolumePrivilege 1432 vbc.exe Token: SeImpersonatePrivilege 1432 vbc.exe Token: SeCreateGlobalPrivilege 1432 vbc.exe Token: 33 1432 vbc.exe Token: 34 1432 vbc.exe Token: 35 1432 vbc.exe Token: 36 1432 vbc.exe -
Suspicious use of WriteProcessMemory 23 IoCs
description pid Process procid_target PID 3252 wrote to memory of 1432 3252 JaffaCakes118_25d94481f4967537d4b75902827e1948.exe 86 PID 3252 wrote to memory of 1432 3252 JaffaCakes118_25d94481f4967537d4b75902827e1948.exe 86 PID 3252 wrote to memory of 1432 3252 JaffaCakes118_25d94481f4967537d4b75902827e1948.exe 86 PID 3252 wrote to memory of 1432 3252 JaffaCakes118_25d94481f4967537d4b75902827e1948.exe 86 PID 3252 wrote to memory of 1432 3252 JaffaCakes118_25d94481f4967537d4b75902827e1948.exe 86 PID 3252 wrote to memory of 1432 3252 JaffaCakes118_25d94481f4967537d4b75902827e1948.exe 86 PID 3252 wrote to memory of 1432 3252 JaffaCakes118_25d94481f4967537d4b75902827e1948.exe 86 PID 3252 wrote to memory of 1432 3252 JaffaCakes118_25d94481f4967537d4b75902827e1948.exe 86 PID 3252 wrote to memory of 1432 3252 JaffaCakes118_25d94481f4967537d4b75902827e1948.exe 86 PID 3252 wrote to memory of 1432 3252 JaffaCakes118_25d94481f4967537d4b75902827e1948.exe 86 PID 3252 wrote to memory of 1432 3252 JaffaCakes118_25d94481f4967537d4b75902827e1948.exe 86 PID 3252 wrote to memory of 1432 3252 JaffaCakes118_25d94481f4967537d4b75902827e1948.exe 86 PID 3252 wrote to memory of 1432 3252 JaffaCakes118_25d94481f4967537d4b75902827e1948.exe 86 PID 3252 wrote to memory of 1432 3252 JaffaCakes118_25d94481f4967537d4b75902827e1948.exe 86 PID 1432 wrote to memory of 3672 1432 vbc.exe 88 PID 1432 wrote to memory of 3672 1432 vbc.exe 88 PID 1432 wrote to memory of 3672 1432 vbc.exe 88 PID 1432 wrote to memory of 3780 1432 vbc.exe 90 PID 1432 wrote to memory of 3780 1432 vbc.exe 90 PID 1432 wrote to memory of 3780 1432 vbc.exe 90 PID 3780 wrote to memory of 4852 3780 cmd.exe 92 PID 3780 wrote to memory of 4852 3780 cmd.exe 92 PID 3780 wrote to memory of 4852 3780 cmd.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_25d94481f4967537d4b75902827e1948.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_25d94481f4967537d4b75902827e1948.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3252 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe2⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1432 -
C:\Windupdt\winupdate.exe"C:\Windupdt\winupdate.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3672
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:3780 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 54⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4852
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB
MD5d881de17aa8f2e2c08cbb7b265f928f9
SHA108936aebc87decf0af6e8eada191062b5e65ac2a
SHA256b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
SHA5125f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34