Analysis

- max time kernel: 150s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 28/02/2025, 03:20
- Static task: static1
- Behavioral task behavioral1: sample JaffaCakes118_31412729528ff5bc80c5582bbe784628.exe, resource win7-20241010-en
- Behavioral task behavioral2: sample JaffaCakes118_31412729528ff5bc80c5582bbe784628.exe, resource win10v2004-20250217-en

General

- Target: JaffaCakes118_31412729528ff5bc80c5582bbe784628.exe
- Size: 315KB
- MD5: 31412729528ff5bc80c5582bbe784628
- SHA1: 26bc7dc6a6d763a96925f41f34d78ca6157ee4fc
- SHA256: 1e1fe04cd20a5b8b47be1188c98ce2979b4c56257967f3bff3218a194b9d5efb
- SHA512: 3628cc231e19dfaa66466d17b02db07967cad08068a57e002c4bd070490232d2450848ac0d2fa900553f108abc8ef0691c11b2109b5034ba21014790e072847b
- SSDEEP: 6144:LSTv34CFfifD2gVKVTQQ249HZ52KTh9XKOCgLJacj5/AZtRsO:LEPXgr8VMQDT52WXKq9fj5/AZjv
Malware Config

Extracted

- Family: darkcomet
- Botnet: Guest16
- C2: fugitif.no-ip.org:2702
- Mutex: DC_MUTEX-GJKJZWL
- InstallPath: driver\winupdate.exe
- gencode: EQ=TzK#norn1
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: winupdater
Signatures

Darkcomet family

Modifies WinLogon for persistence (2 TTPs, 1 IoC)

| Description | IoC | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\driver\\winupdate.exe" | JaffaCakes118_31412729528ff5bc80c5582bbe784628.exe |

Modifies firewall policy service (3 TTPs, 3 IoCs)

| Description | IoC | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "1" | winupdate.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | winupdate.exe |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | winupdate.exe |

Windows security bypass (2 TTPs, 1 IoC)

| Description | IoC | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winupdate.exe |

Checks BIOS information in registry (2 TTPs, 2 IoCs)

BIOS information is often read in order to detect sandboxing environments.

| Description | IoC | Process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | JaffaCakes118_31412729528ff5bc80c5582bbe784628.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | winupdate.exe |

Executes dropped EXE (3 IoCs)

| PID | Process |
|---|---|
| 2700 | winupdate.exe |
| 2032 | winupdate.exe |
| 2972 | winupdate.exe |

Windows security modification (2 TTPs, 1 IoC)

| Description | IoC | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winupdate.exe |

Adds Run key to start application (2 TTPs, 1 IoC)

| Description | IoC | Process |
|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\driver\\winupdate.exe" | JaffaCakes118_31412729528ff5bc80c5582bbe784628.exe |

Suspicious use of SetThreadContext (4 IoCs)

| Description | PID | Process | procid_target |
|---|---|---|---|
| PID 2308 set thread context of 2196 | 2308 | JaffaCakes118_31412729528ff5bc80c5582bbe784628.exe | 31 |
| PID 2196 set thread context of 2864 | 2196 | JaffaCakes118_31412729528ff5bc80c5582bbe784628.exe | 32 |
| PID 2700 set thread context of 2032 | 2700 | winupdate.exe | 35 |
| PID 2032 set thread context of 2972 | 2032 | winupdate.exe | 36 |
| Resource | yara_rule |
|---|---|
| behavioral1/memory/2864-19-0x0000000000400000-0x00000000004B5000-memory.dmp | upx |
| behavioral1/memory/2864-20-0x0000000000400000-0x00000000004B5000-memory.dmp | upx |
| behavioral1/memory/2864-18-0x0000000000400000-0x00000000004B5000-memory.dmp | upx |
| behavioral1/memory/2864-14-0x0000000000400000-0x00000000004B5000-memory.dmp | upx |
| behavioral1/memory/2864-12-0x0000000000400000-0x00000000004B5000-memory.dmp | upx |
| behavioral1/memory/2864-24-0x0000000000400000-0x00000000004B5000-memory.dmp | upx |
| behavioral1/memory/2864-27-0x0000000000400000-0x00000000004B5000-memory.dmp | upx |
| behavioral1/memory/2864-25-0x0000000000400000-0x00000000004B5000-memory.dmp | upx |
| behavioral1/memory/2864-26-0x0000000000400000-0x00000000004B5000-memory.dmp | upx |
| behavioral1/memory/2864-29-0x0000000000400000-0x00000000004B5000-memory.dmp | upx |
| behavioral1/memory/2864-42-0x0000000000400000-0x00000000004B5000-memory.dmp | upx |
| behavioral1/memory/2700-49-0x0000000000020000-0x000000000002C000-memory.dmp | upx |
| behavioral1/memory/2972-70-0x0000000000400000-0x00000000004B5000-memory.dmp | upx |
| behavioral1/memory/2972-72-0x0000000000400000-0x00000000004B5000-memory.dmp | upx |
| behavioral1/memory/2972-74-0x0000000000400000-0x00000000004B5000-memory.dmp | upx |
| behavioral1/memory/2972-71-0x0000000000400000-0x00000000004B5000-memory.dmp | upx |
| behavioral1/memory/2972-75-0x0000000000400000-0x00000000004B5000-memory.dmp | upx |
| behavioral1/memory/2972-78-0x0000000000400000-0x00000000004B5000-memory.dmp | upx |
| behavioral1/memory/2972-79-0x0000000000400000-0x00000000004B5000-memory.dmp | upx |
| behavioral1/memory/2972-77-0x0000000000400000-0x00000000004B5000-memory.dmp | upx |
| behavioral1/memory/2972-76-0x0000000000400000-0x00000000004B5000-memory.dmp | upx |
| behavioral1/memory/2972-81-0x0000000000020000-0x000000000002C000-memory.dmp | upx |
| behavioral1/memory/2972-82-0x0000000000400000-0x00000000004B5000-memory.dmp | upx |
| behavioral1/memory/2972-83-0x0000000000400000-0x00000000004B5000-memory.dmp | upx |
| behavioral1/memory/2972-84-0x0000000000400000-0x00000000004B5000-memory.dmp | upx |
| behavioral1/memory/2972-85-0x0000000000400000-0x00000000004B5000-memory.dmp | upx |
| behavioral1/memory/2972-86-0x0000000000400000-0x00000000004B5000-memory.dmp | upx |
| behavioral1/memory/2972-87-0x0000000000400000-0x00000000004B5000-memory.dmp | upx |
| behavioral1/memory/2972-88-0x0000000000400000-0x00000000004B5000-memory.dmp | upx |
| behavioral1/memory/2972-89-0x0000000000400000-0x00000000004B5000-memory.dmp | upx |
| behavioral1/memory/2972-90-0x0000000000400000-0x00000000004B5000-memory.dmp | upx |
| behavioral1/memory/2972-91-0x0000000000400000-0x00000000004B5000-memory.dmp | upx |
| behavioral1/memory/2972-92-0x0000000000400000-0x00000000004B5000-memory.dmp | upx |
Enumerates physical storage devices (1 TTP)

Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| Description | IoC | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_31412729528ff5bc80c5582bbe784628.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winupdate.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winupdate.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winupdate.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_31412729528ff5bc80c5582bbe784628.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_31412729528ff5bc80c5582bbe784628.exe |

Checks processor information in registry (2 TTPs, 8 IoCs)

Processor information is often read in order to detect sandboxing environments.

| Description | IoC | Process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | winupdate.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | JaffaCakes118_31412729528ff5bc80c5582bbe784628.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | JaffaCakes118_31412729528ff5bc80c5582bbe784628.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | winupdate.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | JaffaCakes118_31412729528ff5bc80c5582bbe784628.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | JaffaCakes118_31412729528ff5bc80c5582bbe784628.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | winupdate.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | winupdate.exe |

Enumerates system info in registry (2 TTPs, 2 IoCs)

| Description | IoC | Process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | JaffaCakes118_31412729528ff5bc80c5582bbe784628.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winupdate.exe |

Suspicious use of AdjustPrivilegeToken (46 IoCs)

Each of the following 23 tokens was adjusted by both PID 2864 (JaffaCakes118_31412729528ff5bc80c5582bbe784628.exe) and PID 2972 (winupdate.exe):

- SeIncreaseQuotaPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeSystemProfilePrivilege
- SeSystemtimePrivilege
- SeProfSingleProcessPrivilege
- SeIncBasePriorityPrivilege
- SeCreatePagefilePrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeShutdownPrivilege
- SeDebugPrivilege
- SeSystemEnvironmentPrivilege
- SeChangeNotifyPrivilege
- SeRemoteShutdownPrivilege
- SeUndockPrivilege
- SeManageVolumePrivilege
- SeImpersonatePrivilege
- SeCreateGlobalPrivilege
- 33
- 34
- 35

Suspicious use of SetWindowsHookEx (5 IoCs)

| PID | Process |
|---|---|
| 2308 | JaffaCakes118_31412729528ff5bc80c5582bbe784628.exe |
| 2196 | JaffaCakes118_31412729528ff5bc80c5582bbe784628.exe |
| 2700 | winupdate.exe |
| 2032 | winupdate.exe |
| 2972 | winupdate.exe |

Suspicious use of WriteProcessMemory (51 IoCs)

Identical entries are grouped; the Calls column gives how many times each entry appears in the report.

| Description | PID | Process | procid_target | Calls |
|---|---|---|---|---|
| PID 2308 wrote to memory of 2196 | 2308 | JaffaCakes118_31412729528ff5bc80c5582bbe784628.exe | 31 | 9 |
| PID 2196 wrote to memory of 2864 | 2196 | JaffaCakes118_31412729528ff5bc80c5582bbe784628.exe | 32 | 8 |
| PID 2864 wrote to memory of 2812 | 2864 | JaffaCakes118_31412729528ff5bc80c5582bbe784628.exe | 33 | 4 |
| PID 2864 wrote to memory of 2700 | 2864 | JaffaCakes118_31412729528ff5bc80c5582bbe784628.exe | 34 | 7 |
| PID 2700 wrote to memory of 2032 | 2700 | winupdate.exe | 35 | 12 |
| PID 2032 wrote to memory of 2972 | 2032 | winupdate.exe | 36 | 11 |
Processes

- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_31412729528ff5bc80c5582bbe784628.exe (command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_31412729528ff5bc80c5582bbe784628.exe"), PID 2308
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_31412729528ff5bc80c5582bbe784628.exe, PID 2196
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_31412729528ff5bc80c5582bbe784628.exe, PID 2864
      - Modifies WinLogon for persistence
      - Checks BIOS information in registry
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\explorer.exe (command line: "C:\Windows\SysWOW64\explorer.exe"), PID 2812
      - C:\driver\winupdate.exe (command line: "C:\driver\winupdate.exe"), PID 2700
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - C:\driver\winupdate.exe, PID 2032
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          - C:\driver\winupdate.exe, PID 2972
            - Modifies firewall policy service
            - Windows security bypass
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Windows security modification
            - System Location Discovery: System Language Discovery
            - Checks processor information in registry
            - Enumerates system info in registry
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15

| Tactic | Technique | Sub-technique | Count |
|---|---|---|---|
| Persistence | Boot or Logon Autostart Execution | | 2 |
| Persistence | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder | 1 |
| Persistence | Boot or Logon Autostart Execution | Winlogon Helper DLL | 1 |
| Persistence | Create or Modify System Process | | 1 |
| Persistence | Create or Modify System Process | Windows Service | 1 |
| Privilege Escalation | Boot or Logon Autostart Execution | | 2 |
| Privilege Escalation | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder | 1 |
| Privilege Escalation | Boot or Logon Autostart Execution | Winlogon Helper DLL | 1 |
| Privilege Escalation | Create or Modify System Process | | 1 |
| Privilege Escalation | Create or Modify System Process | Windows Service | 1 |
| Defense Evasion | Impair Defenses | | 3 |
| Defense Evasion | Impair Defenses | Disable or Modify System Firewall | 1 |
| Defense Evasion | Impair Defenses | Disable or Modify Tools | 2 |
| Defense Evasion | Modify Registry | | 5 |