Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
28/02/2025, 19:05
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_33ecc627f63b589e7ff67c248d1ec3cf.exe
Resource
win7-20240903-en
General
-
Target
JaffaCakes118_33ecc627f63b589e7ff67c248d1ec3cf.exe
-
Size
749KB
-
MD5
33ecc627f63b589e7ff67c248d1ec3cf
-
SHA1
8a2a93ff1553cf2450c9eca7842d8b118b5554a5
-
SHA256
453976d3f2a82bb38764809e037bd2cb845a3e190d0de31d7c145fc9d6fc5246
-
SHA512
5636ac89275f9faa37c25aea1fd0216e493a637e9635361e4575429ee06875441b44b6f8f236d427577f22fa24d3caef8ec4f9499bc1adf27e049869156f6632
-
SSDEEP
12288:5wnH/+HdB63tW/xWp2yS2Y+WiB2R4phHNWVXwGnT9E4ysep+YVtVFQ/f3Fz:iHKdcW5H2Y+WiB2RCWtxT9EnsfYVtTQH
Malware Config
Extracted
darkcomet
Guest16
freakyland.no-ip.biz:84
DC_MUTEX-F54S21D
-
gencode
$z2GzzGzm=iD
-
install
false
-
offline_keylogger
false
-
persistence
false
Signatures
-
Darkcomet family
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate JaffaCakes118_33ecc627f63b589e7ff67c248d1ec3cf.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2424 set thread context of 2444 2424 JaffaCakes118_33ecc627f63b589e7ff67c248d1ec3cf.exe 28 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_33ecc627f63b589e7ff67c248d1ec3cf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 JaffaCakes118_33ecc627f63b589e7ff67c248d1ec3cf.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString JaffaCakes118_33ecc627f63b589e7ff67c248d1ec3cf.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier JaffaCakes118_33ecc627f63b589e7ff67c248d1ec3cf.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier JaffaCakes118_33ecc627f63b589e7ff67c248d1ec3cf.exe -
Enumerates system info in registry 2 TTPs 1 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier JaffaCakes118_33ecc627f63b589e7ff67c248d1ec3cf.exe -
Suspicious use of AdjustPrivilegeToken 23 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2424 JaffaCakes118_33ecc627f63b589e7ff67c248d1ec3cf.exe Token: SeSecurityPrivilege 2424 JaffaCakes118_33ecc627f63b589e7ff67c248d1ec3cf.exe Token: SeTakeOwnershipPrivilege 2424 JaffaCakes118_33ecc627f63b589e7ff67c248d1ec3cf.exe Token: SeLoadDriverPrivilege 2424 JaffaCakes118_33ecc627f63b589e7ff67c248d1ec3cf.exe Token: SeSystemProfilePrivilege 2424 JaffaCakes118_33ecc627f63b589e7ff67c248d1ec3cf.exe Token: SeSystemtimePrivilege 2424 JaffaCakes118_33ecc627f63b589e7ff67c248d1ec3cf.exe Token: SeProfSingleProcessPrivilege 2424 JaffaCakes118_33ecc627f63b589e7ff67c248d1ec3cf.exe Token: SeIncBasePriorityPrivilege 2424 JaffaCakes118_33ecc627f63b589e7ff67c248d1ec3cf.exe Token: SeCreatePagefilePrivilege 2424 JaffaCakes118_33ecc627f63b589e7ff67c248d1ec3cf.exe Token: SeBackupPrivilege 2424 JaffaCakes118_33ecc627f63b589e7ff67c248d1ec3cf.exe Token: SeRestorePrivilege 2424 JaffaCakes118_33ecc627f63b589e7ff67c248d1ec3cf.exe Token: SeShutdownPrivilege 2424 JaffaCakes118_33ecc627f63b589e7ff67c248d1ec3cf.exe Token: SeDebugPrivilege 2424 JaffaCakes118_33ecc627f63b589e7ff67c248d1ec3cf.exe Token: SeSystemEnvironmentPrivilege 2424 JaffaCakes118_33ecc627f63b589e7ff67c248d1ec3cf.exe Token: SeChangeNotifyPrivilege 2424 JaffaCakes118_33ecc627f63b589e7ff67c248d1ec3cf.exe Token: SeRemoteShutdownPrivilege 2424 JaffaCakes118_33ecc627f63b589e7ff67c248d1ec3cf.exe Token: SeUndockPrivilege 2424 JaffaCakes118_33ecc627f63b589e7ff67c248d1ec3cf.exe Token: SeManageVolumePrivilege 2424 JaffaCakes118_33ecc627f63b589e7ff67c248d1ec3cf.exe Token: SeImpersonatePrivilege 2424 JaffaCakes118_33ecc627f63b589e7ff67c248d1ec3cf.exe Token: SeCreateGlobalPrivilege 2424 JaffaCakes118_33ecc627f63b589e7ff67c248d1ec3cf.exe Token: 33 2424 JaffaCakes118_33ecc627f63b589e7ff67c248d1ec3cf.exe Token: 34 2424 JaffaCakes118_33ecc627f63b589e7ff67c248d1ec3cf.exe Token: 35 2424 JaffaCakes118_33ecc627f63b589e7ff67c248d1ec3cf.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2424 wrote to memory of 2444 2424 JaffaCakes118_33ecc627f63b589e7ff67c248d1ec3cf.exe 28 PID 2424 wrote to memory of 2444 2424 JaffaCakes118_33ecc627f63b589e7ff67c248d1ec3cf.exe 28 PID 2424 wrote to memory of 2444 2424 JaffaCakes118_33ecc627f63b589e7ff67c248d1ec3cf.exe 28 PID 2424 wrote to memory of 2444 2424 JaffaCakes118_33ecc627f63b589e7ff67c248d1ec3cf.exe 28 PID 2424 wrote to memory of 2444 2424 JaffaCakes118_33ecc627f63b589e7ff67c248d1ec3cf.exe 28 PID 2424 wrote to memory of 2444 2424 JaffaCakes118_33ecc627f63b589e7ff67c248d1ec3cf.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_33ecc627f63b589e7ff67c248d1ec3cf.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_33ecc627f63b589e7ff67c248d1ec3cf.exe"1⤵
- Checks BIOS information in registry
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"2⤵
- System Location Discovery: System Language Discovery
PID:2444
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5c4e9f32138049dc7f8eebacb9bc6a4e7
SHA1effb1b364002580fc2a25c8f64afc80f3184af6f
SHA2567f3cbefaf8f0f7dab5a28fe6c16ab34816b8e568db29aa7b875fbf37a2d526fb
SHA512cfaa70d563d597e8aa0d37d1312aa820b19a6967767e545a2c4241fb8a91679ad6132fda781edd3581e369e42f162881e849ffbcd81c7b15128fecdb3d263ffa
-
Filesize
2KB
MD5e5825b207e27fcfa469128e6d910fca2
SHA15260aa28ff74d3c172f54d338bf8eaa24b87d947
SHA25608b5e8c1e7d50025320dd7ffaac4939b1398100b46217eff50fcdcbb612b3e0d
SHA512349c508f2e4de22f6a2c2b69ccadf5c15d240d64bcdddd437f0722ccafa0e2a8d499c8e9c360a4cd845eba645dcd4c448b4e34b34323b9020f5b9f6f07e77dbd