Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system -
submitted
01/03/2025, 03:58
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_3696b0bc52372480786fc82e9a40ee3a.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_3696b0bc52372480786fc82e9a40ee3a.exe
Resource
win10v2004-20250217-en
General
-
Target
JaffaCakes118_3696b0bc52372480786fc82e9a40ee3a.exe
-
Size
802KB
-
MD5
3696b0bc52372480786fc82e9a40ee3a
-
SHA1
5abc4082d640549636a1874a1e370d2ccd66e428
-
SHA256
331ee2f4d2b3be0e3b88cf223b43313104c030659607fed74dd8c43ffcdab88d
-
SHA512
fca575df857de0b2df8b4219f095dd9f1c742130637296916e0fd87ed9f59c9473a58b0fb8efe23a258d6a2a64c311fcdff422fe04c9aaed67eb1cb6aeb5ad06
-
SSDEEP
12288:DPikU7IOvVeFoZq6jlb+kvwKzTe6bJ17VLQTx:DPikUJvL5vw89b2
Malware Config
Extracted
darkcomet
Guest16
billonairgamble.serveblog.net:1806
DC_MUTEX-6K0ZM1M
-
gencode
PivnwSb2eiUN
-
install
false
-
offline_keylogger
true
-
persistence
false
Signatures
-
Darkcomet family
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid Process 4252 attrib.exe 3068 attrib.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation Winserv.exe -
Executes dropped EXE 1 IoCs
pid Process 3004 Winserv.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hostnet = "C:\\Users\\Admin\\AppData\\Roaming\\hostnet.exe" JaffaCakes118_3696b0bc52372480786fc82e9a40ee3a.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3380 set thread context of 3004 3380 JaffaCakes118_3696b0bc52372480786fc82e9a40ee3a.exe 93 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_3696b0bc52372480786fc82e9a40ee3a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Winserv.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 3380 JaffaCakes118_3696b0bc52372480786fc82e9a40ee3a.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3004 Winserv.exe -
Suspicious use of AdjustPrivilegeToken 25 IoCs
description pid Process Token: SeDebugPrivilege 3380 JaffaCakes118_3696b0bc52372480786fc82e9a40ee3a.exe Token: SeIncreaseQuotaPrivilege 3004 Winserv.exe Token: SeSecurityPrivilege 3004 Winserv.exe Token: SeTakeOwnershipPrivilege 3004 Winserv.exe Token: SeLoadDriverPrivilege 3004 Winserv.exe Token: SeSystemProfilePrivilege 3004 Winserv.exe Token: SeSystemtimePrivilege 3004 Winserv.exe Token: SeProfSingleProcessPrivilege 3004 Winserv.exe Token: SeIncBasePriorityPrivilege 3004 Winserv.exe Token: SeCreatePagefilePrivilege 3004 Winserv.exe Token: SeBackupPrivilege 3004 Winserv.exe Token: SeRestorePrivilege 3004 Winserv.exe Token: SeShutdownPrivilege 3004 Winserv.exe Token: SeDebugPrivilege 3004 Winserv.exe Token: SeSystemEnvironmentPrivilege 3004 Winserv.exe Token: SeChangeNotifyPrivilege 3004 Winserv.exe Token: SeRemoteShutdownPrivilege 3004 Winserv.exe Token: SeUndockPrivilege 3004 Winserv.exe Token: SeManageVolumePrivilege 3004 Winserv.exe Token: SeImpersonatePrivilege 3004 Winserv.exe Token: SeCreateGlobalPrivilege 3004 Winserv.exe Token: 33 3004 Winserv.exe Token: 34 3004 Winserv.exe Token: 35 3004 Winserv.exe Token: 36 3004 Winserv.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3004 Winserv.exe -
Suspicious use of WriteProcessMemory 48 IoCs
description pid Process procid_target PID 3380 wrote to memory of 3004 3380 JaffaCakes118_3696b0bc52372480786fc82e9a40ee3a.exe 93 PID 3380 wrote to memory of 3004 3380 JaffaCakes118_3696b0bc52372480786fc82e9a40ee3a.exe 93 PID 3380 wrote to memory of 3004 3380 JaffaCakes118_3696b0bc52372480786fc82e9a40ee3a.exe 93 PID 3380 wrote to memory of 3004 3380 JaffaCakes118_3696b0bc52372480786fc82e9a40ee3a.exe 93 PID 3380 wrote to memory of 3004 3380 JaffaCakes118_3696b0bc52372480786fc82e9a40ee3a.exe 93 PID 3380 wrote to memory of 3004 3380 JaffaCakes118_3696b0bc52372480786fc82e9a40ee3a.exe 93 PID 3380 wrote to memory of 3004 3380 JaffaCakes118_3696b0bc52372480786fc82e9a40ee3a.exe 93 PID 3380 wrote to memory of 3004 3380 JaffaCakes118_3696b0bc52372480786fc82e9a40ee3a.exe 93 PID 3380 wrote to memory of 3004 3380 JaffaCakes118_3696b0bc52372480786fc82e9a40ee3a.exe 93 PID 3380 wrote to memory of 3004 3380 JaffaCakes118_3696b0bc52372480786fc82e9a40ee3a.exe 93 PID 3380 wrote to memory of 3004 3380 JaffaCakes118_3696b0bc52372480786fc82e9a40ee3a.exe 93 PID 3380 wrote to memory of 3004 3380 JaffaCakes118_3696b0bc52372480786fc82e9a40ee3a.exe 93 PID 3380 wrote to memory of 3004 3380 JaffaCakes118_3696b0bc52372480786fc82e9a40ee3a.exe 93 PID 3380 wrote to memory of 3004 3380 JaffaCakes118_3696b0bc52372480786fc82e9a40ee3a.exe 93 PID 3004 wrote to memory of 1748 3004 Winserv.exe 94 PID 3004 wrote to memory of 1748 3004 Winserv.exe 94 PID 3004 wrote to memory of 1748 3004 Winserv.exe 94 PID 3004 wrote to memory of 4424 3004 Winserv.exe 95 PID 3004 wrote to memory of 4424 3004 Winserv.exe 95 PID 3004 wrote to memory of 4424 3004 Winserv.exe 95 PID 3004 wrote to memory of 704 3004 Winserv.exe 96 PID 3004 wrote to memory of 704 3004 Winserv.exe 96 PID 3004 wrote to memory of 704 3004 Winserv.exe 96 PID 3004 wrote to memory of 704 3004 Winserv.exe 96 PID 3004 wrote to memory of 704 3004 Winserv.exe 96 PID 3004 wrote to memory of 704 3004 Winserv.exe 96 PID 3004 wrote to memory of 704 3004 Winserv.exe 96 PID 3004 wrote to memory of 704 3004 Winserv.exe 96 PID 3004 wrote to memory of 704 3004 Winserv.exe 96 PID 3004 wrote to memory of 704 3004 Winserv.exe 96 PID 3004 wrote to memory of 704 3004 Winserv.exe 96 PID 3004 wrote to memory of 704 3004 Winserv.exe 96 PID 3004 wrote to memory of 704 3004 Winserv.exe 96 PID 3004 wrote to memory of 704 3004 Winserv.exe 96 PID 3004 wrote to memory of 704 3004 Winserv.exe 96 PID 3004 wrote to memory of 704 3004 Winserv.exe 96 PID 3004 wrote to memory of 704 3004 Winserv.exe 96 PID 3004 wrote to memory of 704 3004 Winserv.exe 96 PID 3004 wrote to memory of 704 3004 Winserv.exe 96 PID 3004 wrote to memory of 704 3004 Winserv.exe 96 PID 3004 wrote to memory of 704 3004 Winserv.exe 96 PID 3004 wrote to memory of 704 3004 Winserv.exe 96 PID 4424 wrote to memory of 3068 4424 cmd.exe 99 PID 4424 wrote to memory of 3068 4424 cmd.exe 99 PID 4424 wrote to memory of 3068 4424 cmd.exe 99 PID 1748 wrote to memory of 4252 1748 cmd.exe 100 PID 1748 wrote to memory of 4252 1748 cmd.exe 100 PID 1748 wrote to memory of 4252 1748 cmd.exe 100 -
Views/modifies file attributes 1 TTPs 2 IoCs
pid Process 3068 attrib.exe 4252 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3696b0bc52372480786fc82e9a40ee3a.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3696b0bc52372480786fc82e9a40ee3a.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3380 -
C:\Users\Admin\AppData\Local\Temp\AppLaunch\Winserv.exeC:\Users\Admin\AppData\Local\Temp\\AppLaunch\Winserv.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\AppLaunch\Winserv.exe" +s +h3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\AppLaunch\Winserv.exe" +s +h4⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:4252
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\AppLaunch" +s +h3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4424 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\AppLaunch" +s +h4⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:3068
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad3⤵
- System Location Discovery: System Language Discovery
PID:704
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB
MD5d881de17aa8f2e2c08cbb7b265f928f9
SHA108936aebc87decf0af6e8eada191062b5e65ac2a
SHA256b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
SHA5125f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34