Analysis
- max time kernel: 15s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 01/03/2025, 04:09
- Static task: static1
- Behavioral task: behavioral1
- Sample: JaffaCakes118_36a2e0b03acc09b7d7bde9ecbc29884a.exe
- Resource: win7-20240903-en
General
- Target: JaffaCakes118_36a2e0b03acc09b7d7bde9ecbc29884a.exe
- Size: 830KB
- MD5: 36a2e0b03acc09b7d7bde9ecbc29884a
- SHA1: f7fb16c7db12ab0f459c1d257bd8633971ac4ec2
- SHA256: 7ebbc6ba5361d4824e880c9dd7196066b480555d731fb10f9c90a7060eb8808c
- SHA512: 83c5e1c667bba2699c05efd9f23d5201859d6b79f55b2ade025de5831e36eff15cd8bf4278329c8011d6a7d40fd82b013da97a8406dc6420e0718a9c0f9b48f5
- SSDEEP: 12288:hAWFyFMup2DnS6VrFYj7fjYDl0d6KxDTe4eHfIWM9HjbuW/7fPHZOem:CIuMk2DnS6VrQ2gDTrebM9HjV/bPHlm
Malware Config
Extracted (family: darkcomet)
- Campaign ID: victima
- C2: testers28.no-ip.org:1111
- Mutex: DC_MUTEX-1GF3HUC
- InstallPath: JavaRE\bin\Java.exe
- gencode: CiJev6UZ6jH*
- install: true
- offline_keylogger: true
- password: 1234
- persistence: false
- reg_key: Java

Reading the config against the behavioural run: InstallPath is relative and resolves to C:\JavaRE\bin\Java.exe, the path executed and registered for autostart below; reg_key is the value name ("Java") used for the Run entry. The "persistence" flag is DarkComet's self-restoring watchdog option, not autostart, so "false" here does not contradict the Winlogon and Run key modifications, which follow from install=true. The C2 is a dynamic-DNS hostname on port 1111; the address it resolved to during analysis is not recorded on this page, so hunt on the hostname and the mutex name rather than an IP. "password" is the DarkComet security password, the secret from which the RC4 key for the C2 channel is derived, so it is useful for decrypting captured traffic from this build.
Signatures
- Darkcomet family

Modifies WinLogon for persistence (T1547.004) 2 TTPs 1 IoCs
- Set value (str) by JaffaCakes118_36a2e0b03acc09b7d7bde9ecbc29884a.exe (PID 1792): HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\Windows\system32\userinit.exe,C:\JavaRE\bin\Java.exe"

The stock UserInit value is "C:\Windows\system32\userinit.exe," (a comma-separated list with one entry). Winlogon launches every listed entry in the logging-on user's context at each interactive logon, so the appended Java.exe starts at logon for every user of the machine, independently of the per-user Run key below. The write succeeded here, which means the sample ran with rights to modify HKLM; on a standard-user account this write fails and only the per-user Run key would remain. When remediating, restore the value to the stock entry rather than deleting it, since an empty UserInit breaks logon.
Deletes itself 2 IoCs
- PID 3064 cmd.exe (2 records)

Executes dropped EXE 4 IoCs
- PID 3048 Java.exe (2 records)
- PID 2652 Java.exe (2 records)

Loads dropped DLL 6 IoCs
- PID 1792 JaffaCakes118_36a2e0b03acc09b7d7bde9ecbc29884a.exe (4 records)
- PID 3048 Java.exe (2 records)
Adds Run key to start application (T1547.001) 2 TTPs 1 IoCs
- Set value (str) by JaffaCakes118_36a2e0b03acc09b7d7bde9ecbc29884a.exe (PID 1792): HKU\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "C:\JavaRE\bin\Java.exe"

The SID S-1-5-21-...-1000 is the sandbox's interactive user, so this is the HKCU Run key of the user who ran the sample (HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Java). The value name matches reg_key in the extracted config.
Suspicious use of SetThreadContext 4 IoCs
- PID 1868 JaffaCakes118_36a2e0b03acc09b7d7bde9ecbc29884a.exe set thread context of PID 1792 (same image; sandbox process index 31), 2 records
- PID 3048 Java.exe set thread context of PID 2652 (same image; sandbox process index 36), 2 records

Each stage launches a second copy of its own executable and, together with the WriteProcessMemory records below, rewrites that child's memory and main-thread context: the process-hollowing pattern, where the code that runs in the child is not the code in its image on disk. This is why the per-process signature lists split the way they do: the parents (1868, 3048) only inject and hook, while the injected children (1792, 2652) perform the registry writes, privilege adjustments and process creation.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (T1614.001) 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: HKLM\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe, PING.EXE, Java.exe (2 records), JaffaCakes118_36a2e0b03acc09b7d7bde9ecbc29884a.exe (2 records)

Treat this as low-signal on its own: the NLS\Language key is read during normal process initialisation, which is why the report also attributes it to cmd.exe and PING.EXE, neither of which is malicious code.
System Network Configuration Discovery: Internet Connection Discovery (T1016.001) 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
- PID 3064 cmd.exe
- PID 2736 PING.EXE

Runs ping.exe 1 TTPs 1 IoCs
- PID 2736 PING.EXE

The ping here targets 127.0.0.1, the loopback address, so it tests nothing about Internet connectivity. It is a delay: "ping 127.0.0.1 -n 5" sends five echo requests one second apart, giving the parent time to exit before the following "del" removes the original executable (see the process tree below). The discovery tag is a false positive of the signature keying on ping.exe.
Suspicious use of AdjustPrivilegeToken 64 IoCs
Privileges enabled, in order, per process (the report caps this list at 64 records):
- PID 1792 JaffaCakes118_36a2e0b03acc09b7d7bde9ecbc29884a.exe (23 records): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- PID 2652 Java.exe (23 records): the same 23 privileges in the same order
- PID 1792 JaffaCakes118_36a2e0b03acc09b7d7bde9ecbc29884a.exe (18 records): the same list again from SeIncreaseQuotaPrivilege through SeManageVolumePrivilege, where the capped list ends

The numeric entries are privilege LUIDs the report did not name: 33 is SeIncreaseWorkingSetPrivilege, 34 is SeTimeZonePrivilege and 35 is SeCreateSymbolicLinkPrivilege. The two processes doing this are the hollowed children from the SetThreadContext records, i.e. the payload rather than the loader, and both enable the entire privilege set of the token at once (including SeDebugPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege and SeBackup/SeRestorePrivilege) rather than the one privilege a legitimate program needs for a specific operation. A token-privilege audit rule that fires on SeDebugPrivilege or SeLoadDriverPrivilege being enabled by a process outside the expected set would catch this.
Suspicious use of SetWindowsHookEx 6 IoCs
- PID 1868 JaffaCakes118_36a2e0b03acc09b7d7bde9ecbc29884a.exe (2 records)
- PID 3048 Java.exe (2 records)
- PID 2652 Java.exe (2 records)

SetWindowsHookEx installs window-message or keyboard hooks. The config enables the offline keylogger, but the hook type is not recorded here, so this line alone does not establish keylogging; correlate it with the keylogger flag and any log file written under the install directory.
Suspicious use of WriteProcessMemory 64 IoCs
Writes grouped by source and target process (the report caps this list at 64 records; the last column is the sandbox's internal index of the target process):
- PID 1868 JaffaCakes118_36a2e0b03acc09b7d7bde9ecbc29884a.exe wrote to PID 1792 JaffaCakes118_36a2e0b03acc09b7d7bde9ecbc29884a.exe (index 31): 30 records
- PID 1792 JaffaCakes118_36a2e0b03acc09b7d7bde9ecbc29884a.exe wrote to PID 3048 Java.exe (index 32): 8 records
- PID 1792 JaffaCakes118_36a2e0b03acc09b7d7bde9ecbc29884a.exe wrote to PID 3064 cmd.exe (index 33): 7 records
- PID 3064 cmd.exe wrote to PID 2736 PING.EXE (index 35): 4 records
- PID 3048 Java.exe wrote to PID 2652 Java.exe (index 36): 15 records

The high write counts into 1792 and 2652 are the two hollowing operations; the small counts into cmd.exe and PING.EXE are the normal CreateProcess setup writes every parent performs into a new child.
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_36a2e0b03acc09b7d7bde9ecbc29884a.exe (PID 1868)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_36a2e0b03acc09b7d7bde9ecbc29884a.exe"
  Signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - Level 2: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_36a2e0b03acc09b7d7bde9ecbc29884a.exe (PID 1792), second copy of the same image, hollowed by 1868
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_36a2e0b03acc09b7d7bde9ecbc29884a.exe"
    Signatures: Modifies WinLogon for persistence; Loads dropped DLL; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - Level 3: C:\JavaRE\bin\Java.exe (PID 3048), the dropped copy at InstallPath
      Command line: "C:\JavaRE\bin\Java.exe"
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - Level 4: C:\JavaRE\bin\Java.exe (PID 2652), second copy of the dropped image, hollowed by 3048
        Command line: "C:\JavaRE\bin\Java.exe"
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
    - Level 3: C:\Windows\SysWOW64\cmd.exe (PID 3064)
      Command line: "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_36a2e0b03acc09b7d7bde9ecbc29884a.exe"
      Signatures: Deletes itself; System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Suspicious use of WriteProcessMemory
      - Level 4: C:\Windows\SysWOW64\PING.EXE (PID 2736)
        Command line: ping 127.0.0.1 -n 5
        Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

Two points for anyone writing detections from this tree. First, the self-deletion is the classic delay-then-delete: cmd.exe pings loopback five times (about four seconds), then deletes the original dropper once its parent has exited, so the file at the Temp path will be gone by the time a responder looks; the live copy is C:\JavaRE\bin\Java.exe. Second, the command line names C:\Windows\System32\cmd.exe but the image that actually ran is C:\Windows\SysWOW64\cmd.exe: the sample is a 32-bit process on a 64-bit image, and the WOW64 file system redirector maps System32 to SysWOW64 for 32-bit callers. Match on the image path, or normalise both spellings, rather than on the path in the command line.
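The persistence and self-deletion behaviour in this report maps directly onto host-side telemetry. The following Python is an added example, not code from the sandbox report or from DarkComet: it implements the checks a detection engineer would derive from the IoCs above (a non-default entry appended to Winlogon UserInit, a Run key write, a "ping ... & del" command line whose delete target is the parent's own image, and a process spawning a copy of its own image as a hollowing hint) and runs them over constructed Sysmon-style event records. The event field names follow Sysmon's schema (EventID 1 process creation, EventID 13 registry value set); the rule names, the Finding type and the benign control event with PID 400 are assumptions made for the example. Registry paths are accepted in both the native \REGISTRY\MACHINE form the report uses and the HKLM form Sysmon logs, and System32/SysWOW64 are normalised so the WOW64 redirection noted above does not defeat the comparison.

```python
"""Detection rules for the behaviours recorded in this DarkComet report, run
over constructed Sysmon-style events (added example; not the sandbox's code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

USERINIT_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit"
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# "ping <host> -n <count> ... & del [/flags] <path>.exe": the delay-then-delete
# self-removal pattern from the cmd.exe command line in the process tree.
SELF_DELETE_RE = re.compile(
    r'ping\s+\S+\s+-n\s+\d+.*?&\s*del\s+(?:/[a-z]\s+)*"?([^"&]+?\.exe)"?', re.I)


def norm(path: str) -> str:
    """Canonicalise a path or registry key for comparison: lower-case, strip
    quotes, map the native \\REGISTRY\\MACHINE prefix to HKLM and undo the
    WOW64 redirection (SysWOW64 -> System32) so both spellings compare equal."""
    p = path.strip().strip('"').lower()
    p = p.replace("\\registry\\machine\\", "hklm\\")
    return p.replace("\\syswow64\\", "\\system32\\")


def userinit_extra_entries(value: str) -> list[str]:
    """Entries in a Winlogon UserInit value other than the stock userinit.exe.
    The default value is 'C:\\Windows\\system32\\userinit.exe,' (note the
    trailing comma), so empty entries are ignored, not flagged."""
    extras = []
    for entry in value.split(","):
        e = norm(entry)
        if e and not e.endswith("\\system32\\userinit.exe") and e != "userinit.exe":
            extras.append(entry.strip())
    return extras


def self_delete_target(cmdline: str) -> str | None:
    """Path deleted by a 'ping ... & del' command line, or None if absent."""
    m = SELF_DELETE_RE.search(cmdline)
    return m.group(1) if m else None


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def detect(events: list[dict]) -> list[Finding]:
    """Apply the rules to Sysmon-style events (EventID 1 = process create,
    EventID 13 = registry value set) and return one Finding per hit."""
    findings: list[Finding] = []
    for ev in events:
        if ev["EventID"] == 13:
            key, data = ev["TargetObject"], ev["Details"]
            if norm(key) == norm(USERINIT_KEY):
                for extra in userinit_extra_entries(data):
                    findings.append(Finding("winlogon_userinit_addition", ev["ProcessId"], extra))
            elif RUN_KEY_RE.search(key):
                findings.append(Finding("run_key_added", ev["ProcessId"], f"{key} = {data}"))
        elif ev["EventID"] == 1:
            target = self_delete_target(ev["CommandLine"])
            # Only flag when the file being deleted is the parent's own image.
            if target and norm(target) == norm(ev["ParentImage"]):
                findings.append(Finding("parent_self_delete_via_ping", ev["ProcessId"], target))
            # Low-confidence hollowing hint: a process launching a copy of its own
            # image. Browsers and other multi-process apps do this legitimately,
            # so use it for correlation, not for alerting on its own.
            if norm(ev["Image"]) == norm(ev["ParentImage"]):
                findings.append(Finding("spawned_copy_of_own_image", ev["ProcessId"], ev["Image"]))
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_36a2e0b03acc09b7d7bde9ecbc29884a.exe"
# Constructed events: values copied from the IoCs in this report, plus one
# made-up benign control (PID 400 writing the stock UserInit value).
EVENTS = [
    {"EventID": 1, "ProcessId": 1792, "Image": SAMPLE, "ParentImage": SAMPLE,
     "CommandLine": f'"{SAMPLE}"'},
    {"EventID": 13, "ProcessId": 1792,
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit",
     "Details": r"C:\Windows\system32\userinit.exe,C:\JavaRE\bin\Java.exe"},
    {"EventID": 13, "ProcessId": 1792,
     "TargetObject": r"HKU\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java",
     "Details": r"C:\JavaRE\bin\Java.exe"},
    {"EventID": 1, "ProcessId": 3064, "Image": r"C:\Windows\SysWOW64\cmd.exe", "ParentImage": SAMPLE,
     "CommandLine": '"C:\\Windows\\System32\\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "' + SAMPLE + '"'},
    {"EventID": 13, "ProcessId": 400,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit",
     "Details": r"C:\Windows\system32\userinit.exe,"},
]

if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f.rule:30} pid={f.pid} {f.detail}")
```

Run against the constructed events this yields four findings (the self-spawned copy, the UserInit addition of C:\JavaRE\bin\Java.exe, the Run\Java value, and cmd.exe deleting its parent's image) and nothing for the benign UserInit write. The UserInit check compares entries rather than the whole string on purpose: a naive "value != default" rule fires on harmless spelling differences (case, %SystemRoot% expansion, missing trailing comma), whereas listing the non-default entries gives the responder the path to remove and leaves the stock entry alone.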
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (T1547): 2
  - Registry Run Keys / Startup Folder (T1547.001): 1
  - Winlogon Helper DLL (T1547.004): 1
Privilege Escalation
- Boot or Logon Autostart Execution (T1547): 2
  - Registry Run Keys / Startup Folder (T1547.001): 1
  - Winlogon Helper DLL (T1547.004): 1
Downloads
- Filesize: 830KB (the submitted sample itself; hashes identical to those in General)
  - MD5: 36a2e0b03acc09b7d7bde9ecbc29884a
  - SHA1: f7fb16c7db12ab0f459c1d257bd8633971ac4ec2
  - SHA256: 7ebbc6ba5361d4824e880c9dd7196066b480555d731fb10f9c90a7060eb8808c
  - SHA512: 83c5e1c667bba2699c05efd9f23d5201859d6b79f55b2ade025de5831e36eff15cd8bf4278329c8011d6a7d40fd82b013da97a8406dc6420e0718a9c0f9b48f5