Analysis
max time kernel: 144s
max time network: 129s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 01/03/2025, 06:48
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_3763edd1e6ad1bf573bc2d2190649a2c.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: JaffaCakes118_3763edd1e6ad1bf573bc2d2190649a2c.exe
Resource: win10v2004-20250217-en
General
Target: JaffaCakes118_3763edd1e6ad1bf573bc2d2190649a2c.exe
Size: 952KB
MD5: 3763edd1e6ad1bf573bc2d2190649a2c
SHA1: 9a9b772cdf1bbc1b9e4ada8435b9aa09f1a32cde
SHA256: 0684e126c70d34320ccae8547ebf1b4bb1aaf230f94c92d6c56e4877ffcec136
SHA512: cacf3b0ad57193003b12e3e2409010280ae8f6fae8a84244ca0d9d97769a128fb27f0acec423e0f267461b4958df2b1736bb34d561e65898c1c2f7263d7a0ecd
SSDEEP: 24576:xfibWwLVMG7wJxnl7lQBX1GPZEuePxSt4YpqUQezetrO5:Rsji7lIlGBMPE1pqUQezuS5
Malware Config
Extracted
- darkcomet
- Guest16
- 127.0.0.1:1604
- DC_MUTEX-F54S21D
- gencode: P+ihDzmkisV�
- install: false
- offline_keylogger: false
- password: 123456
- persistence: false
Signatures
Darkcomet family
Modifies security service 2 TTPs 1 IoCs
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" (process: SELING~1.EXE)
Windows security bypass 2 TTPs 2 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: SELING~1.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: SELING~1.EXE)
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate (process: SELING~1.EXE)
Executes dropped EXE 1 IoCs
- PID 2792 SELING~1.EXE
Loads dropped DLL 3 IoCs
- PID 2904 JaffaCakes118_3763edd1e6ad1bf573bc2d2190649a2c.exe
- PID 2904 JaffaCakes118_3763edd1e6ad1bf573bc2d2190649a2c.exe
- PID 2792 SELING~1.EXE
Windows security modification 2 TTPs 2 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: SELING~1.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: SELING~1.EXE)
Adds Run key to start application 2 TTPs 1 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: JaffaCakes118_3763edd1e6ad1bf573bc2d2190649a2c.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: JaffaCakes118_3763edd1e6ad1bf573bc2d2190649a2c.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: SELING~1.EXE)
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: SELING~1.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: SELING~1.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (process: SELING~1.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (process: SELING~1.EXE)
Enumerates system info in registry 2 TTPs 1 IoCs
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier (process: SELING~1.EXE)
Suspicious behavior: AddClipboardFormatListener 1 IoCs
- PID 1984 vlc.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
- PID 1984 vlc.exe
Suspicious use of AdjustPrivilegeToken 25 IoCs
PID 2792 SELING~1.EXE:
- Token: SeIncreaseQuotaPrivilege
- Token: SeSecurityPrivilege
- Token: SeTakeOwnershipPrivilege
- Token: SeLoadDriverPrivilege
- Token: SeSystemProfilePrivilege
- Token: SeSystemtimePrivilege
- Token: SeProfSingleProcessPrivilege
- Token: SeIncBasePriorityPrivilege
- Token: SeCreatePagefilePrivilege
- Token: SeBackupPrivilege
- Token: SeRestorePrivilege
- Token: SeShutdownPrivilege
- Token: SeDebugPrivilege
- Token: SeSystemEnvironmentPrivilege
- Token: SeChangeNotifyPrivilege
- Token: SeRemoteShutdownPrivilege
- Token: SeUndockPrivilege
- Token: SeManageVolumePrivilege
- Token: SeImpersonatePrivilege
- Token: SeCreateGlobalPrivilege
- Token: 33
- Token: 34
- Token: 35
PID 1984 vlc.exe:
- Token: 33
- Token: SeIncBasePriorityPrivilege
Suspicious use of FindShellTrayWindow 6 IoCs
- PID 1984 vlc.exe (6 entries)
Suspicious use of SendNotifyMessage 5 IoCs
- PID 1984 vlc.exe (5 entries)
Suspicious use of SetWindowsHookEx 1 IoCs
- PID 1984 vlc.exe
Suspicious use of WriteProcessMemory 21 IoCs
- PID 2904 (JaffaCakes118_3763edd1e6ad1bf573bc2d2190649a2c.exe) wrote to memory of 2792, procid_target 30 (7 entries)
- PID 2792 (SELING~1.EXE) wrote to memory of 1984, procid_target 31 (7 entries)
- PID 2792 (SELING~1.EXE) wrote to memory of 2868, procid_target 32 (7 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3763edd1e6ad1bf573bc2d2190649a2c.exe (PID 2904, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3763edd1e6ad1bf573bc2d2190649a2c.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SELING~1.EXE (PID 2792, level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SELING~1.EXE
    - Modifies security service
    - Windows security bypass
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\VideoLAN\VLC\vlc.exe (PID 1984, level 3)
      Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\BEETHOVEN'S SYMPHONY NO. 9 (SCHERZO).WMA"
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
    - C:\Program Files\VideoLAN\VLC\vlc.exe (PID 2868, level 3)
      Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\BEETHOVEN'S SYMPHONY NO. 9 (SCHERZO).WMA"
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Create or Modify System Process: Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Create or Modify System Process: Windows Service (1)
Downloads
- Filesize: 599KB
  MD5: f2271fe569c058dc724d9b9e53811e31
  SHA1: ea276fc14127875413ac387f017bd2291a987f4b
  SHA256: bf0074851e2435a255b512e502b831ed2c456774971f8fc57004d597769364a6
  SHA512: c324428534f64879aa17b190206e538066308486d95e9fa1b8b7238bc79067042717c232034ef8926376b72d3123be169852b05bfe58c7f69887245d91e5b53d
- Filesize: 1.3MB
  MD5: 7e6451294f60b01af6b01716d961ff3d
  SHA1: fd077d9fdee7976d9f4b3f1fc34e0d8b26113382
  SHA256: 385d12c46e7efe1715a7a24c2091f38c6a87f6b2abaa13371b5c0307a0c1eb46
  SHA512: 2995724a78d0cd69d21dbf616c589ae80171a905a36ece9da3990b3b33c1619d7d7bfa905137c8221ede7a3ac2d545879ae607786e2cc0cf1ba460f071d138b0