Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20250217-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/03/2025, 05:39
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_451942957a3e12859c8e7072e5567b7b.exe
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_451942957a3e12859c8e7072e5567b7b.exe
  Resource: win10v2004-20250217-en
General
Target: JaffaCakes118_451942957a3e12859c8e7072e5567b7b.exe
Size: 922KB
MD5: 451942957a3e12859c8e7072e5567b7b
SHA1: 9b1cdd121d6042f92d340232df09d5e335f707f7
SHA256: e458c0a05be86989e24bbb05802b11f6314991c937eb56069bcc019e3953dfcf
SHA512: 9f239945f9c6dc63bead66c20abbe1b2acfadf3a38aaa81fcbc611dc0dddce4c9a551737e0d8a63d31e7048655f60e7614918be707d7b1214ac9c003a0f867b3
SSDEEP: 24576:BalaUV3mShJfVh8yalaUVamSh5fVh8DxwiOCjch+c:4aUV20JfVhUaUVB05fVhUxwgsl
Malware Config
Extracted
darkcomet
marine01
securehost.no-ip.org:1324
DC_MUTEX-W06YWJM
InstallPath: system32\winlogonsrv64.exe
gencode: N=FC-U4TtLwv
install: true
offline_keylogger: true
password: cybergatefr33k()()bw""bZ!
persistence: true
reg_key: Winlogonsrv64
Signatures
Darkcomet family

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\system32\\winlogonsrv64.exe" | Generated.exe

Windows security bypass (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | explorer.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | Generated.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | explorer.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation | JaffaCakes118_451942957a3e12859c8e7072e5567b7b.exe
Key value queried | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation | Generated.exe

Executes dropped EXE (1 IoC)
pid | Process
4872 | Generated.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Winlogonsrv64 = "C:\\system32\\winlogonsrv64.exe" | Generated.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Winlogonsrv64 = "C:\\system32\\winlogonsrv64.exe" | notepad.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 4872 set thread context of 1732 | 4872 | Generated.exe | 97

resource | yara_rule
behavioral2/files/0x000b000000023c32-12.dat | upx
behavioral2/memory/4872-15-0x0000000013140000-0x000000001322D000-memory.dmp | upx
behavioral2/memory/1732-31-0x0000000013140000-0x000000001322D000-memory.dmp | upx
behavioral2/memory/1732-29-0x0000000013140000-0x000000001322D000-memory.dmp | upx
behavioral2/memory/1732-33-0x0000000013140000-0x000000001322D000-memory.dmp | upx
behavioral2/memory/4872-32-0x0000000013140000-0x000000001322D000-memory.dmp | upx
behavioral2/memory/1732-34-0x0000000013140000-0x000000001322D000-memory.dmp | upx
behavioral2/memory/1732-38-0x0000000013140000-0x000000001322D000-memory.dmp | upx
behavioral2/memory/1732-37-0x0000000013140000-0x000000001322D000-memory.dmp | upx
behavioral2/memory/1732-36-0x0000000013140000-0x000000001322D000-memory.dmp | upx

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Generated.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | notepad.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NOTEPAD.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | notepad.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_451942957a3e12859c8e7072e5567b7b.exe

Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Generated.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | Generated.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Generated.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | Generated.exe

Enumerates system info in registry (2 TTPs, 2 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | Generated.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | explorer.exe

Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings | Generated.exe

Opens file in notepad (likely ransom note) (1 IoC)
pid | Process
1988 | NOTEPAD.EXE

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
1732 | explorer.exe

Suspicious use of AdjustPrivilegeToken (48 IoCs)
Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
1732 | explorer.exe

Suspicious use of WriteProcessMemory (56 IoCs)
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_451942957a3e12859c8e7072e5567b7b.exe
command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_451942957a3e12859c8e7072e5567b7b.exe"
PID: 392
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Generated.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Generated.exe"
  PID: 4872
  - Modifies WinLogon for persistence
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\notepad.exe
    command line: notepad
    PID: 3320
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\NOTEPAD.EXE
    command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\UNINSTALL.TXT
    PID: 1988
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    C:\Windows\SysWOW64\explorer.exe
    command line: "C:\Windows\SysWOW64\explorer.exe"
    PID: 1732
    - Windows security bypass
    - Checks BIOS information in registry
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\notepad.exe
      command line: C:\Windows\SysWOW64\notepad.exe
      PID: 5096
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Downloads
Filesize: 341KB
MD5: 0a3b8c55cab2e19518ff5bb0bc33106b
SHA1: 81751c0b2ce5adbe01f6045154028a23978b67f1
SHA256: d5af5e20ea4c19ac1155ef4488a0e2e41266e111c41e7edbe643aa73f64bc39b
SHA512: 1b7a4c3193279956378d26cfe0ec2fb647e995a52362aaf17dcf07887da64025405b51fbbc190bd8697425dd07f5fdf0f488fe35e5004187060b6d470896d319

Filesize: 40B
MD5: 40ff21eb875ff52131dbb271de7257fc
SHA1: d99af161efbde2d19173c043b222e4655a95a10b
SHA256: f7f8cd5f5a0869a9f42c2ddacdfc300d2177c1efecf2baeea46674284a249502
SHA512: 6cb19da344b6857c4685f52b5574df47230303c1e33a8dc11c3bef5502ac67d212b50f47cfb964b089256b4434ac5db1e3b8e54f138a449b84e28bab8804eb8b