Analysis
- max time kernel: 149s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 29/03/2025, 18:23

Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_9130dd0587c5be70b699cfbe209e37a6.exe
Resource: win7-20240903-en
General
- Target: JaffaCakes118_9130dd0587c5be70b699cfbe209e37a6.exe
- Size: 776KB
- MD5: 9130dd0587c5be70b699cfbe209e37a6
- SHA1: 4a5c9cec82a10f0f65d2db1e67d51fe6c3c180d2
- SHA256: fecacc482aeecf02f74ec6c031edf49f8be5617479e45f1c83a76c994124cb17
- SHA512: a0935f541e75f3dc6b344e3792a8cf60544aa0eca3545b79cfa7154827f00c141752ff75cc781ac7bef9a9054eceda64fe55b9e0f013b1dc07300eee381db681
- SSDEEP: 12288:kt8zTwMhjTJwk3VwlA5K3MMfU4lh0rt3zefBYsN7jLQU+wjG7SOm:kqwqjTJwk3WlAF4ErtjeZ9N7iwjGGOm
Malware Config

Extracted: darkcomet
- gencode:
- install: false
- offline_keylogger: false
- persistence: false

Extracted: darkcomet
- Guest16
- 127.0.0.1:1604
- DC_MUTEX-9HRGXF8
- gencode: xv$#w2ngcpPV
- install: false
- offline_keylogger: true
- persistence: false
Signatures

- Darkcomet family

- Suspicious use of SetThreadContext (1 IoC)

description | pid | Process | procid_target
PID 1044 set thread context of 1728 | 1044 | JaffaCakes118_9130dd0587c5be70b699cfbe209e37a6.exe | 31

- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_9130dd0587c5be70b699cfbe209e37a6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe

- Suspicious use of AdjustPrivilegeToken (23 IoCs)

description | pid | Process
Token: SeIncreaseQuotaPrivilege | 1728 | cvtres.exe
Token: SeSecurityPrivilege | 1728 | cvtres.exe
Token: SeTakeOwnershipPrivilege | 1728 | cvtres.exe
Token: SeLoadDriverPrivilege | 1728 | cvtres.exe
Token: SeSystemProfilePrivilege | 1728 | cvtres.exe
Token: SeSystemtimePrivilege | 1728 | cvtres.exe
Token: SeProfSingleProcessPrivilege | 1728 | cvtres.exe
Token: SeIncBasePriorityPrivilege | 1728 | cvtres.exe
Token: SeCreatePagefilePrivilege | 1728 | cvtres.exe
Token: SeBackupPrivilege | 1728 | cvtres.exe
Token: SeRestorePrivilege | 1728 | cvtres.exe
Token: SeShutdownPrivilege | 1728 | cvtres.exe
Token: SeDebugPrivilege | 1728 | cvtres.exe
Token: SeSystemEnvironmentPrivilege | 1728 | cvtres.exe
Token: SeChangeNotifyPrivilege | 1728 | cvtres.exe
Token: SeRemoteShutdownPrivilege | 1728 | cvtres.exe
Token: SeUndockPrivilege | 1728 | cvtres.exe
Token: SeManageVolumePrivilege | 1728 | cvtres.exe
Token: SeImpersonatePrivilege | 1728 | cvtres.exe
Token: SeCreateGlobalPrivilege | 1728 | cvtres.exe
Token: 33 | 1728 | cvtres.exe
Token: 34 | 1728 | cvtres.exe
Token: 35 | 1728 | cvtres.exe

- Suspicious use of SetWindowsHookEx (1 IoC)

pid | Process
1728 | cvtres.exe

- Suspicious use of WriteProcessMemory (21 IoCs)

description | pid | Process | procid_target
PID 1044 wrote to memory of 1728 | 1044 | JaffaCakes118_9130dd0587c5be70b699cfbe209e37a6.exe | 31
PID 1044 wrote to memory of 1728 | 1044 | JaffaCakes118_9130dd0587c5be70b699cfbe209e37a6.exe | 31
PID 1044 wrote to memory of 1728 | 1044 | JaffaCakes118_9130dd0587c5be70b699cfbe209e37a6.exe | 31
PID 1044 wrote to memory of 1728 | 1044 | JaffaCakes118_9130dd0587c5be70b699cfbe209e37a6.exe | 31
PID 1044 wrote to memory of 1728 | 1044 | JaffaCakes118_9130dd0587c5be70b699cfbe209e37a6.exe | 31
PID 1044 wrote to memory of 1728 | 1044 | JaffaCakes118_9130dd0587c5be70b699cfbe209e37a6.exe | 31
PID 1044 wrote to memory of 1728 | 1044 | JaffaCakes118_9130dd0587c5be70b699cfbe209e37a6.exe | 31
PID 1044 wrote to memory of 1728 | 1044 | JaffaCakes118_9130dd0587c5be70b699cfbe209e37a6.exe | 31
PID 1044 wrote to memory of 1728 | 1044 | JaffaCakes118_9130dd0587c5be70b699cfbe209e37a6.exe | 31
PID 1044 wrote to memory of 1728 | 1044 | JaffaCakes118_9130dd0587c5be70b699cfbe209e37a6.exe | 31
PID 1044 wrote to memory of 1728 | 1044 | JaffaCakes118_9130dd0587c5be70b699cfbe209e37a6.exe | 31
PID 1044 wrote to memory of 1728 | 1044 | JaffaCakes118_9130dd0587c5be70b699cfbe209e37a6.exe | 31
PID 1044 wrote to memory of 1728 | 1044 | JaffaCakes118_9130dd0587c5be70b699cfbe209e37a6.exe | 31
PID 1728 wrote to memory of 1156 | 1728 | cvtres.exe | 32
PID 1728 wrote to memory of 1156 | 1728 | cvtres.exe | 32
PID 1728 wrote to memory of 1156 | 1728 | cvtres.exe | 32
PID 1728 wrote to memory of 1156 | 1728 | cvtres.exe | 32
PID 1728 wrote to memory of 2664 | 1728 | cvtres.exe | 33
PID 1728 wrote to memory of 2664 | 1728 | cvtres.exe | 33
PID 1728 wrote to memory of 2664 | 1728 | cvtres.exe | 33
PID 1728 wrote to memory of 2664 | 1728 | cvtres.exe | 33
Processes

1. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9130dd0587c5be70b699cfbe209e37a6.exe (PID: 1044)
   Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9130dd0587c5be70b699cfbe209e37a6.exe"
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID: 1728)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Program Files (x86)\Internet Explorer\iexplore.exe (PID: 1156)
         Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"

      3. C:\Windows\explorer.exe (PID: 2664)
         Command line: "C:\Windows\explorer.exe"