Analysis
max time kernel: 150s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 29/03/2025, 17:52
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe
Resource: win7-20241010-en
General
Target: JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe
Size: 902KB
MD5: 8f54fb212d78920e037e2955bf6b454b
SHA1: 10901b97e5388b53a5d0f611f21760730d0207d5
SHA256: 9e2c30c43202b34750a786441451ee0daa6b01dbcf6092e4987daf32fdf61088
SHA512: be857da48c0de4f1ff29be364b75e161a6c3c8cf4bcdaac635a57429bf75f5affab27b456c269781cbd2cb559440b9e7eb6f546d09626858d18555586b4a96c8
SSDEEP: 12288:qzEJ/nmBx/rEp5PNoGVhUSwmcCfv+F/RoouiGsR+a:2Snsrw1TV2pCO/RxuZha
Malware Config
Extracted: darkcomet
gencode:
install: false
offline_keylogger: false
persistence: false
Extracted: darkcomet
squeal
myronsqueal.no-ip.biz:1610
DC_MUTEX-CQWEFBJ
gencode: 2jkoKMSjkGrH
install: false
offline_keylogger: true
persistence: false
Signatures
-
Darkcomet family
-
Drops startup file 2 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe | JaffaCakes118_8f54fb212d78920e037e2955bf6b454b1.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe | JaffaCakes118_8f54fb212d78920e037e2955bf6b454b1.exe
Executes dropped EXE 2 IoCs
pid | Process
2852 | vbc.exe
2860 | JaffaCakes118_8f54fb212d78920e037e2955bf6b454b1.exe
Loads dropped DLL 3 IoCs
pid | Process
1996 | JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe
1996 | JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe
1996 | JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 1996 set thread context of 2852 | 1996 | JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe | 29
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_8f54fb212d78920e037e2955bf6b454b1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Suspicious use of AdjustPrivilegeToken 23 IoCs
description | pid | Process
Token: SeIncreaseQuotaPrivilege | 2852 | vbc.exe
Token: SeSecurityPrivilege | 2852 | vbc.exe
Token: SeTakeOwnershipPrivilege | 2852 | vbc.exe
Token: SeLoadDriverPrivilege | 2852 | vbc.exe
Token: SeSystemProfilePrivilege | 2852 | vbc.exe
Token: SeSystemtimePrivilege | 2852 | vbc.exe
Token: SeProfSingleProcessPrivilege | 2852 | vbc.exe
Token: SeIncBasePriorityPrivilege | 2852 | vbc.exe
Token: SeCreatePagefilePrivilege | 2852 | vbc.exe
Token: SeBackupPrivilege | 2852 | vbc.exe
Token: SeRestorePrivilege | 2852 | vbc.exe
Token: SeShutdownPrivilege | 2852 | vbc.exe
Token: SeDebugPrivilege | 2852 | vbc.exe
Token: SeSystemEnvironmentPrivilege | 2852 | vbc.exe
Token: SeChangeNotifyPrivilege | 2852 | vbc.exe
Token: SeRemoteShutdownPrivilege | 2852 | vbc.exe
Token: SeUndockPrivilege | 2852 | vbc.exe
Token: SeManageVolumePrivilege | 2852 | vbc.exe
Token: SeImpersonatePrivilege | 2852 | vbc.exe
Token: SeCreateGlobalPrivilege | 2852 | vbc.exe
Token: 33 | 2852 | vbc.exe
Token: 34 | 2852 | vbc.exe
Token: 35 | 2852 | vbc.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
2852 | vbc.exe
Suspicious use of WriteProcessMemory 25 IoCs
description | pid | Process | procid_target
PID 1996 wrote to memory of 2852 | 1996 | JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe | 29
PID 1996 wrote to memory of 2852 | 1996 | JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe | 29
PID 1996 wrote to memory of 2852 | 1996 | JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe | 29
PID 1996 wrote to memory of 2852 | 1996 | JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe | 29
PID 1996 wrote to memory of 2852 | 1996 | JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe | 29
PID 1996 wrote to memory of 2852 | 1996 | JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe | 29
PID 1996 wrote to memory of 2852 | 1996 | JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe | 29
PID 1996 wrote to memory of 2852 | 1996 | JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe | 29
PID 1996 wrote to memory of 2852 | 1996 | JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe | 29
PID 1996 wrote to memory of 2852 | 1996 | JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe | 29
PID 1996 wrote to memory of 2852 | 1996 | JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe | 29
PID 1996 wrote to memory of 2852 | 1996 | JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe | 29
PID 1996 wrote to memory of 2852 | 1996 | JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe | 29
PID 1996 wrote to memory of 2884 | 1996 | JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe | 30
PID 1996 wrote to memory of 2884 | 1996 | JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe | 30
PID 1996 wrote to memory of 2884 | 1996 | JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe | 30
PID 1996 wrote to memory of 2884 | 1996 | JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe | 30
PID 2884 wrote to memory of 3048 | 2884 | vbc.exe | 32
PID 2884 wrote to memory of 3048 | 2884 | vbc.exe | 32
PID 2884 wrote to memory of 3048 | 2884 | vbc.exe | 32
PID 2884 wrote to memory of 3048 | 2884 | vbc.exe | 32
PID 1996 wrote to memory of 2860 | 1996 | JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe | 33
PID 1996 wrote to memory of 2860 | 1996 | JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe | 33
PID 1996 wrote to memory of 2860 | 1996 | JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe | 33
PID 1996 wrote to memory of 2860 | 1996 | JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe | 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe"
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1996
C:\Users\Admin\AppData\Local\Temp\plugtemp\vbc.exe (level 2)
Command line: C:\Users\Admin\AppData\Local\Temp\\plugtemp\vbc.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 2852
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (level 2)
Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u-b3bqax.cmdline"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2884
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (level 3)
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7ADC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7ADB.tmp"
- System Location Discovery: System Language Discovery
PID: 3048
C:\Users\Admin\AppData\Roaming\JaffaCakes118_8f54fb212d78920e037e2955bf6b454b1.exe (level 2)
Command line: "C:\Users\Admin\AppData\Roaming\JaffaCakes118_8f54fb212d78920e037e2955bf6b454b1.exe"
- Drops startup file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2860
Network
MITRE ATT&CK Enterprise v15
Downloads