Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system -
submitted
29/03/2025, 18:13
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_9084424159e638db3a727adc8c382a3a.exe
Resource
win7-20240903-en
General
-
Target
JaffaCakes118_9084424159e638db3a727adc8c382a3a.exe
-
Size
1.0MB
-
MD5
9084424159e638db3a727adc8c382a3a
-
SHA1
dda3efb1bb6317d8e01cf449ef925238ed7661e8
-
SHA256
49b4b9c30d919d1ecf4f901b55fe8919543b2ac772bd3c392bdbbd925782d350
-
SHA512
281e9f430d7268a225c6615129185a342033666fbf6a8f6977afd9039c49bae8e9201081897ddd694279c901cac2d79430e95f65a0eb314ce0b7b71676790f4c
-
SSDEEP
24576:b11zIys+b2LikSnBPohHC6ND8CM/fkDmTeOt8JV:/fsBSnkC6a/cKTeL
Malware Config
Extracted
darkcomet
evo9
benzin.no-ip.biz:101
DC_MUTEX-67Y778R
-
gencode
7jY�m7/C145k
-
install
false
-
offline_keylogger
true
-
password
1111
-
persistence
false
Signatures
-
Darkcomet family
-
Executes dropped EXE 2 IoCs
pid Process 4164 Processname.exe 4160 Processname.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\3 DEN VIDEO VREMENA.txt.sda.exe" JaffaCakes118_9084424159e638db3a727adc8c382a3a.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 5168 set thread context of 4164 5168 JaffaCakes118_9084424159e638db3a727adc8c382a3a.exe 87 PID 5168 set thread context of 4160 5168 JaffaCakes118_9084424159e638db3a727adc8c382a3a.exe 88 -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_9084424159e638db3a727adc8c382a3a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Processname.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Processname.exe -
Suspicious use of AdjustPrivilegeToken 24 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 4164 Processname.exe Token: SeSecurityPrivilege 4164 Processname.exe Token: SeTakeOwnershipPrivilege 4164 Processname.exe Token: SeLoadDriverPrivilege 4164 Processname.exe Token: SeSystemProfilePrivilege 4164 Processname.exe Token: SeSystemtimePrivilege 4164 Processname.exe Token: SeProfSingleProcessPrivilege 4164 Processname.exe Token: SeIncBasePriorityPrivilege 4164 Processname.exe Token: SeCreatePagefilePrivilege 4164 Processname.exe Token: SeBackupPrivilege 4164 Processname.exe Token: SeRestorePrivilege 4164 Processname.exe Token: SeShutdownPrivilege 4164 Processname.exe Token: SeDebugPrivilege 4164 Processname.exe Token: SeSystemEnvironmentPrivilege 4164 Processname.exe Token: SeChangeNotifyPrivilege 4164 Processname.exe Token: SeRemoteShutdownPrivilege 4164 Processname.exe Token: SeUndockPrivilege 4164 Processname.exe Token: SeManageVolumePrivilege 4164 Processname.exe Token: SeImpersonatePrivilege 4164 Processname.exe Token: SeCreateGlobalPrivilege 4164 Processname.exe Token: 33 4164 Processname.exe Token: 34 4164 Processname.exe Token: 35 4164 Processname.exe Token: 36 4164 Processname.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4164 Processname.exe -
Suspicious use of WriteProcessMemory 23 IoCs
description pid Process procid_target PID 5168 wrote to memory of 4164 5168 JaffaCakes118_9084424159e638db3a727adc8c382a3a.exe 87 PID 5168 wrote to memory of 4164 5168 JaffaCakes118_9084424159e638db3a727adc8c382a3a.exe 87 PID 5168 wrote to memory of 4164 5168 JaffaCakes118_9084424159e638db3a727adc8c382a3a.exe 87 PID 5168 wrote to memory of 4164 5168 JaffaCakes118_9084424159e638db3a727adc8c382a3a.exe 87 PID 5168 wrote to memory of 4164 5168 JaffaCakes118_9084424159e638db3a727adc8c382a3a.exe 87 PID 5168 wrote to memory of 4164 5168 JaffaCakes118_9084424159e638db3a727adc8c382a3a.exe 87 PID 5168 wrote to memory of 4164 5168 JaffaCakes118_9084424159e638db3a727adc8c382a3a.exe 87 PID 5168 wrote to memory of 4164 5168 JaffaCakes118_9084424159e638db3a727adc8c382a3a.exe 87 PID 5168 wrote to memory of 4164 5168 JaffaCakes118_9084424159e638db3a727adc8c382a3a.exe 87 PID 5168 wrote to memory of 4164 5168 JaffaCakes118_9084424159e638db3a727adc8c382a3a.exe 87 PID 5168 wrote to memory of 4164 5168 JaffaCakes118_9084424159e638db3a727adc8c382a3a.exe 87 PID 5168 wrote to memory of 4164 5168 JaffaCakes118_9084424159e638db3a727adc8c382a3a.exe 87 PID 5168 wrote to memory of 4164 5168 JaffaCakes118_9084424159e638db3a727adc8c382a3a.exe 87 PID 5168 wrote to memory of 4164 5168 JaffaCakes118_9084424159e638db3a727adc8c382a3a.exe 87 PID 5168 wrote to memory of 4160 5168 JaffaCakes118_9084424159e638db3a727adc8c382a3a.exe 88 PID 5168 wrote to memory of 4160 5168 JaffaCakes118_9084424159e638db3a727adc8c382a3a.exe 88 PID 5168 wrote to memory of 4160 5168 JaffaCakes118_9084424159e638db3a727adc8c382a3a.exe 88 PID 5168 wrote to memory of 4160 5168 JaffaCakes118_9084424159e638db3a727adc8c382a3a.exe 88 PID 5168 wrote to memory of 4160 5168 JaffaCakes118_9084424159e638db3a727adc8c382a3a.exe 88 PID 5168 wrote to memory of 4160 5168 JaffaCakes118_9084424159e638db3a727adc8c382a3a.exe 88 PID 5168 wrote to memory of 4160 5168 JaffaCakes118_9084424159e638db3a727adc8c382a3a.exe 88 PID 5168 wrote to memory of 4160 5168 JaffaCakes118_9084424159e638db3a727adc8c382a3a.exe 88 PID 5168 wrote to memory of 4160 5168 JaffaCakes118_9084424159e638db3a727adc8c382a3a.exe 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9084424159e638db3a727adc8c382a3a.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9084424159e638db3a727adc8c382a3a.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5168 -
C:\Users\Admin\AppData\Roaming\Processname.exeC:\Users\Admin\AppData\Roaming\Processname.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4164
-
-
C:\Users\Admin\AppData\Roaming\Processname.exeC:\Users\Admin\AppData\Roaming\Processname.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4160
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\3 DEN VIDEO VREMENA.txt.sda.exe1⤵PID:464
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5ad846e189dca2d7f91e65f36db8ae4e6
SHA13e48f1009087a28d598b9b4a8be3b16c1323e2a0
SHA256bac8590d10b1ddb0df7cfaeaafbd011a82caf57de3bba0a5c40556c5f634c0f7
SHA512f984e761a890460ce8e31f33017ecb4e268c478f215072d9920658c456ac56b0260d82fda50148252d6c7cb882d519dfaf38aa3814698c3f597f851af8588e3b