Analysis
-
max time kernel
1s -
max time network
4s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
29/03/2025, 19:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
JaffaCakes118_94ec8fdf1581f256ea078ee520e2666e.exe
Resource
win7-20240903-en
5 signatures
150 seconds
General
-
Target
JaffaCakes118_94ec8fdf1581f256ea078ee520e2666e.exe
-
Size
501KB
-
MD5
94ec8fdf1581f256ea078ee520e2666e
-
SHA1
61cbc6e9652f435b7a524e22726bb25aa5ad507d
-
SHA256
1fe23f2a3cae5c252fce011484c5e25f545bb6b45b4f28fd73901ebe2bafccf8
-
SHA512
662bfba1f73c910473a93ee24b73e631c1cb0b40774a12a8d503259a5d87d22a4b380151558215a169b241bd6aa5f9ad92b39a257181bcae82af6a4d45c025a7
-
SSDEEP
12288:7FEuFzdodXf3wxH5fKy86zgbAL5EDWeSizzA78LH0tDsBQJ:7FPzdo1f3aH5VTga5EDoiPA4L0XJ
Malware Config
Extracted
Family
darkcomet
Attributes
- gencode
-
install
false
-
offline_keylogger
false
-
persistence
false
rc4.plain
Signatures
-
Darkcomet family
-
Uses the VBS compiler for execution 1 TTPs
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_94ec8fdf1581f256ea078ee520e2666e.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1284 wrote to memory of 1592 1284 JaffaCakes118_94ec8fdf1581f256ea078ee520e2666e.exe 28 PID 1284 wrote to memory of 1592 1284 JaffaCakes118_94ec8fdf1581f256ea078ee520e2666e.exe 28 PID 1284 wrote to memory of 1592 1284 JaffaCakes118_94ec8fdf1581f256ea078ee520e2666e.exe 28 PID 1284 wrote to memory of 1592 1284 JaffaCakes118_94ec8fdf1581f256ea078ee520e2666e.exe 28 PID 1284 wrote to memory of 1592 1284 JaffaCakes118_94ec8fdf1581f256ea078ee520e2666e.exe 28 PID 1284 wrote to memory of 1592 1284 JaffaCakes118_94ec8fdf1581f256ea078ee520e2666e.exe 28 PID 1284 wrote to memory of 1592 1284 JaffaCakes118_94ec8fdf1581f256ea078ee520e2666e.exe 28 PID 1284 wrote to memory of 1592 1284 JaffaCakes118_94ec8fdf1581f256ea078ee520e2666e.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_94ec8fdf1581f256ea078ee520e2666e.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_94ec8fdf1581f256ea078ee520e2666e.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe2⤵PID:1592
-