Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 28-06-2024 05:39
Behavioral task: behavioral1
- Sample: 18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: 18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
- Size: 650KB
- MD5: 18fb8efcf5d20eee45ac7b65d4adcba8
- SHA1: 0e9e982364df02f61ae38598b9bae7fdf88cedce
- SHA256: 09da8c179c90ad0b2f8813465e2c17154b08be99f31601591adb68b54acaa014
- SHA512: a07d98e70d50371c7ffb4e313a0e5985757cbe7a98f5db511c356ef577f49682236180ee394feb5844b26b551ce9b79b7eda15d1265a0ee33671936e8364611b
- SSDEEP: 12288:Lk0QVlhmPojAPTMEsUTg0oChO/Q2JbsbjPbN5qhRTtYe3f+Iw86k/9/+5:g0QRWoJEfg0oChGdJQbjPbNW5tYeP+GI
Malware Config
Extracted: darkcomet
- Trojan -Anto
- 79.44.153.226:1604
- 192.168.1.12:1604
- 127.0.0.1:1604
- pazzo90.no-ip.org:1604
- DC_MUTEX-1ZU7GL5
- InstallPath: Microsoft.exe
- gencode: fcbHLDnEBLN6
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: cvhost
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft.exe" by 18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
- Deletes itself (1 IoC)
  PID 2124 cmd.exe
- Executes dropped EXE (1 IoC)
  PID 2784 Microsoft.exe
- Loads dropped DLL (2 IoCs)
  PID 2200 18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe (2 loads)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft.exe" by 18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft.exe" by Microsoft.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  PID 2200 18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  PID 2784 Microsoft.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2784 Microsoft.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2200 (18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe) wrote to memory of PID 2124 (cmd.exe), 4 times
  PID 2124 (cmd.exe) wrote to memory of PID 2316 (PING.EXE), 4 times
  PID 2200 (18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe) wrote to memory of PID 2784 (Microsoft.exe), 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe"
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Local\Temp\18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1 -n 4
      - Runs ping.exe
  - C:\Users\Admin\AppData\Roaming\Microsoft.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Downloads
- \Users\Admin\AppData\Roaming\Microsoft.exe (650KB)
  MD5: 18fb8efcf5d20eee45ac7b65d4adcba8
  SHA1: 0e9e982364df02f61ae38598b9bae7fdf88cedce
  SHA256: 09da8c179c90ad0b2f8813465e2c17154b08be99f31601591adb68b54acaa014
  SHA512: a07d98e70d50371c7ffb4e313a0e5985757cbe7a98f5db511c356ef577f49682236180ee394feb5844b26b551ce9b79b7eda15d1265a0ee33671936e8364611b
- memory/2200-0-0x0000000000260000-0x0000000000261000-memory.dmp (4KB)
- memory/2200-12-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
- memory/2784-13-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
- memory/2784-14-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
- memory/2784-15-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
- memory/2784-17-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
- memory/2784-19-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
- memory/2784-21-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
- memory/2784-23-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
- memory/2784-25-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)