Analysis
max time kernel: 149s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-06-2024 05:39
Behavioral task behavioral1
Sample: 18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Resource: win7-20240611-en
Behavioral task behavioral2
Sample: 18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Resource: win10v2004-20240508-en
The signatures, process tree and dumps on this page come from behavioral2 (platform windows10-2004_x64 above); the win7 run is a separate report.
General
Target: 18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Size: 650KB
MD5: 18fb8efcf5d20eee45ac7b65d4adcba8
SHA1: 0e9e982364df02f61ae38598b9bae7fdf88cedce
SHA256: 09da8c179c90ad0b2f8813465e2c17154b08be99f31601591adb68b54acaa014
SHA512: a07d98e70d50371c7ffb4e313a0e5985757cbe7a98f5db511c356ef577f49682236180ee394feb5844b26b551ce9b79b7eda15d1265a0ee33671936e8364611b
SSDEEP: 12288:Lk0QVlhmPojAPTMEsUTg0oChO/Q2JbsbjPbN5qhRTtYe3f+Iw86k/9/+5:g0QRWoJEfg0oChGdJQbjPbNW5tYeP+GI
Malware Config
Extracted
Family: darkcomet
Botnet / campaign ID: Trojan -Anto
C2:
  79.44.153.226:1604
  192.168.1.12:1604
  127.0.0.1:1604
  pazzo90.no-ip.org:1604
Mutex: DC_MUTEX-1ZU7GL5
InstallPath: Microsoft.exe
gencode: fcbHLDnEBLN6
install: true
offline_keylogger: true
persistence: true
reg_key: cvhost
Only 79.44.153.226 and the dynamic-DNS name pazzo90.no-ip.org are usable network indicators; 192.168.1.12 and 127.0.0.1 are private and loopback addresses left in the builder configuration and identify nothing. Port 1604 is DarkComet's default. InstallPath and reg_key map directly onto the Microsoft.exe drop and the cvhost Run value recorded in the signatures below.
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  process: 18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft.exe"
  The stock UserInit value is userinit.exe alone. Winlogon launches every comma-separated entry at interactive logon, so the appended Microsoft.exe keeps running even if the Run key below is cleaned up. The write goes to HKLM, which needs administrative rights; the sandbox's Admin account has them.
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  process: 18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
  Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation
  Plenty of legitimate software reads Geo\Nation, so on its own this is a weak signal; it matters only in combination with the persistence above.
Executes dropped EXE (1 IoC)
  pid 4364  Microsoft.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cvhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft.exe"  (written by 18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cvhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft.exe"  (written by Microsoft.exe)
  The value name cvhost is the reg_key from the extracted config. The dropper writes it once and the dropped copy rewrites it again on start.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). No IoC recorded.
Modifies registry class (1 IoC)
  process: 18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Runs ping.exe (1 TTP, 1 IoC)
  See the cmd.exe / PING.EXE chain in the process tree.
Suspicious use of AdjustPrivilegeToken (48 IoCs)
  pid 2948 (18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe) and pid 4364 (Microsoft.exe) each enable the same 24 privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and privilege LUIDs 33, 34, 35, 36 (SeIncreaseWorkingSet, SeTimeZone, SeCreateSymbolicLink, SeDelegateSessionUserImpersonate).
  This is a blanket "enable everything in the token" sweep rather than a targeted SeDebugPrivilege request; the sweep itself is the detection signal.
Suspicious use of SetWindowsHookEx (1 IoC)
  pid 4364  Microsoft.exe
  Consistent with offline_keylogger = true in the extracted config; a Windows hook is a common keystroke-capture mechanism.
Suspicious use of WriteProcessMemory (9 IoCs)
  PID 2948 (18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe) wrote to memory of 1324 (cmd.exe), 3 entries
  PID 1324 (cmd.exe) wrote to memory of 3304 (PING.EXE), 3 entries
  PID 2948 (18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe) wrote to memory of 4364 (Microsoft.exe), 3 entries
  Every target is the writer's own freshly created child; no write into an unrelated process is recorded.
Processes
1  C:\Users\Admin\AppData\Local\Temp\18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
   "C:\Users\Admin\AppData\Local\Temp\18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe"
   - Modifies WinLogon for persistence
   - Checks computer location settings
   - Adds Run key to start application
   - Modifies registry class
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2  C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Local\Temp\18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe"
      - Suspicious use of WriteProcessMemory
      3  C:\Windows\SysWOW64\PING.EXE
         ping 127.0.0.1 -n 4
         - Runs ping.exe
   2  C:\Users\Admin\AppData\Roaming\Microsoft.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
The cmd.exe chain is the usual delete-after-a-delay trick: four loopback pings take roughly three seconds, long enough for the dropper to exit before del removes it from %TEMP%, leaving only the %APPDATA%\Microsoft.exe copy. The command line names System32\cmd.exe but the executed image is SysWOW64\cmd.exe, which shows the sample is a 32-bit binary running under WOW64 file-system redirection (the WOW6432Node class key above says the same).
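The three behaviours in this report that are worth a detection rule are the extra UserInit entry, the Run value pointing into a user-writable directory, and the cmd.exe ping-then-del self-delete. The Python below is an added example and is not part of this report or of any sandbox vendor's code. It runs those three checks over a handful of constructed event records that mirror the IoCs above; the record fields (key, name, data, image, cmdline, parent) are the example's own naming, not Sysmon's, and the two benign records are made up as controls.

```python
"""Hunt for the persistence and self-delete behaviour recorded in the report.

Added example, not part of the sandbox report. The events are constructed
to mirror the report's IoCs; in production they would be fed from Sysmon
(Event ID 1 process create, Event ID 13 registry value set)."""
import re

# Constructed sample events modelled on the report's IoCs (not real telemetry).
EVENTS = [
    {"type": "reg_set",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "name": "UserInit",
     "data": r"C:\Windows\system32\userinit.exe,C:\Users\Admin\AppData\Roaming\Microsoft.exe",
     "image": r"C:\Users\Admin\AppData\Local\Temp\18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe"},
    {"type": "reg_set",
     "key": r"HKU\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "cvhost",
     "data": r"C:\Users\Admin\AppData\Roaming\Microsoft.exe",
     "image": r"C:\Users\Admin\AppData\Roaming\Microsoft.exe"},
    {"type": "proc",
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Local\Temp\18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe"',
     "parent": r"C:\Users\Admin\AppData\Local\Temp\18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe"},
    # Benign controls (constructed): the stock UserInit value and a normal Run entry.
    {"type": "reg_set",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "name": "UserInit",
     "data": r"C:\Windows\system32\userinit.exe,",
     "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "reg_set",
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "OneDrive",
     "data": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
     "image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]

# The only entry that belongs in UserInit. Every other comma-separated entry
# is launched by winlogon at each interactive logon, which DarkComet abuses.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Directories a legitimate autostart rarely lives in (heuristic).
USER_WRITABLE = re.compile(r"\\appdata\\(roaming|local)\\|\\temp\\|\\users\\public\\", re.I)

# "ping <host> -n N && del <file>": sleep via ping, then delete with a built-in.
PING_DEL = re.compile(r"\bping\b[^&]*?\s-n\s+\d+.*&&\s*del\b", re.I)


def check_userinit(data: str) -> list[str]:
    """Return the UserInit entries that are not the stock userinit.exe."""
    entries = [e.strip() for e in data.split(",") if e.strip()]
    return [e for e in entries if e.lower() != EXPECTED_USERINIT]


def check_run_key(data: str) -> bool:
    """Flag Run values whose target sits in a user-writable directory."""
    return bool(USER_WRITABLE.search(data))


def check_self_delete(cmdline: str, parent: str) -> bool:
    """Flag cmd.exe ping/del chains whose del target is the parent's own image."""
    if not PING_DEL.search(cmdline):
        return False
    m = re.search(r'del\s+"?([^"]+?)"?\s*$', cmdline, re.I)
    return bool(m) and m.group(1).lower() == parent.lower()


def hunt(events: list[dict]) -> list[tuple[str, str]]:
    """Run every check over the events and return (rule, detail) hits in order."""
    hits = []
    for ev in events:
        if ev["type"] == "reg_set":
            if ev["name"].lower() == "userinit" and ev["key"].lower().endswith("winlogon"):
                for extra in check_userinit(ev["data"]):
                    hits.append(("winlogon_userinit_append", extra))
            elif ev["key"].lower().endswith("currentversion\\run") and check_run_key(ev["data"]):
                hits.append(("run_key_user_writable", f'{ev["name"]} -> {ev["data"]}'))
        elif ev["type"] == "proc" and check_self_delete(ev["cmdline"], ev["parent"]):
            hits.append(("ping_delay_self_delete", ev["parent"]))
    return hits


if __name__ == "__main__":
    for rule, detail in hunt(EVENTS):
        print(f"{rule}: {detail}")
```

The UserInit check compares against the single stock entry instead of looking for a known-bad path, so it also catches a dropper that chose a name other than Microsoft.exe. The Run-key check is a heuristic and will fire on some legitimate per-user installers; in a real rule pair it with the image path of the writing process, which here is the same unsigned binary in %APPDATA%.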
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft.exe
  Filesize: 650KB
  MD5: 18fb8efcf5d20eee45ac7b65d4adcba8
  SHA1: 0e9e982364df02f61ae38598b9bae7fdf88cedce
  SHA256: 09da8c179c90ad0b2f8813465e2c17154b08be99f31601591adb68b54acaa014
  SHA512: a07d98e70d50371c7ffb4e313a0e5985757cbe7a98f5db511c356ef577f49682236180ee394feb5844b26b551ce9b79b7eda15d1265a0ee33671936e8364611b
  Hashes are identical to the submitted sample: the dropper copies itself unmodified to %APPDATA% and deletes the original, so one file hash covers both the dropper and the persisted copy.
Memory dumps
  memory/2948-0-0x0000000002270000-0x0000000002271000-memory.dmp   4KB
  memory/2948-62-0x0000000000400000-0x00000000004B0000-memory.dmp  704KB
  memory/4364-63-0x0000000002240000-0x0000000002241000-memory.dmp  4KB
  memory/4364-64-0x0000000000400000-0x00000000004B0000-memory.dmp  704KB
  memory/4364-65-0x0000000000400000-0x00000000004B0000-memory.dmp  704KB
  memory/4364-66-0x0000000000400000-0x00000000004B0000-memory.dmp  704KB
  memory/4364-68-0x0000000000400000-0x00000000004B0000-memory.dmp  704KB
  memory/4364-70-0x0000000000400000-0x00000000004B0000-memory.dmp  704KB
  memory/4364-75-0x0000000000400000-0x00000000004B0000-memory.dmp  704KB
  The 0x400000-0x4B0000 region (0xB0000 bytes, 704KB) is the mapped image of the 32-bit executable in both pid 2948 and pid 4364; the repeated dumps of pid 4364 are successive snapshots of that same mapping, not new allocations. The dumps of the mapped image are the place to look for the in-memory DarkComet configuration that the extractor above parsed.