Analysis
- max time kernel: 140s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 02-07-2024 04:04

Static task: static1
Behavioral task: behavioral1
Sample: 1df0c7c729ccdc49e0fc71819412132a_JaffaCakes118.exe
Resource: win7-20240611-en
General
- Target: 1df0c7c729ccdc49e0fc71819412132a_JaffaCakes118.exe
- Size: 481KB
- MD5: 1df0c7c729ccdc49e0fc71819412132a
- SHA1: ecebd81250c6b16e35d3924a4c39f3c3dd453f90
- SHA256: a1de09c8da8de9a7c9c82714862048aadcc3871092215a974ad5fbad3abca818
- SHA512: 6c568d367881071bfba3cc9139358283e0c172c36574cb7c6106b45865b447f6fa023cf88f1a47356f2c3b01c12c0c8fa67c982515c569664cd386f1dcba0de5
- SSDEEP: 12288:avqCFCIMdZwuPTkKfVyBltKPsxBVr0Qho:QTCHFkKfcvKPs5oQho
Malware Config
Extracted
darkcomet
Guest16
127.0.0.1:1604
DC_MUTEX-4HXZTX0
- gencode: k01PruSfoVRz
- install: false
- offline_keylogger: true
- persistence: false
Signatures
- Loads dropped DLL (1 IoC)
  Processes:
    PID 2764  1df0c7c729ccdc49e0fc71819412132a_JaffaCakes118.exe
- Drops file in System32 directory (4 IoCs)
  Processes:
    File opened for modification  C:\Windows\SysWOW64\PSAPI.DLL   1df0c7c729ccdc49e0fc71819412132a_JaffaCakes118.exe
    File created                  C:\Windows\SysWOW64\PSAPI.DLL   1df0c7c729ccdc49e0fc71819412132a_JaffaCakes118.exe
    File opened for modification  C:\Windows\SysWOW64\unicows.dll 1df0c7c729ccdc49e0fc71819412132a_JaffaCakes118.exe
    File created                  C:\Windows\SysWOW64\unicows.dll 1df0c7c729ccdc49e0fc71819412132a_JaffaCakes118.exe
- Program crash (1 IoC)
  Processes:
    PID 3064  WerFault.exe  (target PID 2764, 1df0c7c729ccdc49e0fc71819412132a_JaffaCakes118.exe)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    PID 2764 (1df0c7c729ccdc49e0fc71819412132a_JaffaCakes118.exe) wrote to memory of PID 3064 (WerFault.exe)  (reported 4 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\1df0c7c729ccdc49e0fc71819412132a_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1df0c7c729ccdc49e0fc71819412132a_JaffaCakes118.exe"
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 276
      - Program crash
Network
MITRE ATT&CK Matrix
Downloads
-
- \Windows\SysWOW64\unicows.dll
  Filesize: 240KB
  MD5: 006401678cfbccbcb97e405e2f83d2fa
  SHA1: 0976db1b5b9aa69e77fa25c35c8189e3ef851ffc
  SHA256: a491c11f667fda3fb3311f6221bca15e4da159df4c12f7a7a0cfbf99f2b7c60b
  SHA512: ef24dd6c6781c843a9730622f44d260e8db4fc365726aa918805d336c1f25659cf43df7400efd4307da3cca54c2e9c4f4cfbf3c10d974d37a4033c9624cc8d92
- memory/2764-2-0x00000000002E0000-0x000000000031E000-memory.dmp
  Filesize: 248KB
- memory/2764-4-0x0000000000400000-0x00000000004DB000-memory.dmp
  Filesize: 876KB
- memory/2764-5-0x0000000000400000-0x00000000004DB000-memory.dmp
  Filesize: 876KB