Analysis
- max time kernel: 93s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-07-2024 08:37
- Static task: static1
- Behavioral task: behavioral1
- Sample: 21ba5dec8e7d7021a398190eda82c90a_JaffaCakes118.exe
- Resource: win7-20240508-en
General
- Target: 21ba5dec8e7d7021a398190eda82c90a_JaffaCakes118.exe
- Size: 346KB
- MD5: 21ba5dec8e7d7021a398190eda82c90a
- SHA1: 212fea82dca086308043dbc27c17791b8aae5863
- SHA256: e80730c033226893146971da32d924fd368df56a340523c03752c92e971e317f
- SHA512: cfb5c1ba3e5f1d296cc0e6fd2c036e9f9bb907da2fc82b7d636d9e837d79b6fccf8e1b41a98d4da91916f58a658708b6b19626e7a0c9729b351c9df26ba77957
- SSDEEP: 6144:kScwMXuUrdIHwfBrvGv8PC4SMhroCaBbONqDFenq64WXy2w4wjvX1KID52kz:kSpordIibPC4SMX74Fiqj5P1D5
Malware Config
Extracted
- Family: darkcomet
- Botnet: Guest16
- C2: smr9.no-ip.org:1604
- Mutex: DC_MUTEX-G4HJPCR
- InstallPath: MSDCSC\lsass
- gencode: 4RT1F8YxjhmW
- install: true
- offline_keylogger: false
- password: 123456
- persistence: true
- reg_key: lsass
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: 21ba5dec8e7d7021a398190eda82c90a_JaffaCakes118.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\MSDCSC\\lsass"
- YARA rule upx matched in memory (process 3192, region 0x0000000000400000-0x00000000004B7000):
  behavioral2/memory/3192-1-0x0000000000400000-0x00000000004B7000-memory.dmp
  behavioral2/memory/3192-0-0x0000000000400000-0x00000000004B7000-memory.dmp
  behavioral2/memory/3192-6-0x0000000000400000-0x00000000004B7000-memory.dmp
  behavioral2/memory/3192-8-0x0000000000400000-0x00000000004B7000-memory.dmp
  behavioral2/memory/3192-7-0x0000000000400000-0x00000000004B7000-memory.dmp
  behavioral2/memory/3192-4-0x0000000000400000-0x00000000004B7000-memory.dmp
  behavioral2/memory/3192-3-0x0000000000400000-0x00000000004B7000-memory.dmp
  behavioral2/memory/3192-24-0x0000000000400000-0x00000000004B7000-memory.dmp
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 21ba5dec8e7d7021a398190eda82c90a_JaffaCakes118.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "C:\\MSDCSC\\lsass"
- Suspicious use of SetThreadContext (1 IoC)
  PID 4608 (21ba5dec8e7d7021a398190eda82c90a_JaffaCakes118.exe) set thread context of PID 3192 (21ba5dec8e7d7021a398190eda82c90a_JaffaCakes118.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  Process: PID 3192, 21ba5dec8e7d7021a398190eda82c90a_JaffaCakes118.exe
  Tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 4608 (21ba5dec8e7d7021a398190eda82c90a_JaffaCakes118.exe) wrote to memory of PID 3192 (21ba5dec8e7d7021a398190eda82c90a_JaffaCakes118.exe), 8 times
Processes
- C:\Users\Admin\AppData\Local\Temp\21ba5dec8e7d7021a398190eda82c90a_JaffaCakes118.exe (PID 4608)
  Command line: "C:\Users\Admin\AppData\Local\Temp\21ba5dec8e7d7021a398190eda82c90a_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\21ba5dec8e7d7021a398190eda82c90a_JaffaCakes118.exe (PID 3192, child)
    Command line: C:\Users\Admin\AppData\Local\Temp\21ba5dec8e7d7021a398190eda82c90a_JaffaCakes118.exe
    - Modifies WinLogon for persistence
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\MSDCSC\lsass
  Filesize: 346KB
  MD5: 21ba5dec8e7d7021a398190eda82c90a
  SHA1: 212fea82dca086308043dbc27c17791b8aae5863
  SHA256: e80730c033226893146971da32d924fd368df56a340523c03752c92e971e317f
  SHA512: cfb5c1ba3e5f1d296cc0e6fd2c036e9f9bb907da2fc82b7d636d9e837d79b6fccf8e1b41a98d4da91916f58a658708b6b19626e7a0c9729b351c9df26ba77957
- memory/3192-1-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize: 732KB)
- memory/3192-0-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize: 732KB)
- memory/3192-6-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize: 732KB)
- memory/3192-8-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize: 732KB)
- memory/3192-7-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize: 732KB)
- memory/3192-4-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize: 732KB)
- memory/3192-3-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize: 732KB)
- memory/3192-24-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize: 732KB)
- memory/4608-5-0x0000000000400000-0x000000000045E000-memory.dmp (Filesize: 376KB)