Analysis
max time kernel: 149s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-07-2024 05:16
Behavioral task behavioral1: Sample 24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe, Resource win7-20240220-en
Behavioral task behavioral2: Sample 24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe, Resource win10v2004-20240611-en
General
Target: 24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe
Size: 650KB
MD5: 24c1e5d419b0eecccc15a74b7c56edeb
SHA1: d67d5dea6e2d3bba041a59b9b60c877ac25931c0
SHA256: 8974b93e1437e29d027c8e69c22b4d95b81fa541db02a9848d73a3ae3c231511
SHA512: e72e93f3d5910a231fb4c6b1cf4e6a5b11e929cca76fdf15a4df890c569d59314a64d3ab5bb4f5be004331a870ef303a099c045d94db5e68b1794b613db12986
SSDEEP: 12288:Lk0QVlhmPojAPTMEsUTg0oChO/Q2JbsbjPbN5qhRTtYe3f+Iw86k/9/+c:g0QRWoJEfg0oChGdJQbjPbNW5tYeP+GJ
Malware Config
Extracted
Family: darkcomet
Botnet/server ID: JAVAappDrBy1
C2: epiclegit.no-ip.biz:1337
Mutex: DC_MUTEX-V0B2QA6
InstallPath: Java\JavawsJRE06.exe (relative to %APPDATA%, see the Run key and Userinit values below)
gencode: kCoeYQ87hhHK
install: true
offline_keylogger: true
persistence: true
reg_key: JavaUpdater
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Process 24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Java\\JavawsJRE06.exe"
Userinit is a comma-separated list; the stock value is userinit.exe alone, and every extra path in it is launched by Winlogon at each interactive logon.
Modifies firewall policy service (3 TTPs, 3 IoCs)
Process JavawsJRE06.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Process JavawsJRE06.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
Process JavawsJRE06.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"
EnableFirewall = 0 turns the Windows Firewall off for that profile.
Modifies security service (2 TTPs, 1 IoC)
Process JavawsJRE06.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"
Start = 4 is SERVICE_DISABLED: the Security Center service (wscsvc) will no longer start at boot.
Windows security bypass (signature name as shown for JavawsJRE06.exe in the process tree)
Process JavawsJRE06.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Process JavawsJRE06.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
The values land under WOW6432Node because the 32-bit process is subject to registry redirection on 64-bit Windows.
Sets file to hidden (1 TTPs, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes: attrib.exe (PID 1408), attrib.exe (PID 740)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Process 24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe: Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation
Executes dropped EXE (1 IoC)
Process: JavawsJRE06.exe (PID 1968)
Windows security modification (signature name as shown for JavawsJRE06.exe in the process tree)
Process JavawsJRE06.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Process JavawsJRE06.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Adds Run key to start application (2 TTPs, 2 IoCs)
Process 24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Java\\JavawsJRE06.exe"
Process JavawsJRE06.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Java\\JavawsJRE06.exe"
The value name matches reg_key in the extracted config; both the dropper and the installed copy (re)write it.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Runs ping.exe (1 TTPs, 1 IoC)
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Both 24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe (PID 5088) and JavawsJRE06.exe (PID 1968) call AdjustTokenPrivileges for the same 24 privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and privileges 33, 34, 35 and 36.
Suspicious use of SetWindowsHookEx (1 IoC)
Process: JavawsJRE06.exe (PID 1968). A Windows hook is the usual user-mode keylogging mechanism, consistent with offline_keylogger = true in the extracted config.
Suspicious use of WriteProcessMemory (21 IoCs)
Each parent-to-child write is logged three times; the seven distinct pairs are:
PID 5088 (24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe) wrote to memory of PID 4604 (cmd.exe)
PID 5088 (24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe) wrote to memory of PID 4724 (cmd.exe)
PID 5088 (24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe) wrote to memory of PID 4296 (cmd.exe)
PID 5088 (24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe) wrote to memory of PID 1968 (JavawsJRE06.exe)
PID 4604 (cmd.exe) wrote to memory of PID 1408 (attrib.exe)
PID 4724 (cmd.exe) wrote to memory of PID 740 (attrib.exe)
PID 4296 (cmd.exe) wrote to memory of PID 3952 (PING.EXE)
Every write goes from a parent into a child it has just created, which matches ordinary process creation rather than injection into an unrelated process.
Views/modifies file attributes (1 TTPs, 2 IoCs)
Processes: attrib.exe (PID 1408), attrib.exe (PID 740)
Processes
The sample is 32-bit: the System32 paths in its command lines resolve to SysWOW64 through file-system redirection, and the PIDs below are taken from the WriteProcessMemory IoCs above.
C:\Users\Admin\AppData\Local\Temp\24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe (PID 5088)
  command line: "C:\Users\Admin\AppData\Local\Temp\24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe" +s +h
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\attrib.exe
      command line: attrib "C:\Users\Admin\AppData\Local\Temp\24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe" +s +h
      - Sets file to hidden
      - Views/modifies file attributes
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\attrib.exe
      command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Sets file to hidden
      - Views/modifies file attributes
  C:\Windows\SysWOW64\cmd.exe (PID 4296)
    command line: "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Local\Temp\24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE (PID 3952)
      command line: ping 127.0.0.1 -n 4
      - Runs ping.exe
  C:\Users\Admin\AppData\Roaming\Java\JavawsJRE06.exe (PID 1968)
    command line: "C:\Users\Admin\AppData\Roaming\Java\JavawsJRE06.exe"
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (separate top-level process, not a child of the sample)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4308,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=3584 /prefetch:8
The three cmd.exe children implement the dropper's clean-up: two attrib calls mark the original file and the whole Temp directory system+hidden, and "ping 127.0.0.1 -n 4" is a delay loop that gives the dropper time to exit before del removes it. The installed copy under %APPDATA%\Java then carries on as the persistent implant.
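The registry values and command lines in the Signatures and Processes sections above are the artifacts a defender would hunt for. The following is an added example, not part of the sandbox report and not code from any vendor: it runs constructed Sysmon-style events (modelled on this report's IoCs, plus two benign controls) through detection rules for the Winlogon Userinit hijack, the Run key into AppData, the firewall-profile and wscsvc changes, the Security Center notification values, the ping-then-del self-deletion and the attrib +s +h hiding. The event field names, rule names and the stand-in file name "dropper.exe" are assumptions made for the example.

```python
"""Rule-based triage of the host artifacts this DarkComet sample leaves.

Added example, not part of the sandbox report: constructed events modelled
on the report's registry IoCs and process command lines are run through
rules a detection engineer would write for Sysmon event ID 13 (registry
value set) and event ID 1 (process create). Field names, rule names and
the stand-in file name "dropper.exe" are assumptions for this example.
"""
import re

# Stock Winlogon Userinit entry; a production check should derive it from %SystemRoot%.
USERINIT_DEFAULT = r"c:\windows\system32\userinit.exe"
RUN_KEY = "\\currentversion\\run\\"
APPDATA = "\\appdata\\"
FW_POLICY = "\\firewallpolicy\\"
SEC_CENTER = "\\security center\\"

# "ping 127.0.0.1 -n <n> && del <path>": the delay-then-delete idiom from the process tree.
SELF_DELETE_RE = re.compile(
    r'ping\s+127\.0\.0\.1\s+-n\s+\d+\s*&&\s*del\s+"?([^"]+?)"?\s*$', re.IGNORECASE)
QUOTED_ARG_RE = re.compile(r'"([^"]+)"')

# Constructed sample events (not a real log export); the last of each kind is a benign control.
EVENTS = [
    {"type": "reg", "image": "dropper.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "data": r"C:\Windows\system32\userinit.exe,C:\Users\Admin\AppData\Roaming\Java\JavawsJRE06.exe"},
    {"type": "reg", "image": "dropper.exe",
     "key": r"HKU\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdater",
     "data": r"C:\Users\Admin\AppData\Roaming\Java\JavawsJRE06.exe"},
    {"type": "reg", "image": "JavawsJRE06.exe",
     "key": r"HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall",
     "data": "0"},
    {"type": "reg", "image": "JavawsJRE06.exe",
     "key": r"HKLM\SYSTEM\ControlSet001\Services\wscsvc\Start", "data": "4"},
    {"type": "reg", "image": "JavawsJRE06.exe",
     "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify",
     "data": "1"},
    {"type": "reg", "image": "setup.exe",  # benign: stock Userinit value, trailing comma
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "data": r"C:\Windows\system32\userinit.exe,"},
    {"type": "proc", "image": "cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Local\Temp\dropper.exe"'},
    {"type": "proc", "image": "attrib.exe",
     "cmd": r'attrib "C:\Users\Admin\AppData\Local\Temp\dropper.exe" +s +h'},
    {"type": "proc", "image": "ping.exe", "cmd": "ping 8.8.8.8 -n 1"},  # benign control
]


def check_registry(ev):
    """Return [(rule, detail)] for a registry-set event; empty list if nothing fires."""
    key, data = ev["key"].lower(), ev["data"].strip().lower()
    name = key.rsplit("\\", 1)[-1]
    hits = []
    if key.endswith("\\winlogon\\userinit"):
        # Anything beyond the stock userinit.exe entry runs at every interactive logon.
        extra = [p.strip() for p in data.split(",") if p.strip() and p.strip() != USERINIT_DEFAULT]
        if extra:
            hits.append(("winlogon_userinit_hijack", extra[0]))
    if RUN_KEY in key and APPDATA in data:
        hits.append(("run_key_to_appdata", data))
    if FW_POLICY in key and name == "enablefirewall" and data == "0":
        hits.append(("firewall_profile_disabled", key))
    if key.endswith("\\services\\wscsvc\\start") and data == "4":
        hits.append(("security_center_service_disabled", key))  # 4 = SERVICE_DISABLED
    if SEC_CENTER in key and name.endswith("disablenotify") and data == "1":
        hits.append(("security_center_notifications_off", name))
    return hits


def check_process(ev):
    """Return [(rule, detail)] for a process-create event; empty list if nothing fires."""
    cmd, hits = ev["cmd"], []
    m = SELF_DELETE_RE.search(cmd)
    if m:
        hits.append(("self_delete_after_ping", m.group(1)))
    tokens = cmd.lower().split()
    if "attrib" in cmd.lower() and "+s" in tokens and "+h" in tokens:
        q = QUOTED_ARG_RE.search(cmd)
        hits.append(("hide_with_attrib", q.group(1) if q else cmd))
    return hits


def triage(events):
    """Map each rule that fired to the [(image, detail)] pairs that fired it."""
    report = {}
    for ev in events:
        hits = check_registry(ev) if ev["type"] == "reg" else check_process(ev)
        for rule, detail in hits:
            report.setdefault(rule, []).append((ev["image"], detail))
    return report


if __name__ == "__main__":
    for rule, matches in triage(EVENTS).items():
        for image, detail in matches:
            print(f"{rule:36s} {image:16s} {detail}")
```

The Userinit rule is the one worth keeping strict: it compares the whole comma-separated list against the stock entry instead of looking for a known bad path, so any second entry fires regardless of the file name the implant chooses. The self-deletion and attrib rules key on the command-line shape, which is what survives when the dropper has already removed itself from disk.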
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence: Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1); Create or Modify System Process (2): Windows Service (2)
Privilege Escalation: Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1); Create or Modify System Process (2): Windows Service (2)
Downloads
C:\Users\Admin\AppData\Roaming\Java\JavawsJRE06.exe
Filesize: 650KB
MD5: 24c1e5d419b0eecccc15a74b7c56edeb
SHA1: d67d5dea6e2d3bba041a59b9b60c877ac25931c0
SHA256: 8974b93e1437e29d027c8e69c22b4d95b81fa541db02a9848d73a3ae3c231511
SHA512: e72e93f3d5910a231fb4c6b1cf4e6a5b11e929cca76fdf15a4df890c569d59314a64d3ab5bb4f5be004331a870ef303a099c045d94db5e68b1794b613db12986
The hashes are identical to the submitted sample: the installed copy is a byte-for-byte copy of the dropper, so the hashes in the General section cover both files.
Memory dumps (0x00400000 is the default image base of a 32-bit PE, so the 704KB regions are the main module of each process as it ran):
memory/1968-15-0x00000000007A0000-0x00000000007A1000-memory.dmp: 4KB
memory/1968-16-0x0000000000400000-0x00000000004B0000-memory.dmp: 704KB
memory/1968-17-0x0000000000400000-0x00000000004B0000-memory.dmp: 704KB
memory/1968-20-0x0000000000400000-0x00000000004B0000-memory.dmp: 704KB
memory/1968-22-0x0000000000400000-0x00000000004B0000-memory.dmp: 704KB
memory/1968-25-0x0000000000400000-0x00000000004B0000-memory.dmp: 704KB
memory/1968-29-0x0000000000400000-0x00000000004B0000-memory.dmp: 704KB
memory/5088-0-0x0000000000680000-0x0000000000681000-memory.dmp: 4KB
memory/5088-14-0x0000000000400000-0x00000000004B0000-memory.dmp: 704KB