Analysis
- max time kernel: 143s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 06-05-2024 07:29
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 1b6b13653278e38989a3ab4025a69a97_JaffaCakes118.exe
  - Resource: win7-20240221-en
General
- Target: 1b6b13653278e38989a3ab4025a69a97_JaffaCakes118.exe
- Size: 6.7MB
- MD5: 1b6b13653278e38989a3ab4025a69a97
- SHA1: 4d9573df4054a6cfc2d2d3ea91876368a95e405a
- SHA256: 1b75e1edeb875c5218baebebc304a5acab2de18c8970506d4fb0dfcae2ef13c4
- SHA512: 7b9e554a6414f1751addce0b158bfbc107f772c13e6dd52d16989f0f33c0afabe11a4d854afe2614166401cdffdf77564b79db894f2f61556cb91dc5525f325b
- SSDEEP: 196608:nwk9Yh8IRzdq9DK+C/J4X3hDzFLcje2x1Rzf+Qkc5OsHuyDjKa:nw79q9DdCJ41Geu1Rzf+lA7uyDjKa
Malware Config
Extracted
- Family: darkcomet
- Botnet: Guest16
- C2: andreprivet.ddns.net:1604
- Mutex: DC_MUTEX-RWR5U28
- InstallPath: zh-PH\WWAHost.exe
- gencode: WolGzuCR4Xlr
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: WAHost
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes: po.exe
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\zh-PH\\WWAHost.exe" (po.exe)
- Modifies firewall policy service (2 TTPs, 3 IoCs)
  Processes: WWAHost.exe
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (WWAHost.exe)
  - Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (WWAHost.exe)
  - Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" (WWAHost.exe)
- Sets file to hidden (1 TTP, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  Processes: attrib.exe, attrib.exe
  - PID 2000 attrib.exe
  - PID 1968 attrib.exe
- Executes dropped EXE (3 IoCs)
  Processes: 11.exe, po.exe, WWAHost.exe
  - PID 2508 11.exe
  - PID 2792 po.exe
  - PID 1780 WWAHost.exe
- Loads dropped DLL (8 IoCs)
  Processes: cmd.exe, 11.exe, po.exe
  - PID 2592 cmd.exe (1 event)
  - PID 2508 11.exe (5 events)
  - PID 2792 po.exe (2 events)
- Matches yara rule: upx
  Resources:
  - behavioral1/files/0x000a00000001445e-28.dat
  - behavioral1/memory/2792-46-0x0000000000400000-0x00000000004B7000-memory.dmp
  - behavioral1/memory/2508-43-0x00000000031E0000-0x0000000003297000-memory.dmp
  - behavioral1/memory/2508-35-0x00000000031E0000-0x0000000003297000-memory.dmp
  - behavioral1/memory/1780-60-0x0000000000400000-0x00000000004B7000-memory.dmp
  - behavioral1/memory/2792-103-0x0000000000400000-0x00000000004B7000-memory.dmp
  - behavioral1/memory/1780-109-0x0000000000400000-0x00000000004B7000-memory.dmp
  - behavioral1/memory/1780-110-0x0000000000400000-0x00000000004B7000-memory.dmp
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: po.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\WAHost = "C:\\Windows\\system32\\zh-PH\\WWAHost.exe" (po.exe)
- Drops file in System32 directory (3 IoCs)
  Processes: po.exe
  - File created: C:\Windows\SysWOW64\zh-PH\WWAHost.exe (po.exe)
  - File opened for modification: C:\Windows\SysWOW64\zh-PH\WWAHost.exe (po.exe)
  - File opened for modification: C:\Windows\SysWOW64\zh-PH\ (po.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: vlc.exe
  - PID 1928 vlc.exe
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  Processes: vlc.exe, WWAHost.exe
  - PID 1928 vlc.exe
  - PID 1780 WWAHost.exe
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Processes: po.exe, WWAHost.exe, vlc.exe
  - PID 2792 po.exe, tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  - PID 1780 WWAHost.exe, tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  - PID 1928 vlc.exe, tokens: 33, SeIncBasePriorityPrivilege
- Suspicious use of FindShellTrayWindow (8 IoCs)
  Processes: DllHost.exe, vlc.exe
  - PID 692 DllHost.exe (1 event)
  - PID 1928 vlc.exe (7 events)
- Suspicious use of SendNotifyMessage (6 IoCs)
  Processes: vlc.exe
  - PID 1928 vlc.exe (6 events)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: WWAHost.exe, vlc.exe
  - PID 1780 WWAHost.exe
  - PID 1928 vlc.exe
- Suspicious use of WriteProcessMemory (59 IoCs)
  Processes: 1b6b13653278e38989a3ab4025a69a97_JaffaCakes118.exe, cmd.exe, 11.exe, po.exe, cmd.exe, cmd.exe, WWAHost.exe
  - PID 2020 (1b6b13653278e38989a3ab4025a69a97_JaffaCakes118.exe) wrote to memory of PID 2592, procid_target 28 (4 events)
  - PID 2592 (cmd.exe) wrote to memory of PID 2508, procid_target 30 (4 events)
  - PID 2508 (11.exe) wrote to memory of PID 2792, procid_target 31 (4 events)
  - PID 2792 (po.exe) wrote to memory of PID 1912, procid_target 33 (4 events)
  - PID 2792 (po.exe) wrote to memory of PID 484, procid_target 34 (4 events)
  - PID 2792 (po.exe) wrote to memory of PID 1780, procid_target 37 (4 events)
  - PID 2508 (11.exe) wrote to memory of PID 1928, procid_target 38 (4 events)
  - PID 484 (cmd.exe) wrote to memory of PID 1968, procid_target 39 (4 events)
  - PID 1912 (cmd.exe) wrote to memory of PID 2000, procid_target 40 (4 events)
  - PID 1780 (WWAHost.exe) wrote to memory of PID 620, procid_target 41 (23 events)
- Views/modifies file attributes (1 TTP, 2 IoCs)
  Processes: attrib.exe, attrib.exe
  - PID 2000 attrib.exe
  - PID 1968 attrib.exe
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\1b6b13653278e38989a3ab4025a69a97_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1b6b13653278e38989a3ab4025a69a97_JaffaCakes118.exe"
  Signatures: Suspicious use of WriteProcessMemory
  PID: 2020
  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Roaming\start.bat" "
    Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    PID: 2592
    - [depth 3] C:\Users\Admin\AppData\Roaming\11.exe
      Command line: 11.exe -p03658512984 -dC:\Users\Admin\AppData\Roaming
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
      PID: 2508
      - [depth 4] C:\Users\Admin\AppData\Roaming\po.exe
        Command line: "C:\Users\Admin\AppData\Roaming\po.exe"
        Signatures: Modifies WinLogon for persistence; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        PID: 2792
        - [depth 5] C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\po.exe" +s +h
          Signatures: Suspicious use of WriteProcessMemory
          PID: 1912
          - [depth 6] C:\Windows\SysWOW64\attrib.exe
            Command line: attrib "C:\Users\Admin\AppData\Roaming\po.exe" +s +h
            Signatures: Sets file to hidden; Views/modifies file attributes
            PID: 2000
        - [depth 5] C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming" +s +h
          Signatures: Suspicious use of WriteProcessMemory
          PID: 484
          - [depth 6] C:\Windows\SysWOW64\attrib.exe
            Command line: attrib "C:\Users\Admin\AppData\Roaming" +s +h
            Signatures: Sets file to hidden; Views/modifies file attributes
            PID: 1968
        - [depth 5] C:\Windows\SysWOW64\zh-PH\WWAHost.exe
          Command line: "C:\Windows\system32\zh-PH\WWAHost.exe"
          Signatures: Modifies firewall policy service; Executes dropped EXE; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
          PID: 1780
          - [depth 6] C:\Windows\SysWOW64\notepad.exe
            Command line: notepad
            PID: 620
      - [depth 4] C:\Program Files\VideoLAN\VLC\vlc.exe
        Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\12.mp3"
        Signatures: Suspicious behavior: AddClipboardFormatListener; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
        PID: 1928
- [depth 1] C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  Signatures: Suspicious use of FindShellTrayWindow
  PID: 692
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads