Analysis
max time kernel: 150s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-05-2024 07:29
Static task: static1
Behavioral task: behavioral1
Sample: 1b6b13653278e38989a3ab4025a69a97_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: 1b6b13653278e38989a3ab4025a69a97_JaffaCakes118.exe
Size: 6.7MB
MD5: 1b6b13653278e38989a3ab4025a69a97
SHA1: 4d9573df4054a6cfc2d2d3ea91876368a95e405a
SHA256: 1b75e1edeb875c5218baebebc304a5acab2de18c8970506d4fb0dfcae2ef13c4
SHA512: 7b9e554a6414f1751addce0b158bfbc107f772c13e6dd52d16989f0f33c0afabe11a4d854afe2614166401cdffdf77564b79db894f2f61556cb91dc5525f325b
SSDEEP: 196608:nwk9Yh8IRzdq9DK+C/J4X3hDzFLcje2x1Rzf+Qkc5OsHuyDjKa:nw79q9DdCJ41Geu1Rzf+lA7uyDjKa
Malware Config
Extracted
Family: darkcomet
Campaign ID: Guest16
C2: andreprivet.ddns.net:1604
Mutex: DC_MUTEX-RWR5U28
InstallPath: zh-PH\WWAHost.exe
gencode: WolGzuCR4Xlr
install: true
offline_keylogger: true
persistence: false
reg_key: WAHost
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: po.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\zh-PH\\WWAHost.exe" | po.exe
Modifies firewall policy service (2 TTPs, 3 IoCs)
Processes: WWAHost.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | WWAHost.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | WWAHost.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | WWAHost.exe
Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes: attrib.exe, attrib.exe
pid | Process
2812 | attrib.exe
1312 | attrib.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 1b6b13653278e38989a3ab4025a69a97_JaffaCakes118.exe, 11.exe, po.exe
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation | 1b6b13653278e38989a3ab4025a69a97_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation | 11.exe
Key value queried | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation | po.exe
Executes dropped EXE (3 IoCs)
Processes: 11.exe, po.exe, WWAHost.exe
pid | Process
1916 | 11.exe
2652 | po.exe
2132 | WWAHost.exe
YARA matches
resource | yara_rule
behavioral2/files/0x000a000000023b9f-18.dat | upx
behavioral2/memory/2652-25-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/2132-39-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/2652-42-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/2132-53-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/2132-72-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/2132-91-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/2132-110-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: po.exe
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WAHost = "C:\\Windows\\system32\\zh-PH\\WWAHost.exe" | po.exe
Drops file in System32 directory (3 IoCs)
Processes: po.exe
description | ioc | Process
File created | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | po.exe
File opened for modification | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | po.exe
File opened for modification | C:\Windows\SysWOW64\zh-PH\ | po.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (1 IoC)
Processes: 11.exe
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings | 11.exe
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes: vlc.exe
pid | Process
5104 | vlc.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes: vlc.exe, WWAHost.exe
pid | Process
5104 | vlc.exe
2132 | WWAHost.exe
Suspicious use of AdjustPrivilegeToken (52 IoCs)
Processes: po.exe, WWAHost.exe, AUDIODG.EXE, vlc.exe
pid | Process | Tokens
2652 | po.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
2132 | WWAHost.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
4984 | AUDIODG.EXE | 33, SeIncBasePriorityPrivilege
5104 | vlc.exe | 33, SeIncBasePriorityPrivilege
Suspicious use of FindShellTrayWindow (5 IoCs)
Processes: vlc.exe
pid | Process
5104 | vlc.exe (5 matches)
Suspicious use of SendNotifyMessage (4 IoCs)
Processes: vlc.exe
pid | Process
5104 | vlc.exe (4 matches)
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: WWAHost.exe, vlc.exe
pid | Process
2132 | WWAHost.exe
5104 | vlc.exe
Suspicious use of WriteProcessMemory (48 IoCs)
Processes: 1b6b13653278e38989a3ab4025a69a97_JaffaCakes118.exe, cmd.exe, 11.exe, po.exe, cmd.exe, cmd.exe, WWAHost.exe
description | pid | Process | procid_target | matches
PID 4904 wrote to memory of 4856 | 4904 | 1b6b13653278e38989a3ab4025a69a97_JaffaCakes118.exe | 84 | 3
PID 4856 wrote to memory of 1916 | 4856 | cmd.exe | 87 | 3
PID 1916 wrote to memory of 2652 | 1916 | 11.exe | 90 | 3
PID 2652 wrote to memory of 4168 | 2652 | po.exe | 91 | 3
PID 2652 wrote to memory of 2484 | 2652 | po.exe | 93 | 3
PID 2652 wrote to memory of 2132 | 2652 | po.exe | 95 | 3
PID 4168 wrote to memory of 2812 | 4168 | cmd.exe | 96 | 3
PID 2484 wrote to memory of 1312 | 2484 | cmd.exe | 97 | 3
PID 2132 wrote to memory of 4920 | 2132 | WWAHost.exe | 98 | 22
PID 1916 wrote to memory of 5104 | 1916 | 11.exe | 105 | 2
Views/modifies file attributes (1 TTP, 2 IoCs)
Processes: attrib.exe, attrib.exe
pid | Process
1312 | attrib.exe
2812 | attrib.exe
Processes (tree; depth shown in brackets and by indentation)

[1] C:\Users\Admin\AppData\Local\Temp\1b6b13653278e38989a3ab4025a69a97_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1b6b13653278e38989a3ab4025a69a97_JaffaCakes118.exe"
    PID: 4904
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\start.bat" "
      PID: 4856
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Roaming\11.exe
        Command line: 11.exe -p03658512984 -dC:\Users\Admin\AppData\Roaming
        PID: 1916
        - Checks computer location settings
        - Executes dropped EXE
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Roaming\po.exe
          Command line: "C:\Users\Admin\AppData\Roaming\po.exe"
          PID: 2652
          - Modifies WinLogon for persistence
          - Checks computer location settings
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in System32 directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\po.exe" +s +h
            PID: 4168
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\attrib.exe
              Command line: attrib "C:\Users\Admin\AppData\Roaming\po.exe" +s +h
              PID: 2812
              - Sets file to hidden
              - Views/modifies file attributes
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming" +s +h
            PID: 2484
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\attrib.exe
              Command line: attrib "C:\Users\Admin\AppData\Roaming" +s +h
              PID: 1312
              - Sets file to hidden
              - Views/modifies file attributes
        [5] C:\Windows\SysWOW64\zh-PH\WWAHost.exe
            Command line: "C:\Windows\system32\zh-PH\WWAHost.exe"
            PID: 2132
            - Modifies firewall policy service
            - Executes dropped EXE
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\notepad.exe
              Command line: notepad
              PID: 4920
      [4] C:\Program Files\VideoLAN\VLC\vlc.exe
          Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\12.mp3"
          PID: 5104
          - Suspicious behavior: AddClipboardFormatListener
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of SetWindowsHookEx

[1] C:\Windows\system32\AUDIODG.EXE
    Command line: C:\Windows\system32\AUDIODG.EXE 0x3d0 0x464
    PID: 4984
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads