Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-07-2024 15:31
Static task: static1
Behavioral task: behavioral1
Sample: 4a47e04852564dcd9f5881fbd69c6bd9_JaffaCakes118.exe
Resource: win7-20240708-en
General
Target: 4a47e04852564dcd9f5881fbd69c6bd9_JaffaCakes118.exe
Size: 414KB
MD5: 4a47e04852564dcd9f5881fbd69c6bd9
SHA1: a6684ad9f665f0ebf6c243de8b8e309ce195d1fc
SHA256: 19d059c2008cdd0d30babc96de89c13c2dc38922cfc6f735af4902953469a0c4
SHA512: 82ee1980f8893c0bf6798c71864a4ee4f298cb5de875b81503fcd738c25150baa579c6e144f507ab6e48ff61af70d6a43bbb54d91752d74d182f1ad75bb43281
SSDEEP: 12288:MDxoIVCNZwI1eQu/tEzSha7GwAdTusAUa:6o1IIQNNQDWYUa
Malware Config
Extracted (darkcomet)
Victim
C2: karmaisabitch.zapto.org:1604
Mutex: DC_MUTEX-XBX7X34
gencode: bSi6W85Uhvq8
install: false
offline_keylogger: true
password: vwurJnIHQY8Xd4X
persistence: false
Extracted (latentbot)
C2: karmaisabitch.zapto.org
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | 4a47e04852564dcd9f5881fbd69c6bd9_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | webengine.exe
Executes dropped EXE (2 IoCs)
pid | Process
4152 | webengine.exe
724 | MSBuild.exe

resource | yara_rule
behavioral2/memory/772-6-0x0000000000400000-0x00000000004BB000-memory.dmp | upx
behavioral2/memory/772-7-0x0000000000400000-0x00000000004BB000-memory.dmp | upx
behavioral2/memory/772-10-0x0000000000400000-0x00000000004BB000-memory.dmp | upx
behavioral2/memory/772-9-0x0000000000400000-0x00000000004BB000-memory.dmp | upx
behavioral2/memory/772-8-0x0000000000400000-0x00000000004BB000-memory.dmp | upx
behavioral2/memory/772-27-0x0000000000400000-0x00000000004BB000-memory.dmp | upx
behavioral2/memory/772-26-0x0000000000400000-0x00000000004BB000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\webengine.exe" | webengine.exe
Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 4264 set thread context of 772 | 4264 | 4a47e04852564dcd9f5881fbd69c6bd9_JaffaCakes118.exe | 85
PID 724 set thread context of 2984 | 724 | MSBuild.exe | 89
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4264 | 4a47e04852564dcd9f5881fbd69c6bd9_JaffaCakes118.exe
4152 | webengine.exe
4264 | 4a47e04852564dcd9f5881fbd69c6bd9_JaffaCakes118.exe
4264 | 4a47e04852564dcd9f5881fbd69c6bd9_JaffaCakes118.exe
4264 | 4a47e04852564dcd9f5881fbd69c6bd9_JaffaCakes118.exe
4264 | 4a47e04852564dcd9f5881fbd69c6bd9_JaffaCakes118.exe
4264 | 4a47e04852564dcd9f5881fbd69c6bd9_JaffaCakes118.exe
4152 | webengine.exe
724 | MSBuild.exe
724 | MSBuild.exe
4152 | webengine.exe
4264 | 4a47e04852564dcd9f5881fbd69c6bd9_JaffaCakes118.exe
4152 | webengine.exe
724 | MSBuild.exe
4264 | 4a47e04852564dcd9f5881fbd69c6bd9_JaffaCakes118.exe
4152 | webengine.exe
724 | MSBuild.exe
4264 | 4a47e04852564dcd9f5881fbd69c6bd9_JaffaCakes118.exe
724 | MSBuild.exe
4152 | webengine.exe
4264 | 4a47e04852564dcd9f5881fbd69c6bd9_JaffaCakes118.exe
4152 | webengine.exe
724 | MSBuild.exe
4264 | 4a47e04852564dcd9f5881fbd69c6bd9_JaffaCakes118.exe
724 | MSBuild.exe
4152 | webengine.exe
4264 | 4a47e04852564dcd9f5881fbd69c6bd9_JaffaCakes118.exe
4152 | webengine.exe
724 | MSBuild.exe
4264 | 4a47e04852564dcd9f5881fbd69c6bd9_JaffaCakes118.exe
4152 | webengine.exe
724 | MSBuild.exe
4264 | 4a47e04852564dcd9f5881fbd69c6bd9_JaffaCakes118.exe
724 | MSBuild.exe
4152 | webengine.exe
4264 | 4a47e04852564dcd9f5881fbd69c6bd9_JaffaCakes118.exe
724 | MSBuild.exe
4152 | webengine.exe
4264 | 4a47e04852564dcd9f5881fbd69c6bd9_JaffaCakes118.exe
4152 | webengine.exe
724 | MSBuild.exe
4264 | 4a47e04852564dcd9f5881fbd69c6bd9_JaffaCakes118.exe
724 | MSBuild.exe
4152 | webengine.exe
4264 | 4a47e04852564dcd9f5881fbd69c6bd9_JaffaCakes118.exe
4152 | webengine.exe
724 | MSBuild.exe
4264 | 4a47e04852564dcd9f5881fbd69c6bd9_JaffaCakes118.exe
724 | MSBuild.exe
4152 | webengine.exe
4264 | 4a47e04852564dcd9f5881fbd69c6bd9_JaffaCakes118.exe
4152 | webengine.exe
724 | MSBuild.exe
4264 | 4a47e04852564dcd9f5881fbd69c6bd9_JaffaCakes118.exe
724 | MSBuild.exe
4152 | webengine.exe
4264 | 4a47e04852564dcd9f5881fbd69c6bd9_JaffaCakes118.exe
724 | MSBuild.exe
4152 | webengine.exe
4264 | 4a47e04852564dcd9f5881fbd69c6bd9_JaffaCakes118.exe
724 | MSBuild.exe
4152 | webengine.exe
4264 | 4a47e04852564dcd9f5881fbd69c6bd9_JaffaCakes118.exe
4152 | webengine.exe
Suspicious use of AdjustPrivilegeToken (51 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4264 | 4a47e04852564dcd9f5881fbd69c6bd9_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege | 772 | AppLaunch.exe
Token: SeSecurityPrivilege | 772 | AppLaunch.exe
Token: SeTakeOwnershipPrivilege | 772 | AppLaunch.exe
Token: SeLoadDriverPrivilege | 772 | AppLaunch.exe
Token: SeSystemProfilePrivilege | 772 | AppLaunch.exe
Token: SeSystemtimePrivilege | 772 | AppLaunch.exe
Token: SeProfSingleProcessPrivilege | 772 | AppLaunch.exe
Token: SeIncBasePriorityPrivilege | 772 | AppLaunch.exe
Token: SeCreatePagefilePrivilege | 772 | AppLaunch.exe
Token: SeBackupPrivilege | 772 | AppLaunch.exe
Token: SeRestorePrivilege | 772 | AppLaunch.exe
Token: SeShutdownPrivilege | 772 | AppLaunch.exe
Token: SeDebugPrivilege | 772 | AppLaunch.exe
Token: SeSystemEnvironmentPrivilege | 772 | AppLaunch.exe
Token: SeChangeNotifyPrivilege | 772 | AppLaunch.exe
Token: SeRemoteShutdownPrivilege | 772 | AppLaunch.exe
Token: SeUndockPrivilege | 772 | AppLaunch.exe
Token: SeManageVolumePrivilege | 772 | AppLaunch.exe
Token: SeImpersonatePrivilege | 772 | AppLaunch.exe
Token: SeCreateGlobalPrivilege | 772 | AppLaunch.exe
Token: 33 | 772 | AppLaunch.exe
Token: 34 | 772 | AppLaunch.exe
Token: 35 | 772 | AppLaunch.exe
Token: 36 | 772 | AppLaunch.exe
Token: SeDebugPrivilege | 4152 | webengine.exe
Token: SeDebugPrivilege | 724 | MSBuild.exe
Token: SeIncreaseQuotaPrivilege | 2984 | AppLaunch.exe
Token: SeSecurityPrivilege | 2984 | AppLaunch.exe
Token: SeTakeOwnershipPrivilege | 2984 | AppLaunch.exe
Token: SeLoadDriverPrivilege | 2984 | AppLaunch.exe
Token: SeSystemProfilePrivilege | 2984 | AppLaunch.exe
Token: SeSystemtimePrivilege | 2984 | AppLaunch.exe
Token: SeProfSingleProcessPrivilege | 2984 | AppLaunch.exe
Token: SeIncBasePriorityPrivilege | 2984 | AppLaunch.exe
Token: SeCreatePagefilePrivilege | 2984 | AppLaunch.exe
Token: SeBackupPrivilege | 2984 | AppLaunch.exe
Token: SeRestorePrivilege | 2984 | AppLaunch.exe
Token: SeShutdownPrivilege | 2984 | AppLaunch.exe
Token: SeDebugPrivilege | 2984 | AppLaunch.exe
Token: SeSystemEnvironmentPrivilege | 2984 | AppLaunch.exe
Token: SeChangeNotifyPrivilege | 2984 | AppLaunch.exe
Token: SeRemoteShutdownPrivilege | 2984 | AppLaunch.exe
Token: SeUndockPrivilege | 2984 | AppLaunch.exe
Token: SeManageVolumePrivilege | 2984 | AppLaunch.exe
Token: SeImpersonatePrivilege | 2984 | AppLaunch.exe
Token: SeCreateGlobalPrivilege | 2984 | AppLaunch.exe
Token: 33 | 2984 | AppLaunch.exe
Token: 34 | 2984 | AppLaunch.exe
Token: 35 | 2984 | AppLaunch.exe
Token: 36 | 2984 | AppLaunch.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
772 | AppLaunch.exe
Suspicious use of WriteProcessMemory (22 IoCs)
description | pid | Process | procid_target
PID 4264 wrote to memory of 772 | 4264 | 4a47e04852564dcd9f5881fbd69c6bd9_JaffaCakes118.exe | 85
PID 4264 wrote to memory of 772 | 4264 | 4a47e04852564dcd9f5881fbd69c6bd9_JaffaCakes118.exe | 85
PID 4264 wrote to memory of 772 | 4264 | 4a47e04852564dcd9f5881fbd69c6bd9_JaffaCakes118.exe | 85
PID 4264 wrote to memory of 772 | 4264 | 4a47e04852564dcd9f5881fbd69c6bd9_JaffaCakes118.exe | 85
PID 4264 wrote to memory of 772 | 4264 | 4a47e04852564dcd9f5881fbd69c6bd9_JaffaCakes118.exe | 85
PID 4264 wrote to memory of 772 | 4264 | 4a47e04852564dcd9f5881fbd69c6bd9_JaffaCakes118.exe | 85
PID 4264 wrote to memory of 772 | 4264 | 4a47e04852564dcd9f5881fbd69c6bd9_JaffaCakes118.exe | 85
PID 4264 wrote to memory of 772 | 4264 | 4a47e04852564dcd9f5881fbd69c6bd9_JaffaCakes118.exe | 85
PID 4264 wrote to memory of 4152 | 4264 | 4a47e04852564dcd9f5881fbd69c6bd9_JaffaCakes118.exe | 87
PID 4264 wrote to memory of 4152 | 4264 | 4a47e04852564dcd9f5881fbd69c6bd9_JaffaCakes118.exe | 87
PID 4264 wrote to memory of 4152 | 4264 | 4a47e04852564dcd9f5881fbd69c6bd9_JaffaCakes118.exe | 87
PID 4152 wrote to memory of 724 | 4152 | webengine.exe | 88
PID 4152 wrote to memory of 724 | 4152 | webengine.exe | 88
PID 4152 wrote to memory of 724 | 4152 | webengine.exe | 88
PID 724 wrote to memory of 2984 | 724 | MSBuild.exe | 89
PID 724 wrote to memory of 2984 | 724 | MSBuild.exe | 89
PID 724 wrote to memory of 2984 | 724 | MSBuild.exe | 89
PID 724 wrote to memory of 2984 | 724 | MSBuild.exe | 89
PID 724 wrote to memory of 2984 | 724 | MSBuild.exe | 89
PID 724 wrote to memory of 2984 | 724 | MSBuild.exe | 89
PID 724 wrote to memory of 2984 | 724 | MSBuild.exe | 89
PID 724 wrote to memory of 2984 | 724 | MSBuild.exe | 89
Processes

C:\Users\Admin\AppData\Local\Temp\4a47e04852564dcd9f5881fbd69c6bd9_JaffaCakes118.exe (depth 1)
command line: "C:\Users\Admin\AppData\Local\Temp\4a47e04852564dcd9f5881fbd69c6bd9_JaffaCakes118.exe"
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4264

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe (depth 2)
    command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 772

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\webengine.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\webengine.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4152

        C:\Users\Admin\AppData\Local\Temp\MSBuild.exe (depth 3)
        command line: "C:\Users\Admin\AppData\Local\Temp\MSBuild.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 724

            C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe (depth 4)
            command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
            - Suspicious use of AdjustPrivilegeToken
            PID: 2984
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Temp\300PX-ALL_NIPPON_AIRWAYS_BOEING_787-8_DREAMLINER_JA801A_OKJ_IN_FLIGHT.JPG
Filesize: 7KB
MD5: 94df065ad5c47487a08288a43a7d8039
SHA1: 46425bebc77afd9e372fbe1d5e85c56eae4a9cf3
SHA256: 0589da7798bb8527cbcbcd036435a3f73d4a378f5bc4c33fdf0e8426f7f5a6c4
SHA512: faa649e6857f5af7b90bf2d0f4ba4aeace7d6eaf808cbfe29e3eb9e9dd4732e33573752c46f3557c3102e1fae88f5a31a43293d7189f893627f11e1db6ba7890

Filesize: 414KB
MD5: 4a47e04852564dcd9f5881fbd69c6bd9
SHA1: a6684ad9f665f0ebf6c243de8b8e309ce195d1fc
SHA256: 19d059c2008cdd0d30babc96de89c13c2dc38922cfc6f735af4902953469a0c4
SHA512: 82ee1980f8893c0bf6798c71864a4ee4f298cb5de875b81503fcd738c25150baa579c6e144f507ab6e48ff61af70d6a43bbb54d91752d74d182f1ad75bb43281

Filesize: 8KB
MD5: 8117d80b0e093b8a22808439e98f8438
SHA1: 95e85605a119569be1171e738ab1933d72b4d4ac
SHA256: e1d07433984dc20260f212e464fcdd75e0cca098b4c40d9d940ad71995e74699
SHA512: bef89879f3b5e3b9a3cad130ef33ca6d9a6b55e0b47dd6c47fd94efb343bf9b5d904bdccc52e2416ac68d12a1077102a2015fd8c9f92defcb83514f0d10e06a3