Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240730-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-08-2024 03:09

General

  • Target

    7ef58fae6597873eb9ddc200749efb54_JaffaCakes118.exe

  • Size

    1.3MB

  • MD5

    7ef58fae6597873eb9ddc200749efb54

  • SHA1

    01b74eb79082d0465ab8654b6a71c8570ac8743a

  • SHA256

    046af6ee479e05559a9830dc541785559e7a006cc1761c1f9f6acd6b9fbef0e9

  • SHA512

    97bcd602af86fdab80368e376712739dc96535026b77b87b6ff5e5f53796c0f39f6ec33954b8655aff64b8ca3bf7faa7e666f8aa5790d8a974c8ca408d0be14f

  • SSDEEP

    24576:4DTCwXMdaEkx9Tod/Z/Va9nVFMG17y+g3LZjQsW2l9r/ArJf4q0/9xAN6:L4E0odR/SnVKaux3LZssW2lF4Ff43s6

Malware Config

Signatures

  • DarkTrack

    DarkTrack is a remote administration tool written in Delphi.

  • DarkTrack payload 7 IoCs
  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up the country code configured in the registry, likely as a geofence.

  • Executes dropped EXE 13 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempts to gather information about the system language of a victim host in order to infer its geographical location.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7ef58fae6597873eb9ddc200749efb54_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7ef58fae6597873eb9ddc200749efb54_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2772
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\BCC8.tmp\BCC9.bat C:\Users\Admin\AppData\Local\Temp\7ef58fae6597873eb9ddc200749efb54_JaffaCakes118.exe"
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1864
      • C:\Users\Admin\AppData\Local\Temp\BCC8.tmp\WindowsSeverHelper.pif
        WindowsSeverHelper.pif
        3⤵
        • Modifies WinLogon for persistence
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4344
        • C:\Users\Admin\AppData\Local\Temp\CIOUD.EXE
          "C:\Users\Admin\AppData\Local\Temp\CIOUD.EXE"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          PID:4348
        • C:\Users\Admin\AppData\Local\Temp\GOOGLESERVERHELPER.EXE
          "C:\Users\Admin\AppData\Local\Temp\GOOGLESERVERHELPER.EXE"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4800
          • C:\Users\Admin\AppData\Roaming\GoogleServerHelper.exe
            "C:\Users\Admin\AppData\Roaming\GoogleServerHelper.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2064
            • C:\Windows\SysWOW64\netsh.exe
              netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\GoogleServerHelper.exe" "GoogleServerHelper.exe" ENABLE
              6⤵
              • Modifies Windows Firewall
              • Event Triggered Execution: Netsh Helper DLL
              • System Location Discovery: System Language Discovery
              PID:5052
        • C:\Users\Admin\AppData\Local\Temp\RUNTIME BROKER.EXE
          "C:\Users\Admin\AppData\Local\Temp\RUNTIME BROKER.EXE"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2208
          • C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
            "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of WriteProcessMemory
            PID:5100
            • C:\Windows\SysWOW64\notepad.exe
              notepad
              6⤵
              • Adds Run key to start application
              • System Location Discovery: System Language Discovery
              PID:3052
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2876
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1 -n 5
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:1120
        • C:\Users\Admin\AppData\Roaming\MSDCSC\WindowsShellHelper.exe
          "C:\Users\Admin\AppData\Roaming\MSDCSC\WindowsShellHelper.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5016
          • C:\Users\Admin\AppData\Local\Temp\CIOUD.EXE
            "C:\Users\Admin\AppData\Local\Temp\CIOUD.EXE"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:4272
          • C:\Users\Admin\AppData\Local\Temp\GOOGLESERVERHELPER.EXE
            "C:\Users\Admin\AppData\Local\Temp\GOOGLESERVERHELPER.EXE"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2184
          • C:\Users\Admin\AppData\Local\Temp\RUNTIME BROKER.EXE
            "C:\Users\Admin\AppData\Local\Temp\RUNTIME BROKER.EXE"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:3488
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
            5⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1692
            • C:\Users\Admin\AppData\Local\Temp\CIOUD.EXE
              "C:\Users\Admin\AppData\Local\Temp\CIOUD.EXE"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:4008
            • C:\Users\Admin\AppData\Local\Temp\GOOGLESERVERHELPER.EXE
              "C:\Users\Admin\AppData\Local\Temp\GOOGLESERVERHELPER.EXE"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:4056
            • C:\Users\Admin\AppData\Local\Temp\RUNTIME BROKER.EXE
              "C:\Users\Admin\AppData\Local\Temp\RUNTIME BROKER.EXE"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:4024
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:1628

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\CIOUD.EXE.log

      Filesize

      496B

      MD5

      5b4789d01bb4d7483b71e1a35bce6a8b

      SHA1

      de083f2131c9a763c0d1810c97a38732146cffbf

      SHA256

      e248cef9500ed6e0c9f99d72a2a6a36955a5f0cfc0725748ef25a733cc8282f6

      SHA512

      357e18ef30430e4b9cc4f2569b9735b1cd12f934c83162e4de78ac29ba9703b63ddb624ccc22afd5a5868f6e9d91a3c64581846abac22e9625f5b2e3d80b3ede

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\GOOGLESERVERHELPER.EXE.log

      Filesize

      319B

      MD5

      91046f2e147049d3e53cd9bf9d4d95ed

      SHA1

      228e347d062840b2edcbd16904475aacad414c62

      SHA256

      ea92f8291b86440b98162409b1f9f04470455c22be01a1480ea5ebc37eb168dc

      SHA512

      071a9c6e17760a726c3a4519cf8006f36f17f50946af0129e0e1f3e480f6b7fcc804a7614b044247f2420a8b2b46bec5b8493e4869bb918bc7c0f6aa1346c3e0

    • C:\Users\Admin\AppData\Local\Temp\BCC8.tmp\1.bat

      Filesize

      48B

      MD5

      55b802862d9eaffe7b7fb6eeae66d729

      SHA1

      b014e037b3849cf206bdd4d2910e9a1803dfe5e0

      SHA256

      1491837dd6978e9323d1f2e7b3bcb6da5e7eb5373245ec569a8f2624ede90ba0

      SHA512

      90f86153716997025a105d64286e2ad6c8ea06951278def6d8f39b76518e966c3ac62e45f986bf4ad9cf3d11264f0ecbe65c42f78cb3fb9096b25a36a341001c

    • C:\Users\Admin\AppData\Local\Temp\BCC8.tmp\BCC9.bat

      Filesize

      33B

      MD5

      8a018ca11acfbd81dc4b301fbbcd58d5

      SHA1

      c8e8f856dd9f2c1b904df66c183e3674625b28f4

      SHA256

      b5823db59fcf22262591aecb537ad79764a62925b7ed409615d0cb8d7b37272d

      SHA512

      b7e9f1b6c668f2e6aede983d485979cbed363d15fcf135af9fa8fd949483f3410b17ce383006dfad43243cc884da9b3fcadbfc60a872901e3f1e6e0889f6f028

    • C:\Users\Admin\AppData\Local\Temp\BCC8.tmp\HD.zip

      Filesize

      221KB

      MD5

      7172a8eae4d545316d8d707e0df02632

      SHA1

      49e921f5b8d89c2b4b0017f2920dbdbfd1a55c72

      SHA256

      10556edc1a886af540632f6c9b9bbaf3d263e1cd975b1f67d571faf5c67cf950

      SHA512

      0bb6d1769c5670f1e41659f3e934acb4682d1abd03926caddd858baf8db3f2773e5e66a9a749ee109d4599363fa78cc24c006e2f9ff07c7cdb6762ecac733c99

    • C:\Users\Admin\AppData\Local\Temp\BCC8.tmp\WindowsSeverHelper.pif

      Filesize

      1.0MB

      MD5

      5aa470a6aefd43f2bb371c6d4ff0e81c

      SHA1

      1ff99e88b23fe31798176d7de1dc0fab8891bed8

      SHA256

      4070967cb1326a2685821810479dd8b2c5c3db8c2de1177a5ae42edd7263ac69

      SHA512

      69fa0cf4e2fe5b98b696b50bd9fc429036a01d54b66bd707ddf550fa7003950874c8ea1dc2fbcc7f3f023ef6a44d0f727b59f3a393a199c68910cfc5c876d655

    • C:\Users\Admin\AppData\Local\Temp\CIOUD.EXE

      Filesize

      595KB

      MD5

      890e94388a40a56ef27d6d1d94b72290

      SHA1

      310a196df36bd06ab6660daaf7bdfd6f2aa6b403

      SHA256

      da403e7a6dd93e9357f6fa630a4b2edcc1558174802cad90330365db79d223fc

      SHA512

      53d4914ef2e1c4395e63891d7aec07f5c11dbb1e0a1599adfabbc306a5c17d796c1fc8d290bf4b5e2b0d9b0f99924f0257c045dab13cf4092525a38ff501f754

    • C:\Users\Admin\AppData\Local\Temp\GOOGLESERVERHELPER.EXE

      Filesize

      33KB

      MD5

      03a9d8b71175a13df468482dd8c28f70

      SHA1

      bc1b0a9973274d4281b81657cb9e8b65466a58fe

      SHA256

      7804b4f4792567cef30f25bf4c2c9d8248c283f46412e24f6896f25968788d75

      SHA512

      f91bd85c80af299691921068a9dcc8de5af5911be2405276b00f05e0aa9a00fb27d9c56d9b22c4960d11b846cb1879218c38b740f42266ddaebc2a51ff74709a

    • C:\Users\Admin\AppData\Local\Temp\RUNTIME BROKER.EXE

      Filesize

      627KB

      MD5

      f6c8aff612013d1b6cf238f51b0fee1c

      SHA1

      8bef1fe8cafd7c99289f8ed666116a454af825be

      SHA256

      847cd3461fd87a7d4b3c9c221ebadaedd03838fd9b4c618f0684436473a8d51d

      SHA512

      a49390f3de6a17e18a1bd1541b0f49f4b3ff0bb187f1d13dead813549b6558cec3e8a3959c45df828a1bc0004593aa78797c123c8abfe5715ca28b49c857e816

    • C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat

      Filesize

      94B

      MD5

      27e006d678ffe5ce2ad37649ff333b49

      SHA1

      a5654ed2b5fa772aab6daae7fd3f53b65ad5c187

      SHA256

      dd3291b12b6ae3a3a4a72e033dfd249da18049138e72f41743c307762f2dd9c4

      SHA512

      f6cb88b1f858cbcabb9965a6b4b066da65a434a0342d7b7a5b89bc0f107b76356202d67aac54ffadb084a4b6d67562320a287d32d9b4019d336d38e0ae8ad7ac

    • memory/2208-50-0x0000000000400000-0x00000000004A8000-memory.dmp

      Filesize

      672KB

    • memory/3052-51-0x0000000000340000-0x0000000000341000-memory.dmp

      Filesize

      4KB

    • memory/3488-124-0x0000000000400000-0x00000000004A8000-memory.dmp

      Filesize

      672KB

    • memory/4024-138-0x0000000000400000-0x00000000004A8000-memory.dmp

      Filesize

      672KB

    • memory/4344-113-0x0000000000400000-0x0000000000600000-memory.dmp

      Filesize

      2.0MB

    • memory/4344-14-0x0000000000400000-0x0000000000600000-memory.dmp

      Filesize

      2.0MB

    • memory/5016-127-0x0000000000400000-0x0000000000600000-memory.dmp

      Filesize

      2.0MB

    • memory/5100-153-0x0000000000400000-0x00000000004A8000-memory.dmp

      Filesize

      672KB