Analysis

max time kernel: 150s
max time network: 139s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 13/09/2024, 10:10

Static task: static1
Behavioral task: behavioral1
Sample: de2f31f3883c0e84e6c4e1c2aebde801_JaffaCakes118.exe
Resource: win7-20240903-en
General

Target: de2f31f3883c0e84e6c4e1c2aebde801_JaffaCakes118.exe
Size: 553KB
MD5: de2f31f3883c0e84e6c4e1c2aebde801
SHA1: 676d34caa52a4dec4829d724c4a1ccd889f91ff3
SHA256: c0def001b11e3cb4334ab13f6d2ada8a259cbc8fb4932324e2aea9a839aa9c29
SHA512: 932d7baf385698ae48cdca85291392f4e7a8bc4bbfb6f53eed504fa6292b5ae79d90e61f08cc1b37c2dd75233bb4ba03fa373a90b08c7d29ef42dc598f831d48
SSDEEP: 12288:QPxe0gF2s4XmJOHwUqKSCEL/+NV1oYsjogyAWRdTTBnSB6:AY0gUiAQCdEToOY3gtWRdH0B
Malware Config

Extracted
Family: latentbot
C2:
- dcomete70353.zapto.org
- 1dcomete70353.zapto.org
- 2dcomete70353.zapto.org
- 3dcomete70353.zapto.org
- 4dcomete70353.zapto.org
- 5dcomete70353.zapto.org
- 6dcomete70353.zapto.org
- 7dcomete70353.zapto.org
- 8dcomete70353.zapto.org
Signatures

Modifies firewall policy service (3 TTPs, 8 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\AppLaunch.exe:*:Enabled:Windows Messanger" | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\KSF20FP27A.exe = "C:\\Users\\Admin\\AppData\\Roaming\\KSF20FP27A.exe:*:Enabled:Windows Messanger" | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe

Deletes itself (1 IoCs)
  pid | Process
  2164 | explorer.exe

Executes dropped EXE (3 IoCs)
  pid | Process
  2164 | explorer.exe
  2620 | msdtcstp.exe
  2156 | RasMigPlugin.exe

Loads dropped DLL (3 IoCs)
  pid | Process
  2072 | de2f31f3883c0e84e6c4e1c2aebde801_JaffaCakes118.exe
  2164 | explorer.exe
  2620 | msdtcstp.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\msdtcstp.exe" | msdtcstp.exe

Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 2164 set thread context of 2280 | 2164 | explorer.exe | 31

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 13 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RasMigPlugin.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | de2f31f3883c0e84e6c4e1c2aebde801_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msdtcstp.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AppLaunch.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe

Modifies registry key (1 TTPs, 4 IoCs)
  pid | Process
  2708 | reg.exe
  2616 | reg.exe
  2644 | reg.exe
  2672 | reg.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2164 | explorer.exe
  2620 | msdtcstp.exe
  2164 | explorer.exe
  2156 | RasMigPlugin.exe
  then the triple (2164 explorer.exe, 2620 msdtcstp.exe, 2156 RasMigPlugin.exe) repeated until the 64-row cap

Suspicious use of AdjustPrivilegeToken (39 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2072 | de2f31f3883c0e84e6c4e1c2aebde801_JaffaCakes118.exe
  Token: SeDebugPrivilege | 2164 | explorer.exe
  2280 AppLaunch.exe (35 rows), Token: 1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35
  Token: SeDebugPrivilege | 2620 | msdtcstp.exe
  Token: SeDebugPrivilege | 2156 | RasMigPlugin.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
  pid | Process
  2280 | AppLaunch.exe (3 rows)

Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 2072 wrote to memory of 2164 | 2072 | de2f31f3883c0e84e6c4e1c2aebde801_JaffaCakes118.exe | 30 (4 rows)
  PID 2164 wrote to memory of 2280 | 2164 | explorer.exe | 31 (11 rows)
  PID 2280 wrote to memory of 2824 | 2280 | AppLaunch.exe | 32 (7 rows)
  PID 2280 wrote to memory of 2752 | 2280 | AppLaunch.exe | 33 (7 rows)
  PID 2280 wrote to memory of 2720 | 2280 | AppLaunch.exe | 34 (7 rows)
  PID 2280 wrote to memory of 2728 | 2280 | AppLaunch.exe | 35 (7 rows)
  PID 2164 wrote to memory of 2620 | 2164 | explorer.exe | 40 (4 rows)
  PID 2728 wrote to memory of 2708 | 2728 | cmd.exe | 41 (7 rows)
  PID 2720 wrote to memory of 2616 | 2720 | cmd.exe | 42 (7 rows)
  PID 2824 wrote to memory of 2644 | 2824 | cmd.exe | 43 (3 rows)
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\de2f31f3883c0e84e6c4e1c2aebde801_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\de2f31f3883c0e84e6c4e1c2aebde801_JaffaCakes118.exe"
  PID: 2072
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
    PID: 2164
    - Deletes itself
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      PID: 2280
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      Depth 4: C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        PID: 2824
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        Depth 5: C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          PID: 2644
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key

      Depth 4: C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger" /f
        PID: 2752
        - System Location Discovery: System Language Discovery

        Depth 5: C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger" /f
          PID: 2672
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key

      Depth 4: C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        PID: 2720
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        Depth 5: C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          PID: 2616
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key

      Depth 4: C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\KSF20FP27A.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\KSF20FP27A.exe:*:Enabled:Windows Messanger" /f
        PID: 2728
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        Depth 5: C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\KSF20FP27A.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\KSF20FP27A.exe:*:Enabled:Windows Messanger" /f
          PID: 2708
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key

    Depth 3: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\msdtcstp.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\msdtcstp.exe"
      PID: 2620
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      Depth 4: C:\Users\Admin\AppData\Local\Temp\RasMigPlugin.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\RasMigPlugin.exe"
        PID: 2156
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Defense Evasion
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Modify Registry (3)
Downloads

Filesize: 84B
MD5: 01a5b311064b9e2e48bc0b49b8c88977
SHA1: 50487233b0944796416c5432babae97b750b2657
SHA256: d7537cfdb6e0e7d4d6f436ac3e41841f1f89aafe8fc4325ad6bfe53eee1e8fca
SHA512: a1d6e51233b207a8ffce77cb70be06dd9cc19c84e941bee9ac579242a201074b4b34475e52a1809944233316e96f43dd8ee0158219b7da9a65ecec0b87a4ca04

Filesize: 7KB
MD5: 7a6db8f658cf4af57e888b960f551ab2
SHA1: 8199269b5f7e8b96c4ee726780de5f231ac84c22
SHA256: ef80684c44164f0dfd4b2cf584755b830d9334747ce4efd763a392e6fae536d3
SHA512: 721cc47f53ce454cd95e08c84fac9fbc1301c35eca7f280f443698afa823f543aef37de3fddd125224de784ee59c2b1ee2dba3ec0c200fb38d20240def260521

Filesize: 553KB
MD5: de2f31f3883c0e84e6c4e1c2aebde801
SHA1: 676d34caa52a4dec4829d724c4a1ccd889f91ff3
SHA256: c0def001b11e3cb4334ab13f6d2ada8a259cbc8fb4932324e2aea9a839aa9c29
SHA512: 932d7baf385698ae48cdca85291392f4e7a8bc4bbfb6f53eed504fa6292b5ae79d90e61f08cc1b37c2dd75233bb4ba03fa373a90b08c7d29ef42dc598f831d48