Analysis
max time kernel: 150s
max time network: 16s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 15-10-2024 18:44
Static task: static1
Behavioral task: behavioral1
Sample: 496b3e5f673f5407ea4a55c1d17736a5_JaffaCakes118.exe
Resource: win7-20240729-en
General
Target: 496b3e5f673f5407ea4a55c1d17736a5_JaffaCakes118.exe
Size: 1.0MB
MD5: 496b3e5f673f5407ea4a55c1d17736a5
SHA1: be6b5eae60384d6c99011f003a277c0c3031bc80
SHA256: 3e6b574ae73a735fde06db712e8c7f2d767e14acba572942ff4b9a2553c557b2
SHA512: 2531dc8457f9001a73b451a9fd3a0f93e56fcc77114f14a13c7ddfcb70fdab3b95c50cdeb1c8dd0fc2b8889347d022e4abd13512b077f5daae12449b0ea487d1
SSDEEP: 12288:K9DlmwWmfA71dcgvP7OimiRTH54nqosMbkf8Jyiebft56QcC4Ty089SI3l87d4pZ:0NA1xFRNJo7PU5IPalY7TB4EMj8B
Malware Config
Extracted
Family: darkcomet
Botnet: Guest16
C2: jesusmanwoohoo.no-ip.org:1604
Mutex: DC_MUTEX-LVE3HLP
gencode: fGXp2YoV37aS
install: false
offline_keylogger: true
persistence: false
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid 1972  MjqjvavSo.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid 1760  496b3e5f673f5407ea4a55c1d17736a5_JaffaCakes118.exe
    pid 1760  496b3e5f673f5407ea4a55c1d17736a5_JaffaCakes118.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
    Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\Java.exe"  MjqjvavSo.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / procid_target):
    PID 1760 set thread context of 2952  1760  496b3e5f673f5407ea4a55c1d17736a5_JaffaCakes118.exe  30
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description / ioc / process):
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MjqjvavSo.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  496b3e5f673f5407ea4a55c1d17736a5_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege  1760  496b3e5f673f5407ea4a55c1d17736a5_JaffaCakes118.exe
    Token: SeIncreaseQuotaPrivilege  2952  vbc.exe
    Token: SeSecurityPrivilege  2952  vbc.exe
    Token: SeTakeOwnershipPrivilege  2952  vbc.exe
    Token: SeLoadDriverPrivilege  2952  vbc.exe
    Token: SeSystemProfilePrivilege  2952  vbc.exe
    Token: SeSystemtimePrivilege  2952  vbc.exe
    Token: SeProfSingleProcessPrivilege  2952  vbc.exe
    Token: SeIncBasePriorityPrivilege  2952  vbc.exe
    Token: SeCreatePagefilePrivilege  2952  vbc.exe
    Token: SeBackupPrivilege  2952  vbc.exe
    Token: SeRestorePrivilege  2952  vbc.exe
    Token: SeShutdownPrivilege  2952  vbc.exe
    Token: SeDebugPrivilege  2952  vbc.exe
    Token: SeSystemEnvironmentPrivilege  2952  vbc.exe
    Token: SeChangeNotifyPrivilege  2952  vbc.exe
    Token: SeRemoteShutdownPrivilege  2952  vbc.exe
    Token: SeUndockPrivilege  2952  vbc.exe
    Token: SeManageVolumePrivilege  2952  vbc.exe
    Token: SeImpersonatePrivilege  2952  vbc.exe
    Token: SeCreateGlobalPrivilege  2952  vbc.exe
    Token: 33  2952  vbc.exe
    Token: 34  2952  vbc.exe
    Token: 35  2952  vbc.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid 2952  vbc.exe
- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes (description / pid / process / procid_target):
    PID 1760 wrote to memory of 2952  1760  496b3e5f673f5407ea4a55c1d17736a5_JaffaCakes118.exe  30  (15 identical entries)
    PID 1760 wrote to memory of 1972  1760  496b3e5f673f5407ea4a55c1d17736a5_JaffaCakes118.exe  31  (4 identical entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\496b3e5f673f5407ea4a55c1d17736a5_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\496b3e5f673f5407ea4a55c1d17736a5_JaffaCakes118.exe"
  PID: 1760
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    PID: 2952
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
  - [2] C:\Users\Admin\AppData\Roaming\MjqjvavSo.exe
    Command line: "C:\Users\Admin\AppData\Roaming\MjqjvavSo.exe"
    PID: 1972
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 4KB
  MD5: 890e5b1e0c79f073ce5091cad4aa6452
  SHA1: 1f6f6c81b99539c5cd568f2dd37c5834b12174cd
  SHA256: 95bd537e7ea426bbdff936a15129ccb451474c2c9eeab176c4319b874a04fce3
  SHA512: fe6f6a2deef89055eb10329d26fe45d8946dbef4eccec21cbc518bf0fad8f5727bf1386af014103eedf6b9e9c248fa956a1cf2de77cf50a6972c9b16fd01cd5d