Analysis
max time kernel: 150s
max time network: 100s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-10-2024 18:44
Static task: static1
Behavioral task: behavioral1
Sample: 496b3e5f673f5407ea4a55c1d17736a5_JaffaCakes118.exe
Resource: win7-20240729-en
General
Target: 496b3e5f673f5407ea4a55c1d17736a5_JaffaCakes118.exe
Size: 1.0MB
MD5: 496b3e5f673f5407ea4a55c1d17736a5
SHA1: be6b5eae60384d6c99011f003a277c0c3031bc80
SHA256: 3e6b574ae73a735fde06db712e8c7f2d767e14acba572942ff4b9a2553c557b2
SHA512: 2531dc8457f9001a73b451a9fd3a0f93e56fcc77114f14a13c7ddfcb70fdab3b95c50cdeb1c8dd0fc2b8889347d022e4abd13512b077f5daae12449b0ea487d1
SSDEEP: 12288:K9DlmwWmfA71dcgvP7OimiRTH54nqosMbkf8Jyiebft56QcC4Ty089SI3l87d4pZ:0NA1xFRNJo7PU5IPalY7TB4EMj8B
Malware Config
Extracted
Family: darkcomet
Botnet: Guest16
C2: jesusmanwoohoo.no-ip.org:1604
Mutex: DC_MUTEX-LVE3HLP
gencode: fGXp2YoV37aS
install: false
offline_keylogger: true
persistence: false
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  496b3e5f673f5407ea4a55c1d17736a5_JaffaCakes118.exe
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation
Executes dropped EXE (1 IoC)
Processes:
  MjqjvavSo.exe
    pid: 5016
Uses the VBS compiler for execution (1 TTP)
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  MjqjvavSo.exe
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\Java.exe"
Suspicious use of SetThreadContext (1 IoC)
Processes:
  496b3e5f673f5407ea4a55c1d17736a5_JaffaCakes118.exe (PID 3888)
    description: set thread context of PID 452 (procid_target 87)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  496b3e5f673f5407ea4a55c1d17736a5_JaffaCakes118.exe
    description: Key opened
    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  vbc.exe
    description: Key opened
    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  MjqjvavSo.exe
    description: Key opened
    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Suspicious use of AdjustPrivilegeToken (25 IoCs)
Processes:
  496b3e5f673f5407ea4a55c1d17736a5_JaffaCakes118.exe (PID 3888)
    Token: SeDebugPrivilege
  vbc.exe (PID 452)
    Token: SeIncreaseQuotaPrivilege
    Token: SeSecurityPrivilege
    Token: SeTakeOwnershipPrivilege
    Token: SeLoadDriverPrivilege
    Token: SeSystemProfilePrivilege
    Token: SeSystemtimePrivilege
    Token: SeProfSingleProcessPrivilege
    Token: SeIncBasePriorityPrivilege
    Token: SeCreatePagefilePrivilege
    Token: SeBackupPrivilege
    Token: SeRestorePrivilege
    Token: SeShutdownPrivilege
    Token: SeDebugPrivilege
    Token: SeSystemEnvironmentPrivilege
    Token: SeChangeNotifyPrivilege
    Token: SeRemoteShutdownPrivilege
    Token: SeUndockPrivilege
    Token: SeManageVolumePrivilege
    Token: SeImpersonatePrivilege
    Token: SeCreateGlobalPrivilege
    Token: 33
    Token: 34
    Token: 35
    Token: 36
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  vbc.exe
    pid: 452
Suspicious use of WriteProcessMemory (17 IoCs)
Processes:
  496b3e5f673f5407ea4a55c1d17736a5_JaffaCakes118.exe (PID 3888)
    description: wrote to memory of PID 452 (procid_target 87), recorded 14 times
    description: wrote to memory of PID 5016 (procid_target 88), recorded 3 times
Processes
C:\Users\Admin\AppData\Local\Temp\496b3e5f673f5407ea4a55c1d17736a5_JaffaCakes118.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\496b3e5f673f5407ea4a55c1d17736a5_JaffaCakes118.exe"
  PID: 3888
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (level 2, child of PID 3888)
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    PID: 452
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

  C:\Users\Admin\AppData\Roaming\MjqjvavSo.exe (level 2, child of PID 3888)
    Command line: "C:\Users\Admin\AppData\Roaming\MjqjvavSo.exe"
    PID: 5016
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 4KB
MD5: 890e5b1e0c79f073ce5091cad4aa6452
SHA1: 1f6f6c81b99539c5cd568f2dd37c5834b12174cd
SHA256: 95bd537e7ea426bbdff936a15129ccb451474c2c9eeab176c4319b874a04fce3
SHA512: fe6f6a2deef89055eb10329d26fe45d8946dbef4eccec21cbc518bf0fad8f5727bf1386af014103eedf6b9e9c248fa956a1cf2de77cf50a6972c9b16fd01cd5d