Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    30-10-2024 18:29

General

  • Target

    80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe

  • Size

    2.1MB

  • MD5

    80331cb992b4aaf28c0109096c78e137

  • SHA1

    856a328b145d2a02f591d2fd62e71e21db4e0622

  • SHA256

    99c3b4f9d4c32256e5ab697c5dc4ff1d753b146c846681e429e2a3eb2f207ada

  • SHA512

    128e2ea41800e3a93da297921f918014ae1dc05750f7dcace823fdcd365f422127dca449dd5ce05813ce44eff195b6f589cc95bf4cc40f404bb00eb9ed79a5be

  • SSDEEP

    24576:WDQMyUCLowSEwiR49iPUHV8XgYrpxbNT9IA0HD4OsqirBJu9crkQCmLMR:W8MyUCNd+vVeob0OMp2

Malware Config

Extracted

Family

darkcomet

Botnet

Getjava

C2

essstzttztz.zapto.org:1612

Mutex

DC_MUTEX-NPVY9D6

Attributes
  • gencode

    z3bx7DQvDgi3

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Extracted

Family

latentbot

C2

essstzttztz.zapto.org

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Darkcomet family
  • LatentBot

    Modular trojan written in Delphi which has been in-the-wild since 2013.

  • Latentbot family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 27 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

    When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies system certificate store 2 TTPs 2 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1984
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qvukih1o.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1944
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA767.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA766.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1960
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2136
    • C:\Windows\SysWOW64\cmd.exe
      "cmd"
      2⤵
      • Subvert Trust Controls: Mark-of-the-Web Bypass
      • System Location Discovery: System Language Discovery
      • NTFS ADS
      PID:2744
    • C:\Users\Admin\AppData\Local\Temp\jx.exe
      "C:\Users\Admin\AppData\Local\Temp\jx.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies system certificate store
      PID:2740
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2504

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESA767.tmp

    Filesize

    1KB

    MD5

    721cf0847e1f545030ee79187477e450

    SHA1

    cca027a6f8c331f2e31a030e7ef577b58a916cc2

    SHA256

    a258c51a3a1c1d3a005f8cf0b925a37acdac952f83d2472a033b53dd575c21b2

    SHA512

    275aecb86bd7fbe4d6cb08e0fa8f054bb989dbdf3d2359d5c4a0edb1616da4d75fb577db5d57ac0142a39a9be95063b94e55f4349b74033226a02934cf1607d9

  • C:\Users\Admin\AppData\Local\Temp\qvukih1o.0.vb

    Filesize

    256B

    MD5

    9f362c5084b0126d5460310d3353d13e

    SHA1

    8617abc0a8c22a109b52e2e3c85b4400ed04b40e

    SHA256

    83ef5a38a9ddf6fcb030ef4f4f63c0e989a49c83691f18b07f851bf35544f2d0

    SHA512

    9f701a8cec9297f50533ee6cf72851f2400bc777013b663cacea1b531801446d08ffc9a3f5d120b7e81a0f363c7421b9c2103e26be6606f7fe29de3107c4cbbf

  • C:\Users\Admin\AppData\Local\Temp\qvukih1o.cmdline

    Filesize

    317B

    MD5

    7fe204c9f29c6876a59c96f1d17e7827

    SHA1

    806a99861b6dc8f73edcfed206a981019c968831

    SHA256

    d6cd14665e448e29073b5c0c22c048b66bd1c154ab837b21d2985ee0f920bcdc

    SHA512

    a1a7e4c47735012247d0799c9a7f3ee7056cba4b0dff43cdbb6dfd456d917e6d8036160e9e505c5de8d5eef9b73374f25803231c70f8facee073cb8d86ef602f

  • C:\Users\Admin\AppData\Local\Temp\qvukih1o.dll

    Filesize

    6KB

    MD5

    ad27a54af6e4487f37b73143a3afe06f

    SHA1

    bb929ec45395bf0442ab22914ead69fe45335640

    SHA256

    fed906a3798935801800182179ab2897bee1b7e58ee93b2f1d94a289250c807d

    SHA512

    208ffe8f81e1ad5e7df05b5504446ac6de386649435c4d7e9d73b44c91f3ab25b7661c923815b76c01cdb258b4b84ad818a480408f1665134b2361fcdc86c568

  • C:\Users\Admin\AppData\Local\Temp\vbcA766.tmp

    Filesize

    652B

    MD5

    6936178f5ede1f9b0a6d61307219f981

    SHA1

    0c9fafe1ad1e05f4fb6a61b6578d0e3da29f19f6

    SHA256

    269aafb5edadc660ad5b11a6e7bfbe327bcc623de9af18e0bd8a4f4f8fec13b4

    SHA512

    ff6f27cb85775a30debb66e4c18909c050752caf7884dba1a2adaee6ae2ea8f764b45729481bd2775e2751125a0eb1a5225fb6179f0a282330356ad2f4ffcbaf

  • C:\Users\Admin\AppData\Roaming\fp.txt

    Filesize

    100B

    MD5

    46141ad6a47ab3d59e09d2e191cee4c9

    SHA1

    8ccccc6069099a080e7d264200d4c6206e5b1fa5

    SHA256

    7c5221717bcc045387d609cbd4b1801159e417a9908bad7fc89a271371e6f2a4

    SHA512

    59afd1d01c979a4c75a565da390265ace4f8594f231a8ba9e6091357e143472a9c4d3e363d75a13a771798d35bfcd897bce0e8ae62db175eebf97a750969bb6e

  • \Users\Admin\AppData\Local\Temp\jx.exe

    Filesize

    871KB

    MD5

    f6167efc4d1ef0d0e2739a521f6c87d0

    SHA1

    c8d1a4b74fd774718ad5d2210e5db1a8c57f931c

    SHA256

    ec3357953ca575beffae55678548f8348cbeaef6a753d3de151007862962e03e

    SHA512

    ce39f11229ed14011acfd0a0edb9bf4bcf9f043b72e8d14320c3235f6889e05ec4dffc521af8ad481326140e31a475badff86a54be45740b857e84fd42342901

  • memory/1944-7-0x00000000749E0000-0x0000000074F8B000-memory.dmp

    Filesize

    5.7MB

  • memory/1944-16-0x00000000749E0000-0x0000000074F8B000-memory.dmp

    Filesize

    5.7MB

  • memory/1984-4-0x00000000749E0000-0x0000000074F8B000-memory.dmp

    Filesize

    5.7MB

  • memory/1984-1-0x00000000749E0000-0x0000000074F8B000-memory.dmp

    Filesize

    5.7MB

  • memory/1984-0-0x00000000749E1000-0x00000000749E2000-memory.dmp

    Filesize

    4KB

  • memory/1984-60-0x00000000749E0000-0x0000000074F8B000-memory.dmp

    Filesize

    5.7MB

  • memory/1984-45-0x0000000006E70000-0x000000000702B000-memory.dmp

    Filesize

    1.7MB

  • memory/2136-20-0x0000000000400000-0x0000000000405000-memory.dmp

    Filesize

    20KB

  • memory/2136-31-0x0000000000400000-0x0000000000405000-memory.dmp

    Filesize

    20KB

  • memory/2136-28-0x0000000000400000-0x0000000000405000-memory.dmp

    Filesize

    20KB

  • memory/2136-36-0x0000000000400000-0x0000000000405000-memory.dmp

    Filesize

    20KB

  • memory/2136-26-0x0000000000400000-0x0000000000405000-memory.dmp

    Filesize

    20KB

  • memory/2136-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2136-22-0x0000000000400000-0x0000000000405000-memory.dmp

    Filesize

    20KB

  • memory/2136-21-0x0000000000400000-0x0000000000405000-memory.dmp

    Filesize

    20KB

  • memory/2504-51-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2504-96-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2504-53-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2504-56-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2504-57-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2504-103-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2504-59-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2504-58-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2504-62-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2504-61-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2504-102-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2504-77-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2504-78-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2504-101-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2504-91-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2504-92-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2504-93-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2504-94-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2504-95-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2504-49-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2504-97-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2504-98-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2504-99-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2504-100-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2740-90-0x0000000000400000-0x00000000005BB000-memory.dmp

    Filesize

    1.7MB

  • memory/2740-76-0x0000000000400000-0x00000000005BB000-memory.dmp

    Filesize

    1.7MB

  • memory/2740-46-0x0000000000400000-0x00000000005BB000-memory.dmp

    Filesize

    1.7MB