Analysis
- max time kernel: 150s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 30-10-2024 18:29
Static task: static1
Behavioral task: behavioral1
- Sample: 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe
- Size: 2.1MB
- MD5: 80331cb992b4aaf28c0109096c78e137
- SHA1: 856a328b145d2a02f591d2fd62e71e21db4e0622
- SHA256: 99c3b4f9d4c32256e5ab697c5dc4ff1d753b146c846681e429e2a3eb2f207ada
- SHA512: 128e2ea41800e3a93da297921f918014ae1dc05750f7dcace823fdcd365f422127dca449dd5ce05813ce44eff195b6f589cc95bf4cc40f404bb00eb9ed79a5be
- SSDEEP: 24576:WDQMyUCLowSEwiR49iPUHV8XgYrpxbNT9IA0HD4OsqirBJu9crkQCmLMR:W8MyUCNd+vVeob0OMp2
Malware Config
Extracted (darkcomet)
- Family: darkcomet
- Botnet: Getjava
- C2: essstzttztz.zapto.org:1612
- Mutex: DC_MUTEX-NPVY9D6
- gencode: z3bx7DQvDgi3
- install: false
- offline_keylogger: true
- persistence: false
Extracted (latentbot)
- Family: latentbot
- C2: essstzttztz.zapto.org
Signatures
- Darkcomet family
- Latentbot family
- Executes dropped EXE (1 IoC)
  - PID 2740, process jx.exe
- Loads dropped DLL (1 IoC)
  - PID 1984, process 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  - Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\javacs = "C:\\Users\\Admin\\AppData\\Roaming\\javamc.exe", process vbc.exe
- Suspicious use of SetThreadContext (2 IoCs)
  - PID 1984 set thread context of 2136; process 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe, procid_target 33
  - PID 1984 set thread context of 2504; process 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe, procid_target 37
- Subvert Trust Controls: Mark-of-the-Web Bypass (1 TTP, 1 IoC)
  When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
  - File created C:\Users\Admin\AppData\Roaming\javamc.exe:ZONE.identifier, process cmd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process vbc.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process vbc.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process cvtres.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process vbc.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process cmd.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process jx.exe
- Modifies system certificate store
  - Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436, process jx.exe
  - Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob, process jx.exe
- NTFS ADS (1 IoC)
  - File created C:\Users\Admin\AppData\Roaming\javamc.exe:ZONE.identifier, process cmd.exe
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  - Token: SeDebugPrivilege, PID 1984, process 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe
  - PID 2504, process vbc.exe, tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- Suspicious use of SetWindowsHookEx (2 IoCs)
  - PID 2136, process vbc.exe
  - PID 2504, process vbc.exe
- Suspicious use of WriteProcessMemory (36 IoCs; repeat count of each entry in parentheses)
  - PID 1984 wrote to memory of 1944; process 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe, procid_target 30 (4 times)
  - PID 1944 wrote to memory of 1960; process vbc.exe, procid_target 32 (4 times)
  - PID 1984 wrote to memory of 2136; process 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe, procid_target 33 (9 times)
  - PID 1984 wrote to memory of 2744; process 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe, procid_target 34 (4 times)
  - PID 1984 wrote to memory of 2740; process 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe, procid_target 36 (7 times)
  - PID 1984 wrote to memory of 2504; process 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe, procid_target 37 (8 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe (PID 1984)
  Command line: "C:\Users\Admin\AppData\Local\Temp\80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe"
  Signatures:
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 1944)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qvukih1o.cmdline"
    Signatures:
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 1960)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA767.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA766.tmp"
      Signatures:
      - System Location Discovery: System Language Discovery
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2136)
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Signatures:
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\cmd.exe (PID 2744)
    Command line: "cmd"
    Signatures:
    - Subvert Trust Controls: Mark-of-the-Web Bypass
    - System Location Discovery: System Language Discovery
    - NTFS ADS
  - C:\Users\Admin\AppData\Local\Temp\jx.exe (PID 2740)
    Command line: "C:\Users\Admin\AppData\Local\Temp\jx.exe"
    Signatures:
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2504)
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Signatures:
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
- Defense Evasion
  - Modify Registry (2)
  - Subvert Trust Controls (2)
    - Install Root Certificate (1)
    - SIP and Trust Provider Hijacking (1)
Downloads