Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
30-10-2024 18:29
Static task
static1
Behavioral task
behavioral1
Sample
80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe
-
Size
2.1MB
-
MD5
80331cb992b4aaf28c0109096c78e137
-
SHA1
856a328b145d2a02f591d2fd62e71e21db4e0622
-
SHA256
99c3b4f9d4c32256e5ab697c5dc4ff1d753b146c846681e429e2a3eb2f207ada
-
SHA512
128e2ea41800e3a93da297921f918014ae1dc05750f7dcace823fdcd365f422127dca449dd5ce05813ce44eff195b6f589cc95bf4cc40f404bb00eb9ed79a5be
-
SSDEEP
24576:WDQMyUCLowSEwiR49iPUHV8XgYrpxbNT9IA0HD4OsqirBJu9crkQCmLMR:W8MyUCNd+vVeob0OMp2
Malware Config
Extracted
darkcomet
Getjava
essstzttztz.zapto.org:1612
DC_MUTEX-NPVY9D6
-
gencode
z3bx7DQvDgi3
-
install
false
-
offline_keylogger
true
-
persistence
false
Extracted
latentbot
essstzttztz.zapto.org
Signatures
-
Darkcomet family
-
Latentbot family
-
Executes dropped EXE 1 IoCs
Processes:
jx.exepid process 2740 jx.exe -
Loads dropped DLL 1 IoCs
Processes:
80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exepid process 1984 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe -
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
vbc.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\javacs = "C:\\Users\\Admin\\AppData\\Roaming\\javamc.exe" vbc.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exedescription pid process target process PID 1984 set thread context of 2136 1984 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe vbc.exe PID 1984 set thread context of 2504 1984 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe vbc.exe -
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\jx.exe upx behavioral1/memory/2740-46-0x0000000000400000-0x00000000005BB000-memory.dmp upx behavioral1/memory/2504-51-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2504-53-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2504-56-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2504-57-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2504-59-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2504-58-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2504-62-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2504-61-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2740-76-0x0000000000400000-0x00000000005BB000-memory.dmp upx behavioral1/memory/2504-77-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2504-78-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2740-90-0x0000000000400000-0x00000000005BB000-memory.dmp upx behavioral1/memory/2504-91-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2504-92-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2504-93-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2504-94-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2504-95-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2504-96-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2504-97-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2504-98-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2504-99-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2504-100-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2504-101-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2504-102-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2504-103-0x0000000000400000-0x00000000004B7000-memory.dmp upx -
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
Processes:
cmd.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\javamc.exe:ZONE.identifier cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
vbc.exe80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exevbc.execvtres.exevbc.execmd.exejx.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jx.exe -
Processes:
jx.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 jx.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde jx.exe -
NTFS ADS 1 IoCs
Processes:
cmd.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\javamc.exe:ZONE.identifier cmd.exe -
Suspicious use of AdjustPrivilegeToken 24 IoCs
Processes:
80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exevbc.exedescription pid process Token: SeDebugPrivilege 1984 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe Token: SeIncreaseQuotaPrivilege 2504 vbc.exe Token: SeSecurityPrivilege 2504 vbc.exe Token: SeTakeOwnershipPrivilege 2504 vbc.exe Token: SeLoadDriverPrivilege 2504 vbc.exe Token: SeSystemProfilePrivilege 2504 vbc.exe Token: SeSystemtimePrivilege 2504 vbc.exe Token: SeProfSingleProcessPrivilege 2504 vbc.exe Token: SeIncBasePriorityPrivilege 2504 vbc.exe Token: SeCreatePagefilePrivilege 2504 vbc.exe Token: SeBackupPrivilege 2504 vbc.exe Token: SeRestorePrivilege 2504 vbc.exe Token: SeShutdownPrivilege 2504 vbc.exe Token: SeDebugPrivilege 2504 vbc.exe Token: SeSystemEnvironmentPrivilege 2504 vbc.exe Token: SeChangeNotifyPrivilege 2504 vbc.exe Token: SeRemoteShutdownPrivilege 2504 vbc.exe Token: SeUndockPrivilege 2504 vbc.exe Token: SeManageVolumePrivilege 2504 vbc.exe Token: SeImpersonatePrivilege 2504 vbc.exe Token: SeCreateGlobalPrivilege 2504 vbc.exe Token: 33 2504 vbc.exe Token: 34 2504 vbc.exe Token: 35 2504 vbc.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
vbc.exevbc.exepid process 2136 vbc.exe 2504 vbc.exe -
Suspicious use of WriteProcessMemory 36 IoCs
Processes:
80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exevbc.exedescription pid process target process PID 1984 wrote to memory of 1944 1984 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe vbc.exe PID 1984 wrote to memory of 1944 1984 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe vbc.exe PID 1984 wrote to memory of 1944 1984 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe vbc.exe PID 1984 wrote to memory of 1944 1984 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe vbc.exe PID 1944 wrote to memory of 1960 1944 vbc.exe cvtres.exe PID 1944 wrote to memory of 1960 1944 vbc.exe cvtres.exe PID 1944 wrote to memory of 1960 1944 vbc.exe cvtres.exe PID 1944 wrote to memory of 1960 1944 vbc.exe cvtres.exe PID 1984 wrote to memory of 2136 1984 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe vbc.exe PID 1984 wrote to memory of 2136 1984 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe vbc.exe PID 1984 wrote to memory of 2136 1984 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe vbc.exe PID 1984 wrote to memory of 2136 1984 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe vbc.exe PID 1984 wrote to memory of 2136 1984 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe vbc.exe PID 1984 wrote to memory of 2136 1984 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe vbc.exe PID 1984 wrote to memory of 2136 1984 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe vbc.exe PID 1984 wrote to memory of 2136 1984 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe vbc.exe PID 1984 wrote to memory of 2136 1984 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe vbc.exe PID 1984 wrote to memory of 2744 1984 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe cmd.exe PID 1984 wrote to memory of 2744 1984 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe cmd.exe PID 1984 wrote to memory of 2744 1984 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe cmd.exe PID 1984 wrote to memory of 2744 1984 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe cmd.exe PID 1984 wrote to memory of 2740 1984 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe jx.exe PID 1984 wrote to memory of 2740 1984 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe jx.exe PID 1984 wrote to memory of 2740 1984 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe jx.exe PID 1984 wrote to memory of 2740 1984 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe jx.exe PID 1984 wrote to memory of 2740 1984 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe jx.exe PID 1984 wrote to memory of 2740 1984 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe jx.exe PID 1984 wrote to memory of 2740 1984 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe jx.exe PID 1984 wrote to memory of 2504 1984 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe vbc.exe PID 1984 wrote to memory of 2504 1984 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe vbc.exe PID 1984 wrote to memory of 2504 1984 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe vbc.exe PID 1984 wrote to memory of 2504 1984 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe vbc.exe PID 1984 wrote to memory of 2504 1984 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe vbc.exe PID 1984 wrote to memory of 2504 1984 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe vbc.exe PID 1984 wrote to memory of 2504 1984 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe vbc.exe PID 1984 wrote to memory of 2504 1984 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe vbc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qvukih1o.cmdline"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA767.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA766.tmp"3⤵
- System Location Discovery: System Language Discovery
PID:1960 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe2⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2136 -
C:\Windows\SysWOW64\cmd.exe"cmd"2⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:2744 -
C:\Users\Admin\AppData\Local\Temp\jx.exe"C:\Users\Admin\AppData\Local\Temp\jx.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
PID:2740 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2504
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
2Subvert Trust Controls
2Install Root Certificate
1SIP and Trust Provider Hijacking
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5721cf0847e1f545030ee79187477e450
SHA1cca027a6f8c331f2e31a030e7ef577b58a916cc2
SHA256a258c51a3a1c1d3a005f8cf0b925a37acdac952f83d2472a033b53dd575c21b2
SHA512275aecb86bd7fbe4d6cb08e0fa8f054bb989dbdf3d2359d5c4a0edb1616da4d75fb577db5d57ac0142a39a9be95063b94e55f4349b74033226a02934cf1607d9
-
Filesize
256B
MD59f362c5084b0126d5460310d3353d13e
SHA18617abc0a8c22a109b52e2e3c85b4400ed04b40e
SHA25683ef5a38a9ddf6fcb030ef4f4f63c0e989a49c83691f18b07f851bf35544f2d0
SHA5129f701a8cec9297f50533ee6cf72851f2400bc777013b663cacea1b531801446d08ffc9a3f5d120b7e81a0f363c7421b9c2103e26be6606f7fe29de3107c4cbbf
-
Filesize
317B
MD57fe204c9f29c6876a59c96f1d17e7827
SHA1806a99861b6dc8f73edcfed206a981019c968831
SHA256d6cd14665e448e29073b5c0c22c048b66bd1c154ab837b21d2985ee0f920bcdc
SHA512a1a7e4c47735012247d0799c9a7f3ee7056cba4b0dff43cdbb6dfd456d917e6d8036160e9e505c5de8d5eef9b73374f25803231c70f8facee073cb8d86ef602f
-
Filesize
6KB
MD5ad27a54af6e4487f37b73143a3afe06f
SHA1bb929ec45395bf0442ab22914ead69fe45335640
SHA256fed906a3798935801800182179ab2897bee1b7e58ee93b2f1d94a289250c807d
SHA512208ffe8f81e1ad5e7df05b5504446ac6de386649435c4d7e9d73b44c91f3ab25b7661c923815b76c01cdb258b4b84ad818a480408f1665134b2361fcdc86c568
-
Filesize
652B
MD56936178f5ede1f9b0a6d61307219f981
SHA10c9fafe1ad1e05f4fb6a61b6578d0e3da29f19f6
SHA256269aafb5edadc660ad5b11a6e7bfbe327bcc623de9af18e0bd8a4f4f8fec13b4
SHA512ff6f27cb85775a30debb66e4c18909c050752caf7884dba1a2adaee6ae2ea8f764b45729481bd2775e2751125a0eb1a5225fb6179f0a282330356ad2f4ffcbaf
-
Filesize
100B
MD546141ad6a47ab3d59e09d2e191cee4c9
SHA18ccccc6069099a080e7d264200d4c6206e5b1fa5
SHA2567c5221717bcc045387d609cbd4b1801159e417a9908bad7fc89a271371e6f2a4
SHA51259afd1d01c979a4c75a565da390265ace4f8594f231a8ba9e6091357e143472a9c4d3e363d75a13a771798d35bfcd897bce0e8ae62db175eebf97a750969bb6e
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
871KB
MD5f6167efc4d1ef0d0e2739a521f6c87d0
SHA1c8d1a4b74fd774718ad5d2210e5db1a8c57f931c
SHA256ec3357953ca575beffae55678548f8348cbeaef6a753d3de151007862962e03e
SHA512ce39f11229ed14011acfd0a0edb9bf4bcf9f043b72e8d14320c3235f6889e05ec4dffc521af8ad481326140e31a475badff86a54be45740b857e84fd42342901