Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
30-10-2024 18:29
Static task
static1
Behavioral task
behavioral1
Sample
80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe
-
Size
2.1MB
-
MD5
80331cb992b4aaf28c0109096c78e137
-
SHA1
856a328b145d2a02f591d2fd62e71e21db4e0622
-
SHA256
99c3b4f9d4c32256e5ab697c5dc4ff1d753b146c846681e429e2a3eb2f207ada
-
SHA512
128e2ea41800e3a93da297921f918014ae1dc05750f7dcace823fdcd365f422127dca449dd5ce05813ce44eff195b6f589cc95bf4cc40f404bb00eb9ed79a5be
-
SSDEEP
24576:WDQMyUCLowSEwiR49iPUHV8XgYrpxbNT9IA0HD4OsqirBJu9crkQCmLMR:W8MyUCNd+vVeob0OMp2
Malware Config
Extracted
darkcomet
Getjava
essstzttztz.zapto.org:1612
DC_MUTEX-NPVY9D6
-
gencode
z3bx7DQvDgi3
-
install
false
-
offline_keylogger
true
-
persistence
false
Extracted
latentbot
essstzttztz.zapto.org
Signatures
-
Darkcomet family
-
Latentbot family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe -
Executes dropped EXE 1 IoCs
pid Process 5036 jx.exe -
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javacs = "C:\\Users\\Admin\\AppData\\Roaming\\javamc.exe" vbc.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 3500 set thread context of 3732 3500 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe 91 PID 3500 set thread context of 4340 3500 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe 95 -
resource yara_rule behavioral2/files/0x0035000000023b73-37.dat upx behavioral2/memory/5036-44-0x0000000000400000-0x00000000005BB000-memory.dmp upx behavioral2/memory/4340-48-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral2/memory/4340-55-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral2/memory/4340-54-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral2/memory/4340-51-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral2/memory/4340-50-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral2/memory/5036-61-0x0000000000400000-0x00000000005BB000-memory.dmp upx behavioral2/memory/4340-65-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral2/memory/4340-64-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral2/memory/5036-72-0x0000000000400000-0x00000000005BB000-memory.dmp upx behavioral2/memory/4340-73-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral2/memory/4340-74-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral2/memory/4340-75-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral2/memory/4340-76-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral2/memory/4340-77-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral2/memory/4340-78-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral2/memory/4340-79-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral2/memory/4340-80-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral2/memory/4340-81-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral2/memory/4340-82-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral2/memory/4340-83-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral2/memory/4340-84-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral2/memory/4340-85-0x0000000000400000-0x00000000004B7000-memory.dmp upx -
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description ioc Process File created C:\Users\Admin\AppData\Roaming\javamc.exe:ZONE.identifier cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe -
NTFS ADS 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\javamc.exe:ZONE.identifier cmd.exe -
Suspicious use of AdjustPrivilegeToken 25 IoCs
description pid Process Token: SeDebugPrivilege 3500 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe Token: SeIncreaseQuotaPrivilege 4340 vbc.exe Token: SeSecurityPrivilege 4340 vbc.exe Token: SeTakeOwnershipPrivilege 4340 vbc.exe Token: SeLoadDriverPrivilege 4340 vbc.exe Token: SeSystemProfilePrivilege 4340 vbc.exe Token: SeSystemtimePrivilege 4340 vbc.exe Token: SeProfSingleProcessPrivilege 4340 vbc.exe Token: SeIncBasePriorityPrivilege 4340 vbc.exe Token: SeCreatePagefilePrivilege 4340 vbc.exe Token: SeBackupPrivilege 4340 vbc.exe Token: SeRestorePrivilege 4340 vbc.exe Token: SeShutdownPrivilege 4340 vbc.exe Token: SeDebugPrivilege 4340 vbc.exe Token: SeSystemEnvironmentPrivilege 4340 vbc.exe Token: SeChangeNotifyPrivilege 4340 vbc.exe Token: SeRemoteShutdownPrivilege 4340 vbc.exe Token: SeUndockPrivilege 4340 vbc.exe Token: SeManageVolumePrivilege 4340 vbc.exe Token: SeImpersonatePrivilege 4340 vbc.exe Token: SeCreateGlobalPrivilege 4340 vbc.exe Token: 33 4340 vbc.exe Token: 34 4340 vbc.exe Token: 35 4340 vbc.exe Token: 36 4340 vbc.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 3732 vbc.exe 4340 vbc.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 3500 wrote to memory of 4500 3500 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe 87 PID 3500 wrote to memory of 4500 3500 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe 87 PID 3500 wrote to memory of 4500 3500 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe 87 PID 4500 wrote to memory of 2596 4500 vbc.exe 90 PID 4500 wrote to memory of 2596 4500 vbc.exe 90 PID 4500 wrote to memory of 2596 4500 vbc.exe 90 PID 3500 wrote to memory of 3732 3500 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe 91 PID 3500 wrote to memory of 3732 3500 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe 91 PID 3500 wrote to memory of 3732 3500 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe 91 PID 3500 wrote to memory of 3732 3500 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe 91 PID 3500 wrote to memory of 3732 3500 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe 91 PID 3500 wrote to memory of 3732 3500 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe 91 PID 3500 wrote to memory of 3732 3500 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe 91 PID 3500 wrote to memory of 3732 3500 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe 91 PID 3500 wrote to memory of 744 3500 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe 92 PID 3500 wrote to memory of 744 3500 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe 92 PID 3500 wrote to memory of 744 3500 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe 92 PID 3500 wrote to memory of 5036 3500 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe 94 PID 3500 wrote to memory of 5036 3500 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe 94 PID 3500 wrote to memory of 5036 3500 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe 94 PID 3500 wrote to memory of 4340 3500 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe 95 PID 3500 wrote to memory of 4340 3500 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe 95 PID 3500 wrote to memory of 4340 3500 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe 95 PID 3500 wrote to memory of 4340 3500 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe 95 PID 3500 wrote to memory of 4340 3500 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe 95 PID 3500 wrote to memory of 4340 3500 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe 95 PID 3500 wrote to memory of 4340 3500 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe 95 PID 3500 wrote to memory of 4340 3500 80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe 95
Processes
-
C:\Users\Admin\AppData\Local\Temp\80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3500 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bonse633.cmdline"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4500 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA1AE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAC3B0D4CC3934B5092D6DE8BE9A56353.TMP"3⤵
- System Location Discovery: System Language Discovery
PID:2596
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe2⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3732
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"2⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:744
-
-
C:\Users\Admin\AppData\Local\Temp\jx.exe"C:\Users\Admin\AppData\Local\Temp\jx.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5036
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4340
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
1Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD521bb8ddd5033d2350888358dcc6055e9
SHA1ede850ddde52f5ba5335f907599a0900163f96c9
SHA2566d66e6da8081eac444200d8bfbb78fd1bb69cca4327a051b0049c84dde6c84ed
SHA5123fa5ad3815aad1cc07bede703c2f705f4b726747ddd01de1ac4bd29df0087e626e003d1c7e6c986d1d16aa3498c7fd7b728090734091f0af9736687673468f30
-
Filesize
256B
MD59f362c5084b0126d5460310d3353d13e
SHA18617abc0a8c22a109b52e2e3c85b4400ed04b40e
SHA25683ef5a38a9ddf6fcb030ef4f4f63c0e989a49c83691f18b07f851bf35544f2d0
SHA5129f701a8cec9297f50533ee6cf72851f2400bc777013b663cacea1b531801446d08ffc9a3f5d120b7e81a0f363c7421b9c2103e26be6606f7fe29de3107c4cbbf
-
Filesize
317B
MD51946a7420d7fb634775ed5283e2e7c37
SHA156a7542764bc122fc71c64df05c66bd10a3c7d22
SHA256619e7d544a276db787ba64697948c26062e95cb35880a404bc889c48f00eaee8
SHA512f3de7bc30167f8033a0196c9aca6efd3f58c64b6f94ea01fabc2783fd2ad1cec8ddf456d1f3564c24e75b98fe57b5f86bd3651a60d5c682eb3bb74c427de7e3f
-
Filesize
6KB
MD59bd14c0f061acbf72e71bc651241fbde
SHA179a4261973598d063fb878f938e1f283d376b7e8
SHA25694851a3ae75bc60b507872025b2938c2df02931542cad9504444d7910a20f13a
SHA5124939e79c49aabc56d2d36c0a00a82abe940edd55e9c6df1c27986f96b9a7caa3b611b864aed4d954c80d4b35566ac30b844d86ecccb4c99aef616ad4a49e7012
-
Filesize
163KB
MD5286d788cbfc076f0e661a7ea37380f7b
SHA1ce05b510fce4f15f6cc057e735b84d3668773cda
SHA2567883a10de8b37568d96e653c0654350820322c5f1e99f6d207313fc3304ecbd9
SHA51283fc1dde2e0e3b94dbdc0dcd1a836716d3f08b0420e14afac7fbc2887776bf6437e4b5da761420c32f099d619979e386daf4ffac94ec4fa2df7d365461007c44
-
Filesize
871KB
MD5f6167efc4d1ef0d0e2739a521f6c87d0
SHA1c8d1a4b74fd774718ad5d2210e5db1a8c57f931c
SHA256ec3357953ca575beffae55678548f8348cbeaef6a753d3de151007862962e03e
SHA512ce39f11229ed14011acfd0a0edb9bf4bcf9f043b72e8d14320c3235f6889e05ec4dffc521af8ad481326140e31a475badff86a54be45740b857e84fd42342901
-
Filesize
652B
MD51d3b82fcea659b062e08244adad5caf1
SHA13c514f4544f14209a09e87e28885c861e8d25f43
SHA256cfbefa9a36449f11682f5ddd80d0aaca7bcd32a292571f3d57e4b306e00ab108
SHA512543a64052e0b489d0637f0b4ac1ebea5607f1617d5501d1df021f6778a966e7e1dd6208fbea1b00a2c6e9605ec5f85f5584039a78e2c05113de696c4c9690878
-
Filesize
100B
MD546141ad6a47ab3d59e09d2e191cee4c9
SHA18ccccc6069099a080e7d264200d4c6206e5b1fa5
SHA2567c5221717bcc045387d609cbd4b1801159e417a9908bad7fc89a271371e6f2a4
SHA51259afd1d01c979a4c75a565da390265ace4f8594f231a8ba9e6091357e143472a9c4d3e363d75a13a771798d35bfcd897bce0e8ae62db175eebf97a750969bb6e