Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    03-11-2024 16:14

General

  • Target

    8c59df2671f68c6026ca254483bf189c_JaffaCakes118.exe

  • Size

    1.5MB

  • MD5

    8c59df2671f68c6026ca254483bf189c

  • SHA1

    7d9b000aff2e1230f912538784227f9dae811a16

  • SHA256

    33f13a29c8ecc5ad7056321e73aaf84217ec9ba685814fb34120b4f3ad6900dd

  • SHA512

    d5c5d53b2f54c74cbcaa27ba33c014d0228475a020057bf83ec259e78c00085ee7c7239339c25d50febbad568367c72a28d6be5b2c77c3ee3f46d63e5f5db903

  • SSDEEP

    24576:oRmJkcoQricOIQxiZY1iafBWtL/YerMytPZyyJ7:NJZoQrbTFZY1iafBWBYSBJ7

Malware Config

Extracted

Family

darkcomet

Botnet

Msconfig32

C2

greatgiggles.zapto.org:9001

Mutex

DC_MUTEX-EAB1BX6

Attributes
  • gencode

    TQgQFlfVslb7

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Extracted

Family

latentbot

C2

greatgiggles.zapto.org
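The extracted configuration gives three kinds of host-level indicators worth hunting on: the file hashes of the sample and its dropped files, the dynamic-DNS C2 host and port, and the DarkComet mutex. Both extractions point at the same zapto.org host, so one domain indicator covers them. The Python below is an added example, not part of the sandbox report, that matches constructed telemetry records against those indicators. The telemetry, the hostnames WS01 to WS03 and the assumption that DarkComet mutexes follow the pattern DC_MUTEX- plus seven alphanumerics (the report's value has that shape) are mine; every indicator value is copied from the report above.

```python
"""Hunt for this report's indicators across constructed host telemetry.

Added example, not part of the sandbox report. Indicator values are the
report's; the telemetry records are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Indicators taken verbatim from the report.
SHA256_SAMPLE = "33f13a29c8ecc5ad7056321e73aaf84217ec9ba685814fb34120b4f3ad6900dd"
SHA256_VBS = "c93035ec22ec0a8bcdb1a5dc167d9a0130b3243faf2bea0e1abc6308fdf727ef"
SHA256_TXT = "9a186fead0270c923d4672ed89b898f9210cfd59837ab1fbdc82987a61378cec"
C2_HOST = "greatgiggles.zapto.org"
C2_PORT = 9001
MUTEX = "DC_MUTEX-EAB1BX6"

# Assumption: DarkComet builds name their mutex DC_MUTEX-<7 alphanumerics>.
# Matching the family pattern, not only this build's value, catches siblings.
DC_MUTEX_RE = re.compile(r"^DC_MUTEX-[A-Z0-9]{7}$")


@dataclass
class Hit:
    host: str
    indicator: str
    evidence: str
    severity: str  # "exact" for this build, "family" for the mutex pattern


def hunt(events):
    """Return a Hit for every event that matches a report indicator.

    Each event is a dict with a 'type' of 'file' (sha256), 'dns' (query),
    'netconn' (dst, dport) or 'mutex' (name). Unknown types are ignored.
    """
    hits = []
    for ev in events:
        host = ev.get("host", "?")
        kind = ev.get("type")
        if kind == "file":
            digest = ev.get("sha256", "").lower()
            if digest in (SHA256_SAMPLE, SHA256_VBS, SHA256_TXT):
                hits.append(Hit(host, "sha256", f"{ev.get('path')} {digest[:12]}...", "exact"))
        elif kind == "dns":
            # Case-insensitive, trailing-dot tolerant: resolver logs vary.
            if ev.get("query", "").lower().rstrip(".") == C2_HOST:
                hits.append(Hit(host, "c2-domain", ev["query"], "exact"))
        elif kind == "netconn":
            dst = ev.get("dst", "").lower()
            if dst == C2_HOST and ev.get("dport") == C2_PORT:
                hits.append(Hit(host, "c2-socket", f"{ev['dst']}:{ev['dport']}", "exact"))
            elif dst == C2_HOST:
                # Same host, other port: still the C2 name, weaker match.
                hits.append(Hit(host, "c2-domain", f"{ev['dst']}:{ev.get('dport')}", "exact"))
        elif kind == "mutex":
            name = ev.get("name", "")
            if name == MUTEX:
                hits.append(Hit(host, "mutex", name, "exact"))
            elif DC_MUTEX_RE.match(name):
                hits.append(Hit(host, "mutex-pattern", name, "family"))
    return hits


# Constructed telemetry: one host infected with this build, one clean host,
# one host carrying a different DarkComet build (different mutex suffix).
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "file",
     "path": r"C:\Users\Admin\AppData\Local\Temp\a.vbs", "sha256": SHA256_VBS},
    {"host": "WS01", "type": "mutex", "name": "DC_MUTEX-EAB1BX6"},
    {"host": "WS01", "type": "dns", "query": "GreatGiggles.zapto.org."},
    {"host": "WS01", "type": "netconn", "dst": "greatgiggles.zapto.org", "dport": 9001},
    {"host": "WS02", "type": "mutex", "name": "Local\\MSCTF.Asm.MutexDefault1"},
    {"host": "WS02", "type": "dns", "query": "update.microsoft.com"},
    {"host": "WS03", "type": "mutex", "name": "DC_MUTEX-K3Q9WZ2"},
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(f"{h.host:5} {h.severity:6} {h.indicator:13} {h.evidence}")
```

The mutex pattern match is deliberately reported at a lower severity than the exact indicators: it tells you a DarkComet build is present, not that it is this one, so it should trigger a pull of the binary rather than an automatic block.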

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Darkcomet family
  • LatentBot

    Modular trojan written in Delphi that has been in the wild since 2013.

  • Latentbot family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Drops startup file 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8c59df2671f68c6026ca254483bf189c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8c59df2671f68c6026ca254483bf189c_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:860
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4692
    • C:\Users\Admin\AppData\Local\Temp\8c59df2671f68c6026ca254483bf189c_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\8c59df2671f68c6026ca254483bf189c_JaffaCakes118.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4632
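The tree above has a shape worth recognising on sight: PID 860 spawns WScript.exe on a .vbs dropped to the user's Temp directory, then spawns a second copy of its own image (PID 4632), with SetThreadContext and WriteProcessMemory attributed to the parent and AdjustPrivilegeToken plus SetWindowsHookEx (consistent with the offline_keylogger setting) on the child. That combination is consistent with process hollowing, and the memory dumps listed later all belong to the child at 0x400000-0x4B2000, the conventional image base of a 32-bit PE. The Python below is an added example, not code from the sandbox, that flags this pattern and correlates the dump names with the suspected child. The process records, the PPID values and the dump-name regex are mine, constructed to mirror the report.

```python
"""Process-tree and memory-dump triage for the shape shown in this report.

Added example, not code from the sandbox. The process records and dump names
below are constructed to mirror the Processes and Downloads sections.
"""
import re
from collections import defaultdict

# Assumed dump naming: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$"
)
# Lower-cased fragment of the per-user temp directory the dropper writes to.
TEMP_DIR = "\\appdata\\local\\temp\\"


def find_hollowing(procs):
    """Return PIDs of children spawned from their parent's own image while the
    parent shows SetThreadContext and WriteProcessMemory.

    That is the classic hollowing sequence: start a suspended copy of
    yourself, overwrite its image with the payload, then point the main
    thread at the new entry point. Each proc is a dict with pid, ppid,
    image, cmdline (list) and tags (set of sandbox behaviour labels).
    """
    by_pid = {p["pid"]: p for p in procs}
    flagged = []
    for p in procs:
        parent = by_pid.get(p["ppid"])
        if parent is None:
            continue  # root of the tree, or parent outside the capture
        same_image = parent["image"].lower() == p["image"].lower()
        injects = {"SetThreadContext", "WriteProcessMemory"} <= parent["tags"]
        if same_image and injects:
            flagged.append(p["pid"])
    return flagged


def find_temp_script_hosts(procs):
    """Return (pid, script_path) for wscript/cscript runs of scripts in %TEMP%."""
    out = []
    for p in procs:
        if not p["image"].lower().endswith(("\\wscript.exe", "\\cscript.exe")):
            continue
        for arg in p["cmdline"][1:]:
            lowered = arg.lower()
            if TEMP_DIR in lowered and lowered.endswith((".vbs", ".js", ".wsf")):
                out.append((p["pid"], arg))
    return out


def dump_regions(dump_names):
    """Group dumps as {pid: {(start, end): {"count", "size_kb"}}}.

    Many snapshots of one region in one PID, as in this report, mean the
    sandbox kept re-dumping an image that was being rewritten in place.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for name in dump_names:
        m = DUMP_RE.match(name)
        if not m:
            continue
        pid, start, end = int(m[1]), int(m[3], 16), int(m[4], 16)
        counts[pid][(start, end)] += 1
    return {
        pid: {r: {"count": c, "size_kb": (r[1] - r[0]) // 1024} for r, c in regs.items()}
        for pid, regs in counts.items()
    }


# Constructed records mirroring the report's process tree.
EXE = r"C:\Users\Admin\AppData\Local\Temp\8c59df2671f68c6026ca254483bf189c_JaffaCakes118.exe"
PROCS = [
    {"pid": 860, "ppid": 0, "image": EXE, "cmdline": [EXE],
     "tags": {"SetThreadContext", "WriteProcessMemory", "Drops startup file"}},
    # Image resolves to SysWOW64 although the command line names System32:
    # file-system redirection, which tells you the parent is a 32-bit process.
    {"pid": 4692, "ppid": 860, "image": r"C:\Windows\SysWOW64\WScript.exe",
     "cmdline": [r"C:\Windows\System32\WScript.exe",
                 r"C:\Users\Admin\AppData\Local\Temp\a.vbs"],
     "tags": set()},
    {"pid": 4632, "ppid": 860, "image": EXE, "cmdline": [EXE],
     "tags": {"AdjustPrivilegeToken", "SetWindowsHookEx"}},
]
# The report lists dumps 18..40 of PID 4632, all for 0x400000-0x4B2000.
DUMPS = [f"memory/4632-{i}-0x0000000000400000-0x00000000004B2000-memory.dmp"
         for i in range(18, 41)]

if __name__ == "__main__":
    print("hollowed children:", find_hollowing(PROCS))
    print("temp scripts:", find_temp_script_hosts(PROCS))
    for pid, regs in dump_regions(DUMPS).items():
        for (s, e), info in regs.items():
            print(f"pid {pid}: {s:#x}-{e:#x} {info['size_kb']}KB x{info['count']}")
```

When the flagged PID and the dumped PID coincide, as they do here, the dump of the child's 0x400000 region is the unpacked payload and the parent on disk is only the loader; carve the child dump, not the 1.5MB file, when you want the configuration the sandbox extracted.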

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\a.vbs

    Filesize

    9KB

    MD5

    f2764287e75f3aec142e6195cb330b3e

    SHA1

    6cdb779c5681861c95529a311d26c28d36411e05

    SHA256

    c93035ec22ec0a8bcdb1a5dc167d9a0130b3243faf2bea0e1abc6308fdf727ef

    SHA512

    c7cee9e6df90f5817ebae3004964b7c496c2dc5a872e16a80b8256c441128c77d81e623ff69668c8456e43ac36563d0ad8858ebdda7ca1ec5e0c97c8d8dc81e2

  • C:\Users\Admin\AppData\Local\Temp\ensambla.txt

    Filesize

    2KB

    MD5

    992dea548be8314039a109d8f0725578

    SHA1

    dbfbb7268164b58f27bc4650158312058573ac32

    SHA256

    9a186fead0270c923d4672ed89b898f9210cfd59837ab1fbdc82987a61378cec

    SHA512

    52c22415a7f0cafa1d42163873fb46e8f02a081e9edda7a51c02be87a5c0550e3eebba4f697b33d6e62bf42a79f1cbcb75f281d2cc0dc2a78e6a8e933da20577

  • memory/4632-18-0x0000000000400000-0x00000000004B2000-memory.dmp through memory/4632-40-0x0000000000400000-0x00000000004B2000-memory.dmp

    23 dumps (sequence numbers 18 to 40) of the same region of PID 4632, 0x400000-0x4B2000

    Filesize

    712KB each