Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 09-12-2024 16:30

Static task: static1
Behavioral task: behavioral1
- Sample: da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe
- Resource: win7-20240708-en
General
- Target: da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe
- Size: 549KB
- MD5: da850e482c7b7b9daa4f2dadc45465b8
- SHA1: a73cfb93a76081704d021c061688f5278fe70e43
- SHA256: b083d9975868f9db819f144c6301051a35ce490af730ca65f3b2fcfedccce962
- SHA512: 65da3971bd9e026f7800ba0e359b108559f1548a9a13dd491a3ecfff4d7561fa76b2dbadbbc5ff7f2c6cf0f91048f0b704b0c75fa7a723c6d47bc3fcfafdbc83
- SSDEEP: 12288:F2S7zTYrvnhMk2r6sl10yYqJOkx6FvUyMrusgfVyr7mr:0S7orak2SIOqFVyhErKr
Malware Config
Extracted
- latentbot: snaggelpuss123.zapto.org
Signatures
- Darkcomet family
- Latentbot family
Modifies firewall policy service 3 TTPs 3 IoCs
description / ioc / Process:
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" (da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe)
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
description / ioc / Process:
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate (da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe)
Executes dropped EXE 2 IoCs
pid / Process:
- 2792 MINECRAFT.EXE
- 2124 MINECRAFT.EXE
Loads dropped DLL 4 IoCs
pid / Process:
- 2664 da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe
- 2664 da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe
- 2664 da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe
- 2664 da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe
Suspicious use of SetThreadContext 1 IoCs
description / pid / Process / procid_target:
- PID 1780 set thread context of 2664; pid 1780, da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe, procid_target 31
Yara rule matches (upx) 10 IoCs
resource / yara_rule:
- behavioral1/memory/2664-5-0x0000000013140000-0x000000001326F000-memory.dmp: upx
- behavioral1/memory/2664-1-0x0000000013140000-0x000000001326F000-memory.dmp: upx
- behavioral1/memory/2664-2-0x0000000013140000-0x000000001326F000-memory.dmp: upx
- behavioral1/memory/2664-7-0x0000000013140000-0x000000001326F000-memory.dmp: upx
- behavioral1/memory/2664-9-0x0000000013140000-0x000000001326F000-memory.dmp: upx
- behavioral1/memory/2664-8-0x0000000013140000-0x000000001326F000-memory.dmp: upx
- behavioral1/memory/2664-78-0x0000000013140000-0x000000001326F000-memory.dmp: upx
- behavioral1/memory/2664-77-0x0000000013140000-0x000000001326F000-memory.dmp: upx
- behavioral1/memory/2664-76-0x0000000013140000-0x000000001326F000-memory.dmp: upx
- behavioral1/memory/2664-116-0x0000000013140000-0x000000001326F000-memory.dmp: upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (MINECRAFT.EXE)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (notepad.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (MINECRAFT.EXE)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe)
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description / ioc / Process:
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe)
Enumerates system info in registry 2 TTPs 1 IoCs
description / ioc / Process:
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier (da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe)
Suspicious use of AdjustPrivilegeToken 23 IoCs
description / pid / Process: all 23 entries are by pid 2664, da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe
- Token: SeIncreaseQuotaPrivilege
- Token: SeSecurityPrivilege
- Token: SeTakeOwnershipPrivilege
- Token: SeLoadDriverPrivilege
- Token: SeSystemProfilePrivilege
- Token: SeSystemtimePrivilege
- Token: SeProfSingleProcessPrivilege
- Token: SeIncBasePriorityPrivilege
- Token: SeCreatePagefilePrivilege
- Token: SeBackupPrivilege
- Token: SeRestorePrivilege
- Token: SeShutdownPrivilege
- Token: SeDebugPrivilege
- Token: SeSystemEnvironmentPrivilege
- Token: SeChangeNotifyPrivilege
- Token: SeRemoteShutdownPrivilege
- Token: SeUndockPrivilege
- Token: SeManageVolumePrivilege
- Token: SeImpersonatePrivilege
- Token: SeCreateGlobalPrivilege
- Token: 33
- Token: 34
- Token: 35
Suspicious use of SetWindowsHookEx 5 IoCs
pid / Process:
- 2724 javaw.exe
- 2664 da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe
- 2360 javaw.exe
- 2724 javaw.exe
- 2360 javaw.exe
Suspicious use of WriteProcessMemory 47 IoCs
description / pid / Process / procid_target (identical events grouped, with their count):
- PID 1780 wrote to memory of 2664; pid 1780, da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe, procid_target 31 (8 events)
- PID 2664 wrote to memory of 2792; pid 2664, da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe, procid_target 32 (4 events)
- PID 2792 wrote to memory of 2724; pid 2792, MINECRAFT.EXE, procid_target 33 (4 events)
- PID 2664 wrote to memory of 2708; pid 2664, da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe, procid_target 34 (23 events)
- PID 2664 wrote to memory of 2124; pid 2664, da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe, procid_target 35 (4 events)
- PID 2124 wrote to memory of 2360; pid 2124, MINECRAFT.EXE, procid_target 36 (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe (level 1, PID 1780)
  Command line: "C:\Users\Admin\AppData\Local\Temp\da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe (level 2, PID 2664)
    Command line: "C:\Users\Admin\AppData\Local\Temp\da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe"
    - Modifies firewall policy service
    - Checks BIOS information in registry
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\MINECRAFT.EXE (level 3, PID 2792)
      Command line: "C:\Users\Admin\AppData\Local\Temp\MINECRAFT.EXE"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Program Files\Java\jre7\bin\javaw.exe (level 4, PID 2724)
        Command line: "C:\Program Files\Java\jre7\bin\javaw.exe" -Xms512m -Xmx1024m -jar "C:\Users\Admin\AppData\Local\Temp\MINECRAFT.EXE"
        - Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\notepad.exe (level 3, PID 2708)
      Command line: C:\Windows\SysWOW64\notepad.exe
      - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\MINECRAFT.EXE (level 3, PID 2124)
      Command line: "C:\Users\Admin\AppData\Local\Temp\MINECRAFT.EXE"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Program Files\Java\jre7\bin\javaw.exe (level 4, PID 2360)
        Command line: "C:\Program Files\Java\jre7\bin\javaw.exe" -Xms512m -Xmx1024m -jar "C:\Users\Admin\AppData\Local\Temp\MINECRAFT.EXE"
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3551809350-4263495960-1443967649-1000\83aa4cc77f591dfc2374580bbd95f6ba_5a410d66-f84f-4a6b-9b29-3982febe58d9
  Filesize: 45B
  MD5: c8366ae350e7019aefc9d1e6e6a498c6
  SHA1: 5731d8a3e6568a5f2dfbbc87e3db9637df280b61
  SHA256: 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
  SHA512: 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd
- (no path recorded for this file)
  Filesize: 263KB
  MD5: 0f1931e26c21219db1c90e90037f11f6
  SHA1: 74b65f7fb7fa197d413ba5bc45cf10304deb4ecc
  SHA256: f4d54e35b857b5dfbca6fefcff5ab5599ce30b62eef7deded6594c5be93d25c3
  SHA512: 0c6a90034e5852915af61ccc091568cb636f583d4c4b5cca8bfc3f7f86bbf6a79f16c324d723c1d3968d7996071bb85a79cd6fde682bb4bfeedfd770b7b8e817