Analysis

Max time kernel: 149s
Max time network: 150s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 09-12-2024 16:30

Static task: static1
Behavioral task: behavioral1
Sample: da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe
Resource: win7-20240708-en
General

Target: da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe
Size: 549KB
MD5: da850e482c7b7b9daa4f2dadc45465b8
SHA1: a73cfb93a76081704d021c061688f5278fe70e43
SHA256: b083d9975868f9db819f144c6301051a35ce490af730ca65f3b2fcfedccce962
SHA512: 65da3971bd9e026f7800ba0e359b108559f1548a9a13dd491a3ecfff4d7561fa76b2dbadbbc5ff7f2c6cf0f91048f0b704b0c75fa7a723c6d47bc3fcfafdbc83
SSDEEP: 12288:F2S7zTYrvnhMk2r6sl10yYqJOkx6FvUyMrusgfVyr7mr:0S7orak2SIOqFVyhErKr
Malware Config

Extracted family: latentbot
Extracted host: snaggelpuss123.zapto.org
Signatures

Darkcomet family
Latentbot family

Modifies firewall policy service (3 TTPs, 3 IoCs)
Writing EnableFirewall = 0 under the StandardProfile policy key turns the Windows Firewall off for that profile; the DisableNotifications value under the same key is written as well.
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe
Checks BIOS information in registry (2 TTPs, 1 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe

Executes dropped EXE (2 IoCs)
  pid | process
  4844 | MINECRAFT.EXE
  3776 | MINECRAFT.EXE

Network Service Discovery (1 IoCs)
  pid | process
  4556 | GameBarPresenceWriter.exe
Suspicious use of SetThreadContext (1 IoCs)
  description | pid | process | procid_target
  PID 5064 set thread context of 2024 | 5064 | da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe | 83

UPX YARA rule matches in memory (8 IoCs)
All eight matches are the same region of PID 2024 (0x0000000013140000-0x000000001326F000), captured at dump indices 0, 2, 3, 4, 47, 48, 49 and 352.
  resource | yara_rule
  behavioral2/memory/2024-0-0x0000000013140000-0x000000001326F000-memory.dmp | upx
  behavioral2/memory/2024-2-0x0000000013140000-0x000000001326F000-memory.dmp | upx
  behavioral2/memory/2024-4-0x0000000013140000-0x000000001326F000-memory.dmp | upx
  behavioral2/memory/2024-3-0x0000000013140000-0x000000001326F000-memory.dmp | upx
  behavioral2/memory/2024-47-0x0000000013140000-0x000000001326F000-memory.dmp | upx
  behavioral2/memory/2024-48-0x0000000013140000-0x000000001326F000-memory.dmp | upx
  behavioral2/memory/2024-49-0x0000000013140000-0x000000001326F000-memory.dmp | upx
  behavioral2/memory/2024-352-0x0000000013140000-0x000000001326F000-memory.dmp | upx

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MINECRAFT.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | notepad.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MINECRAFT.EXE

Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe

Enumerates system info in registry (2 TTPs, 1 IoCs)
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe
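The registry signatures above (firewall policy, BIOS/processor/system identifier reads, Geo\Nation) are the kind of IoC a responder wants to triage automatically rather than by eye. The following is an added example written for this page, not code from the sandbox, the report, or the sample's authors: it parses the report's flattened "action path [= value] process" lines and applies three rules, one per signature class. The event lines are transcribed from this report; the rule names, the fingerprint threshold and the key lists are my own choices.

```python
"""Classify the registry IoCs listed in the Signatures section of the report."""
import re
from collections import defaultdict

SAMPLE = "da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe"

# Transcribed from the report (one line per signature plus a benign NLS lookup by notepad.exe).
REPORT_EVENTS = [
    f'Set value (int) \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\EnableFirewall = "0" {SAMPLE}',
    f'Set value (int) \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\DisableNotifications = "0" {SAMPLE}',
    f'Key value queried \\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosDate {SAMPLE}',
    f'Key value queried \\REGISTRY\\USER\\S-1-5-21-3350944739-639801879-157714471-1000\\Control Panel\\International\\Geo\\Nation {SAMPLE}',
    f'Key value queried \\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\Identifier {SAMPLE}',
    f'Key value queried \\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\VendorIdentifier {SAMPLE}',
    f'Key opened \\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0 {SAMPLE}',
    f'Key value queried \\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\Identifier {SAMPLE}',
    'Key opened \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\NLS\\Language notepad.exe',
]

EVENT_RE = re.compile(
    r'^(?P<action>Key created|Key opened|Key value queried|Set value \(\w+\))\s+'
    r'(?P<path>\\REGISTRY\\.+?)'            # key path; may contain spaces ("Control Panel")
    r'(?:\s+=\s+"(?P<value>[^"]*)")?'       # optional  = "value"  for Set value events
    r'\s+(?P<process>\S+)$'                 # the process name is always the last token
)

# Rule inputs (my own selection): profile firewall switch, hardware fingerprint keys, geofence key.
FIREWALL_RE = re.compile(r"\\FirewallPolicy\\(?P<profile>\w+Profile)\\EnableFirewall$", re.I)
FINGERPRINT_KEYS = (
    "\\HARDWARE\\DESCRIPTION\\System\\SystemBiosDate",
    "\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\",
    "\\HARDWARE\\DESCRIPTION\\System\\Identifier",
)
GEO_KEY = "\\Control Panel\\International\\Geo\\Nation"


def parse_events(lines):
    """Return a list of dicts with action/path/value/process; lines that do not parse are skipped."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def assess(events, fingerprint_threshold=2):
    """Map each process name to the set of findings the rules raised for it."""
    findings = defaultdict(set)
    fp_keys = defaultdict(set)
    for ev in events:
        proc, path = ev["process"], ev["path"]
        m = FIREWALL_RE.search(path)
        if m and ev["action"].startswith("Set value") and ev["value"] == "0":
            findings[proc].add(f"firewall disabled for {m.group('profile')}")
        for key in FINGERPRINT_KEYS:
            if key.lower() in path.lower():
                fp_keys[proc].add(key)
        if path.lower().endswith(GEO_KEY.lower()):
            findings[proc].add("geofence lookup (Geo\\Nation)")
    # One hardware query is common in legitimate software; several distinct ones together are not.
    for proc, keys in fp_keys.items():
        if len(keys) >= fingerprint_threshold:
            findings[proc].add(f"sandbox fingerprinting ({len(keys)} hardware keys)")
    return dict(findings)


if __name__ == "__main__":
    for proc, hits in assess(parse_events(REPORT_EVENTS)).items():
        print(proc)
        for hit in sorted(hits):
            print("  -", hit)
```

The DisableNotifications write deliberately does not fire the firewall rule: only EnableFirewall = 0 changes the enforcement state, and keying on the profile name lets the same rule cover DomainProfile and PublicProfile writes that other samples make.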
Suspicious use of AdjustPrivilegeToken (24 IoCs)
All 24 adjustments are made by PID 2024 (da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe), i.e. the process enables every privilege present in its token in one sweep rather than the one it needs:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and privilege LUIDs 33, 34, 35, 36 (on Windows 10: SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege, SeDelegateSessionUserImpersonatePrivilege).
Suspicious use of SetWindowsHookEx (6 IoCs)
  pid | process
  4180 | javaw.exe
  4016 | javaw.exe
  2024 | da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe
  4180 | javaw.exe
  4016 | javaw.exe
  4472 | OpenWith.exe

Suspicious use of WriteProcessMemory (40 IoCs)
The 40 events collapse to six source->target edges (the report lists each "PID <src> wrote to memory of <dst> <src> <process> <procid_target>" event separately):
  count | source pid | source process | target pid | procid_target
  8 | 5064 | da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe | 2024 | 83
  3 | 2024 | da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe | 4844 | 84
  2 | 4844 | MINECRAFT.EXE | 4180 | 85
  22 | 2024 | da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe | 396 | 86
  3 | 2024 | da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe | 3776 | 87
  2 | 3776 | MINECRAFT.EXE | 4016 | 88
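The WriteProcessMemory and SetThreadContext signatures above are more useful as a graph than as a list: which process wrote into which, how often, and whether a SetThreadContext followed. The block below is an added example for this page (not code from the sandbox, the report, or the sample's authors) that parses the report's event lines, counts writes per edge, and flags the process-hollowing pattern: a parent that writes into a child running the same image and also sets that child's thread context. The event lines and the PID-to-image map are transcribed from this report; the write-count threshold is my own rule of thumb, on the basis that ordinary process creation already produces a couple of parent-to-child writes (the 2 to 3 writes per MINECRAFT.EXE and javaw.exe edge here) while 8 and 22 do not come from CreateProcess alone.

```python
"""Reconstruct the injection chain from the report's WriteProcessMemory/SetThreadContext events."""
import re
from collections import Counter

SAMPLE = "da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe"

# Transcribed from the report: each distinct edge repeated as often as the report lists it.
WRITE_EVENTS = (
    [f"PID 5064 wrote to memory of 2024 5064 {SAMPLE} 83"] * 8
    + [f"PID 2024 wrote to memory of 4844 2024 {SAMPLE} 84"] * 3
    + ["PID 4844 wrote to memory of 4180 4844 MINECRAFT.EXE 85"] * 2
    + [f"PID 2024 wrote to memory of 396 2024 {SAMPLE} 86"] * 22
    + [f"PID 2024 wrote to memory of 3776 2024 {SAMPLE} 87"] * 3
    + ["PID 3776 wrote to memory of 4016 3776 MINECRAFT.EXE 88"] * 2
)
THREAD_EVENTS = [f"PID 5064 set thread context of 2024 5064 {SAMPLE} 83"]

# PID -> image name, taken from the Processes section of the report.
IMAGES = {
    5064: SAMPLE, 2024: SAMPLE, 396: "notepad.exe",
    4844: "MINECRAFT.EXE", 3776: "MINECRAFT.EXE", 4180: "javaw.exe", 4016: "javaw.exe",
}

# "PID <src> <op> <dst> <src> <image> <procid_target>"; the source PID is repeated in the line.
EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) (?P<dst>\d+) "
    r"(?P=src) (?P<image>\S+) (?P<target>\d+)$"
)


def parse(lines):
    """Return (src_pid, op, dst_pid, src_image) tuples; reject anything unrecognised."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised event line: {line!r}")
        events.append((int(m["src"]), m["op"], int(m["dst"]), m["image"]))
    return events


def edge_counts(events):
    """Number of WriteProcessMemory events per (src, dst) pair."""
    return Counter((s, d) for s, op, d, _ in events if op == "wrote to memory of")


def suspicious_edges(events, min_writes=4):
    """Edges with more writes than process creation alone explains, most writes first."""
    return sorted(
        ((edge, n) for edge, n in edge_counts(events).items() if n >= min_writes),
        key=lambda item: item[1], reverse=True,
    )


def hollowing_candidates(events, images):
    """(parent, child) pairs where the parent wrote into a same-image child and also
    called SetThreadContext on it: the RunPE / process-hollowing sequence."""
    written = edge_counts(events)
    ctx = {(s, d) for s, op, d, _ in events if op == "set thread context of"}
    return sorted(
        (s, d) for (s, d) in ctx if written[(s, d)] and images.get(s) == images.get(d)
    )


if __name__ == "__main__":
    evs = parse(WRITE_EVENTS + THREAD_EVENTS)
    for (src, dst), n in suspicious_edges(evs):
        print(f"{n:3d} writes  {src} ({IMAGES[src]}) -> {dst} ({IMAGES[dst]})")
    print("hollowing candidates:", hollowing_candidates(evs, IMAGES))
```

On this report the two edges that survive the threshold are 5064 -> 2024 (the same image, plus a SetThreadContext, so a hollowing candidate) and 2024 -> 396 (22 writes into a freshly spawned notepad.exe with no SetThreadContext recorded, which is worth a memory dump of PID 396 rather than a verdict from the write count alone).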
Processes

da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe (PID 5064, depth 1)
  Path: C:\Users\Admin\AppData\Local\Temp\da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe (PID 2024, depth 2; second instance of the same image and the SetThreadContext target of PID 5064)
    Path: C:\Users\Admin\AppData\Local\Temp\da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118.exe"
    - Modifies firewall policy service
    - Checks BIOS information in registry
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    MINECRAFT.EXE (PID 4844, depth 3)
      Path: C:\Users\Admin\AppData\Local\Temp\MINECRAFT.EXE
      Command line: "C:\Users\Admin\AppData\Local\Temp\MINECRAFT.EXE"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      javaw.exe (PID 4180, depth 4; MINECRAFT.EXE relaunches itself through javaw.exe as a -jar argument)
        Path: C:\Program Files\Java\jre-1.8\bin\javaw.exe
        Command line: "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Xms512m -Xmx1024m -jar "C:\Users\Admin\AppData\Local\Temp\MINECRAFT.EXE"
        - Suspicious use of SetWindowsHookEx

    notepad.exe (PID 396, depth 3)
      Path: C:\Windows\SysWOW64\notepad.exe
      Command line: C:\Windows\SysWOW64\notepad.exe
      - System Location Discovery: System Language Discovery

    MINECRAFT.EXE (PID 3776, depth 3)
      Path: C:\Users\Admin\AppData\Local\Temp\MINECRAFT.EXE
      Command line: "C:\Users\Admin\AppData\Local\Temp\MINECRAFT.EXE"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      javaw.exe (PID 4016, depth 4)
        Path: C:\Program Files\Java\jre-1.8\bin\javaw.exe
        Command line: "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Xms512m -Xmx1024m -jar "C:\Users\Admin\AppData\Local\Temp\MINECRAFT.EXE"
        - Suspicious use of SetWindowsHookEx

GameBarPresenceWriter.exe (PID 4556, depth 1; separate top-level process, not a child of the sample)
  Path: C:\Windows\System32\GameBarPresenceWriter.exe
  Command line: "C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
  - Network Service Discovery

OpenWith.exe (PID 4472, depth 1; separate top-level process, not a child of the sample)
  Path: C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Dropped file (no path shown in the report)
  Filesize: 46B
  MD5: ec6a009df76f78dfd2f2017dbf915b34
  SHA1: dc29f2341e0294c3c36c5b4b1049bf175f5b79c2
  SHA256: 375afbd2da7bed0db6d1fd56cee9ee91594c9f87bb53fbb14b193cda3bda8580
  SHA512: 5f23678aea44cfa35089163a4bf63016c6014d8778cf63779025681b290d223557606078dc61f2c74d7ca7283cb6f9d74421b7274b84cdbce1c1be21d464a78d

Dropped file (no path shown in the report)
  Filesize: 263KB
  MD5: 0f1931e26c21219db1c90e90037f11f6
  SHA1: 74b65f7fb7fa197d413ba5bc45cf10304deb4ecc
  SHA256: f4d54e35b857b5dfbca6fefcff5ab5599ce30b62eef7deded6594c5be93d25c3
  SHA512: 0c6a90034e5852915af61ccc091568cb636f583d4c4b5cca8bfc3f7f86bbf6a79f16c324d723c1d3968d7996071bb85a79cd6fde682bb4bfeedfd770b7b8e817

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3350944739-639801879-157714471-1000\83aa4cc77f591dfc2374580bbd95f6ba_dd2803c7-d377-4f06-bdfe-aea230fc7b0e
  Filesize: 45B
  MD5: c8366ae350e7019aefc9d1e6e6a498c6
  SHA1: 5731d8a3e6568a5f2dfbbc87e3db9637df280b61
  SHA256: 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
  SHA512: 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd