Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-06-2024 19:52

Static task: static1
Behavioral task: behavioral1
- Sample: 133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe
- Resource: win7-20240611-en
General
- Target: 133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe
- Size: 689KB
- MD5: 133b22daeb05a907491ce1c8fbef04b9
- SHA1: f801a99437c15f0ac34fe3297b945bf410c37cc2
- SHA256: fdc99489f71d7f72e1ec5746cdae8cc7d441c28082de699d6e066c1c16b1ee77
- SHA512: 2f7ce692eaf86275eeba0eece50841b3f74668ab00be62c3d310cf1201cbdca48fd2b2535302019856ee4c57bc8f6da6471abed89f9d2bce14e89815e7df67ad
- SSDEEP: 12288:dGezWOMTBYrGEVbsgr1mCk5Ko0L78a3BeBv8P8oaTGUZy9amJ9q3K4P3x8c8Hx3w:lLMTBYyEOgkCWK3BeBUkpG1cmJoXfx3P
Malware Config
Extracted: darkcomet
- Guest16
- botnetclients.zapto.org:1604
- DC_MUTEX-4ET0BTN
- gencode: vkUUxAwqAkJT
- install: false
- offline_keylogger: true
- persistence: false
Extracted: latentbot
- botnetclients.zapto.org
Signatures

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
- description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation
  process: 133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe

Executes dropped EXE (2 IoCs)
Processes:
- pid 1656: ƴƐơӸƛ.exe
- pid 1132: svchost.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
- description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Googleupdaterss = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GoogleUpdate.exe"
  process: ƴƐơӸƛ.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes:
- description: PID 624 set thread context of 1132
  pid 624: 133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe
  target process: svchost.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (25 IoCs)
Processes:
- Token: SeDebugPrivilege, pid 624, 133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe
- Token: SeIncreaseQuotaPrivilege, pid 1132, svchost.exe
- Token: SeSecurityPrivilege, pid 1132, svchost.exe
- Token: SeTakeOwnershipPrivilege, pid 1132, svchost.exe
- Token: SeLoadDriverPrivilege, pid 1132, svchost.exe
- Token: SeSystemProfilePrivilege, pid 1132, svchost.exe
- Token: SeSystemtimePrivilege, pid 1132, svchost.exe
- Token: SeProfSingleProcessPrivilege, pid 1132, svchost.exe
- Token: SeIncBasePriorityPrivilege, pid 1132, svchost.exe
- Token: SeCreatePagefilePrivilege, pid 1132, svchost.exe
- Token: SeBackupPrivilege, pid 1132, svchost.exe
- Token: SeRestorePrivilege, pid 1132, svchost.exe
- Token: SeShutdownPrivilege, pid 1132, svchost.exe
- Token: SeDebugPrivilege, pid 1132, svchost.exe
- Token: SeSystemEnvironmentPrivilege, pid 1132, svchost.exe
- Token: SeChangeNotifyPrivilege, pid 1132, svchost.exe
- Token: SeRemoteShutdownPrivilege, pid 1132, svchost.exe
- Token: SeUndockPrivilege, pid 1132, svchost.exe
- Token: SeManageVolumePrivilege, pid 1132, svchost.exe
- Token: SeImpersonatePrivilege, pid 1132, svchost.exe
- Token: SeCreateGlobalPrivilege, pid 1132, svchost.exe
- Token: 33, pid 1132, svchost.exe
- Token: 34, pid 1132, svchost.exe
- Token: 35, pid 1132, svchost.exe
- Token: 36, pid 1132, svchost.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
- pid 1132: svchost.exe

Suspicious use of WriteProcessMemory (23 IoCs)
Processes (identical repeated events collapsed, with their counts):
- PID 624 (133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe) wrote to memory of 760 (csc.exe): 3 events
- PID 760 (csc.exe) wrote to memory of 1788 (cvtres.exe): 3 events
- PID 624 (133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe) wrote to memory of 1656 (ƴƐơӸƛ.exe): 3 events
- PID 624 (133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe) wrote to memory of 1132 (svchost.exe): 14 events
Processes
- C:\Users\Admin\AppData\Local\Temp\133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - child process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gtwvkvzl.cmdline"
    - Suspicious use of WriteProcessMemory
    - child process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A99.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3A98.tmp"
  - child process: C:\Users\Admin\AppData\Local\Temp\ƴƐơӸƛ.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\ƴƐơӸƛ.exe"
    - Executes dropped EXE
    - Adds Run key to start application
  - child process: C:\Users\Admin\AppData\Local\Temp\svchost.exe
    command line: C:\Users\Admin\AppData\Local\Temp\svchost.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\RES3A99.tmp
  Filesize: 1KB
  MD5: f945b67328147d12c25845ea161ced14
  SHA1: 2990d7ee4f3463021fe415648da87a12a8019b80
  SHA256: f5e8b37ecb29a81009c5b8ef43d238a50054e6fd629f7d8c2cbe0dd11e711111
  SHA512: afaf9682582f7fe86412ccc0a63a07e5323f394769a08336a15fea068681110913451b6d2dba97df6f133f550761d0d06f494411377c44c6aa339c7c452fc4a6
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  Filesize: 34KB
  MD5: e118330b4629b12368d91b9df6488be0
  SHA1: ce90218c7e3b90df2a3409ec253048bb6472c2fd
  SHA256: 3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9
  SHA512: ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0
- C:\Users\Admin\AppData\Local\Temp\ƴƐơӸƛ.exe
  Filesize: 4KB
  MD5: 0d445dec862f16335f356fe9e7b0ffb2
  SHA1: b9705ecb09ff5a35937a02f9435918ffda6e2e72
  SHA256: e4282c30dfeac24350abe4b1526f440b74460f0e6c79a006dda923b702f0d72a
  SHA512: d98c52c4f9aa1d3e4678d80cfa0a9bcdf0f22b969f97a417bc36a0bc9840f0f1bec4b1f453076c0010004de556ba914f94b3ab74ef08623a86a08f07e79c1842
- \??\c:\Users\Admin\AppData\Local\Temp\CSC3A98.tmp
  Filesize: 636B
  MD5: 2730ab17d4096ca3bd422d60329a4dd4
  SHA1: 5e2b17f0949eff720b65a436ebcab5ee7c9981a6
  SHA256: 60c5e88c7e70c5261c29c4f6658893c93eebe2c5a0a60b6a7aa8431bd3b55bfa
  SHA512: c74a0088cf03f3171b31a13a54d37d35cadc796f5bec6508291b60835c445cfc04cc1f10ca14b059b58b250aeda235bed6a272839c170700cdb505a532a3d451
- \??\c:\Users\Admin\AppData\Local\Temp\gtwvkvzl.0.cs
  Filesize: 1KB
  MD5: f80b11bd919779674e6eafe423e97e60
  SHA1: 909c86bd235bbae1769517843edb6d963effa3a2
  SHA256: 9c93657602cf1b1d423c530c66cad6fee05420cb9058fd887d689d4aa38bb6c9
  SHA512: c17379d0a5461ba9111bb2367025d993904cf063bd71e93806e672847f5bbe8bfad8953706a358d22f36bad05ec04411445d109d982f1942980953e3819e5c66
- \??\c:\Users\Admin\AppData\Local\Temp\gtwvkvzl.cmdline
  Filesize: 263B
  MD5: 548951bdd37d847911db5ae73ba74dd0
  SHA1: b8e4773b71982f675c3fe8a81ba66b06cd926f2a
  SHA256: c4d9a1e3d8c9022c7749321c08b88e512233cd73ef52f9e1e2354412e509dc80
  SHA512: 3eedadcaa0842dc11fffe3867c906b6d3f6f58ef0ce503b8bc6a3707be8933f5ac4ffc76d68222fcff4f9b56e7f1160d3e930b1b17066babdd867a356ad07f8f

Memory dumps (Filesize in parentheses)
- memory/624-30-0x00000000752C0000-0x0000000075871000-memory.dmp (5.7MB)
- memory/624-1-0x00000000752C0000-0x0000000075871000-memory.dmp (5.7MB)
- memory/624-2-0x00000000752C0000-0x0000000075871000-memory.dmp (5.7MB)
- memory/624-0-0x00000000752C2000-0x00000000752C3000-memory.dmp (4KB)
- memory/760-8-0x00000000752C0000-0x0000000075871000-memory.dmp (5.7MB)
- memory/760-15-0x00000000752C0000-0x0000000075871000-memory.dmp (5.7MB)
- memory/1132-31-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
- memory/1132-43-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
- memory/1132-33-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
- memory/1132-32-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
- memory/1132-49-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
- memory/1132-28-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
- memory/1132-48-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
- memory/1132-22-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
- memory/1132-47-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
- memory/1132-36-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
- memory/1132-37-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
- memory/1132-38-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
- memory/1132-39-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
- memory/1132-40-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
- memory/1132-41-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
- memory/1132-42-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
- memory/1132-26-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
- memory/1132-44-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
- memory/1132-45-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
- memory/1132-46-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
- memory/1656-35-0x00000000752C0000-0x0000000075871000-memory.dmp (5.7MB)
- memory/1656-27-0x00000000752C0000-0x0000000075871000-memory.dmp (5.7MB)
- memory/1656-21-0x00000000752C0000-0x0000000075871000-memory.dmp (5.7MB)