Overview

overview

10

Static

static

3

eb2b67ed74...18.exe

windows7-x64

10

eb2b67ed74...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    118s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    10/04/2024, 13:26

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    eb2b67ed7492c18927170a54fc5146cd_JaffaCakes118.exe

  • Size

    2.3MB

  • MD5

    eb2b67ed7492c18927170a54fc5146cd

  • SHA1

    b5c746c4856296a6c018fe4235ac455376543248

  • SHA256

    748a3f4500b4184fff913426710b7469bd0879847e101281474e65d0b9b951c6

  • SHA512

    3c540c7b0b4149008f68ca731b89b7f84962e71e60b0bc5e0be154c7f3e32d9144edda3a53e1b8bf32ea705b0c2d8660b22f62f871cbd7bbe9fe0acae2d4903a

  • SSDEEP

    24576:juzX9cQQiwE3I8A17BXk/38bYdfzPhbJEBgLeGLsxIDw+Za:xmCB0l9CG1Z

Score
10/10
darkcometevasionrattrojan

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies firewall policy service 2 TTPs 3 IoCs
    evasion
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb2b67ed7492c18927170a54fc5146cd_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eb2b67ed7492c18927170a54fc5146cd_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2852
    • C:\ProgramData\syshost.exe
      C:\ProgramData\syshost.exe
      2⤵
      • Modifies firewall policy service
      • Disables RegEdit via registry modification
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3032
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\SysWOW64\explorer.exe"
        3⤵
          PID:2476

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • \ProgramData\syshost.exe
            Filesize

            6KB

            MD5

            36c689700adbb227867e409938607270

            SHA1

            6123e236f73faa37600a60107a5b167980b83a61

            SHA256

            a2158014ecd471868954d0e97397f9df43e310c48d56fa0b5a6ef908dc654adf

            SHA512

            c75728ed30135032a6755e33b9034b98c871554c33a4b8ba1586e0b3282dbc65e3b61571d407365b24289dae2de56b514ef0db744f85e6648dc6432a33b85fef

            Download Submit

          • memory/2476-41-0x0000000000400000-0x0000000000406000-memory.dmp

            Filesize

            24KB

            Download

          • memory/2476-40-0x0000000000400000-0x0000000000406000-memory.dmp

            Filesize

            24KB

            Download

          • memory/2476-38-0x0000000000400000-0x0000000000406000-memory.dmp

            Filesize

            24KB

            Download

          • memory/2476-34-0x0000000000400000-0x0000000000406000-memory.dmp

            Filesize

            24KB

            Download

          • memory/2476-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2476-30-0x0000000000400000-0x0000000000406000-memory.dmp

            Filesize

            24KB

            Download

          • memory/2852-0-0x00000000747D0000-0x0000000074D7B000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/2852-1-0x00000000747D0000-0x0000000074D7B000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/2852-2-0x0000000000420000-0x0000000000460000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2852-25-0x00000000747D0000-0x0000000074D7B000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/3032-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3032-28-0x0000000000400000-0x00000000004B0000-memory.dmp

            Filesize

            704KB

            Download

          • memory/3032-22-0x0000000000400000-0x00000000004B0000-memory.dmp

            Filesize

            704KB

            Download

          • memory/3032-24-0x0000000000400000-0x00000000004B0000-memory.dmp

            Filesize

            704KB

            Download

          • memory/3032-18-0x0000000000400000-0x00000000004B0000-memory.dmp

            Filesize

            704KB

            Download

          • memory/3032-26-0x0000000000400000-0x00000000004B0000-memory.dmp

            Filesize

            704KB

            Download

          • memory/3032-27-0x00000000002E0000-0x00000000002E1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3032-19-0x0000000000400000-0x00000000004B0000-memory.dmp

            Filesize

            704KB

            Download

          • memory/3032-17-0x0000000000400000-0x00000000004B0000-memory.dmp

            Filesize

            704KB

            Download

          • memory/3032-16-0x0000000000400000-0x00000000004B0000-memory.dmp

            Filesize

            704KB

            Download

          • memory/3032-14-0x0000000000400000-0x00000000004B0000-memory.dmp

            Filesize

            704KB

            Download

          • memory/3032-35-0x0000000000400000-0x00000000004B0000-memory.dmp

            Filesize

            704KB

            Download

          • memory/3032-13-0x0000000000400000-0x00000000004B0000-memory.dmp

            Filesize

            704KB

            Download

          • memory/3032-12-0x0000000000400000-0x00000000004B0000-memory.dmp

            Filesize

            704KB

            Download

          • memory/3032-10-0x0000000000400000-0x00000000004B0000-memory.dmp

            Filesize

            704KB

            Download