Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-04-2024 01:56

General

  • Target

    f007b11b6014d888d33b581c438bc296_JaffaCakes118.exe

  • Size

    757KB

  • MD5

    f007b11b6014d888d33b581c438bc296

  • SHA1

    18fe4c3997b5730b3c0a375314be046903325817

  • SHA256

    570985f06c6a51a2df7ff6706931807de298709e0083a56b38caf572635efec0

  • SHA512

    58bc0f72616b8f918ffce1b50a858b50596784e8062860cceb4b9ac92103147f719729460b86c009ce6e404a073beb438d0880e97f23ce61fa66d66e609645b5

  • SSDEEP

    12288:w9AFlAd0Z+89cxTGzO4AucTD8QP2lmFSrVs9LqnKEqMd0QZh9u:2AQ6Zx9cxTmOrucTIEFSpOGVD0QZh9u

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies firewall policy service 2 TTPs 3 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 1 IoCs
  • Disables Task Manager via registry modification
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f007b11b6014d888d33b581c438bc296_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f007b11b6014d888d33b581c438bc296_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks BIOS information in registry
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:460
    • C:\Windows\SysWOW64\notepad.exe
      notepad
      2⤵
      • Adds Run key to start application
      PID:3720
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      2⤵
      • Modifies firewall policy service
      • Modifies security service
      • Windows security bypass
      • Checks BIOS information in registry
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4604
      • C:\Windows\SysWOW64\notepad.exe
        C:\Windows\SysWOW64\notepad.exe
        3⤵
          PID:2876
      • C:\Windows\SysWOW64\notepad.exe
        C:\Windows\SysWOW64\notepad.exe
        2⤵
        • Deletes itself
        PID:3200
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3480,i,353436235481858446,15149564830344523381,262144 --variations-seed-version --mojo-platform-channel-handle=1728 /prefetch:8
      1⤵
        PID:2340

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windupdt\winupdate.exe

        Filesize

        757KB

        MD5

        f007b11b6014d888d33b581c438bc296

        SHA1

        18fe4c3997b5730b3c0a375314be046903325817

        SHA256

        570985f06c6a51a2df7ff6706931807de298709e0083a56b38caf572635efec0

        SHA512

        58bc0f72616b8f918ffce1b50a858b50596784e8062860cceb4b9ac92103147f719729460b86c009ce6e404a073beb438d0880e97f23ce61fa66d66e609645b5

      • memory/460-0-0x00000000021F0000-0x00000000021F1000-memory.dmp

        Filesize

        4KB

      • memory/460-11-0x0000000013140000-0x000000001320F000-memory.dmp

        Filesize

        828KB

      • memory/2876-15-0x00000000012D0000-0x00000000012D1000-memory.dmp

        Filesize

        4KB

      • memory/3200-9-0x0000000001220000-0x0000000001221000-memory.dmp

        Filesize

        4KB

      • memory/3720-2-0x0000000001410000-0x0000000001411000-memory.dmp

        Filesize

        4KB

      • memory/4604-7-0x0000000013140000-0x000000001320F000-memory.dmp

        Filesize

        828KB

      • memory/4604-10-0x0000000013140000-0x000000001320F000-memory.dmp

        Filesize

        828KB

      • memory/4604-14-0x0000000000E50000-0x0000000000E51000-memory.dmp

        Filesize

        4KB

      • memory/4604-12-0x0000000013140000-0x000000001320F000-memory.dmp

        Filesize

        828KB

      • memory/4604-16-0x0000000013140000-0x000000001320F000-memory.dmp

        Filesize

        828KB

      • memory/4604-17-0x0000000013140000-0x000000001320F000-memory.dmp

        Filesize

        828KB

      • memory/4604-13-0x0000000013140000-0x000000001320F000-memory.dmp

        Filesize

        828KB

      • memory/4604-8-0x0000000013140000-0x000000001320F000-memory.dmp

        Filesize

        828KB

      • memory/4604-19-0x0000000013140000-0x000000001320F000-memory.dmp

        Filesize

        828KB