Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    15-04-2024 07:30

General

  • Target

    f093f75b0c4fb499e79407a6f1e0677b_JaffaCakes118.exe

  • Size

    1.1MB

  • MD5

    f093f75b0c4fb499e79407a6f1e0677b

  • SHA1

    4c49a59b3723aef75f7dbb1270151112cc844c7e

  • SHA256

    7c313a9892feb0bd975f6d8c1fe9ea0447adbf738c88353236079693046bb4d8

  • SHA512

    5034c1fab191f226aaa82f3f44b31d34f078c7aee2027f70a02cf6acb6db239311df60deacf19c1b798a658e4fdf775b4bbd67b0ba813357dc49f8247b7a1a68

  • SSDEEP

    12288:A5fQl3fYNmFm4ODd6spRXLh2pBHMP4KSt9043Q5yzYtS5Ur8bmFzujLRI4LZJZjE:DvYRRLpNAttTXgVan

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f093f75b0c4fb499e79407a6f1e0677b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f093f75b0c4fb499e79407a6f1e0677b_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2020
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      2⤵
      • Modifies WinLogon for persistence
      • Checks BIOS information in registry
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1968
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\SysWOW64\explorer.exe"
        3⤵
          PID:2644

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1968-18-0x0000000000400000-0x00000000004E6000-memory.dmp

      Filesize

      920KB

    • memory/1968-19-0x0000000000280000-0x0000000000281000-memory.dmp

      Filesize

      4KB

    • memory/1968-15-0x0000000000400000-0x00000000004E6000-memory.dmp

      Filesize

      920KB

    • memory/1968-4-0x0000000000400000-0x00000000004E6000-memory.dmp

      Filesize

      920KB

    • memory/1968-6-0x0000000000400000-0x00000000004E6000-memory.dmp

      Filesize

      920KB

    • memory/1968-8-0x0000000000400000-0x00000000004E6000-memory.dmp

      Filesize

      920KB

    • memory/1968-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/1968-12-0x0000000000400000-0x00000000004E6000-memory.dmp

      Filesize

      920KB

    • memory/1968-28-0x0000000000400000-0x00000000004E6000-memory.dmp

      Filesize

      920KB

    • memory/1968-20-0x0000000000400000-0x00000000004E6000-memory.dmp

      Filesize

      920KB

    • memory/1968-17-0x0000000000400000-0x00000000004E6000-memory.dmp

      Filesize

      920KB

    • memory/1968-16-0x0000000000400000-0x00000000004E6000-memory.dmp

      Filesize

      920KB

    • memory/2020-0-0x0000000074700000-0x0000000074CAB000-memory.dmp

      Filesize

      5.7MB

    • memory/2020-1-0x0000000074700000-0x0000000074CAB000-memory.dmp

      Filesize

      5.7MB

    • memory/2020-2-0x0000000000970000-0x00000000009B0000-memory.dmp

      Filesize

      256KB

    • memory/2020-14-0x0000000074700000-0x0000000074CAB000-memory.dmp

      Filesize

      5.7MB

    • memory/2644-27-0x0000000000400000-0x000000000051E000-memory.dmp

      Filesize

      1.1MB

    • memory/2644-23-0x0000000000400000-0x000000000051E000-memory.dmp

      Filesize

      1.1MB

    • memory/2644-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB