Analysis

  • max time kernel
    3s
  • max time network
    5s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-04-2024 01:50

Errors

Reason
Machine shutdown

General

  • Target

    f269ccb519476724082fd3d4383d5ca6_JaffaCakes118.exe

  • Size

    1.1MB

  • MD5

    f269ccb519476724082fd3d4383d5ca6

  • SHA1

    fd9005d5401c9d2df2d792eec8d47ba5cee2b9c6

  • SHA256

    e56800ef1346a3a28f31c466eb1d31655a127c7cb81647bb7697558e7a879ed2

  • SHA512

    77e5f1499acfea03e9cef52d85c1189b7ea0283b005c8584bc559d5ab694c3d3870906c52c012a5ad64930819b05f618852cd289eaa4a73b157c171d799a69ac

  • SSDEEP

    12288:3R3osGLyv32XrpXEJETL3ZaHa1fwd3DqjPtet4nQTl0RgiynJd4m8SdZuZCpnp+Z:B3pvHEdchJFZkyYsBkcUZL

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f269ccb519476724082fd3d4383d5ca6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f269ccb519476724082fd3d4383d5ca6_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:844
    • C:\Users\Admin\AppData\Local\Temp\hostcv.exe
      "C:\Users\Admin\AppData\Local\Temp\hostcv.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2480
      • C:\Users\Admin\AppData\Local\Temp\winini.exe
        C:\Users\Admin\AppData\Local\Temp\winini.exe
        3⤵
        • Executes dropped EXE
        PID:4880
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 12
          4⤵
          • Program crash
          PID:3032
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4880 -ip 4880
    1⤵
    PID:4848

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\hostcv.exe

    Filesize
    696KB

    MD5
    771c6ba0050a51ca574d2e316468720b

    SHA1
    6fc9f25f8f6fd2295e394fbbac529c5ed6a80459

    SHA256
    5bcce062586bf4f2be50b18110cb25f413f2f2049f505f1aed7f588951826900

    SHA512
    bbcbf93ae4ef4a08798c4f68b58267885a3db147d442ee5df449aa723d83d4e6004b901c28d55a463c74c072390b13434fccd198049cd93fc05af097f853fb64

  • C:\Users\Admin\AppData\Local\Temp\winini.exe

    Filesize
    34KB

    MD5
    e118330b4629b12368d91b9df6488be0

    SHA1
    ce90218c7e3b90df2a3409ec253048bb6472c2fd

    SHA256
    3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

    SHA512
    ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

  • memory/844-0-0x0000000074D80000-0x0000000075331000-memory.dmp

    Filesize
    5.7MB

  • memory/844-1-0x00000000018A0000-0x00000000018B0000-memory.dmp

    Filesize
    64KB

  • memory/844-2-0x0000000074D80000-0x0000000075331000-memory.dmp

    Filesize
    5.7MB

  • memory/844-15-0x0000000074D80000-0x0000000075331000-memory.dmp

    Filesize
    5.7MB

  • memory/2480-16-0x0000000074D80000-0x0000000075331000-memory.dmp

    Filesize
    5.7MB

  • memory/2480-18-0x00000000012B0000-0x00000000012C0000-memory.dmp

    Filesize
    64KB

  • memory/2480-21-0x0000000074D80000-0x0000000075331000-memory.dmp

    Filesize
    5.7MB

  • memory/2480-24-0x0000000074D80000-0x0000000075331000-memory.dmp

    Filesize
    5.7MB

  • memory/4880-20-0x0000000013140000-0x000000001320F000-memory.dmp

    Filesize
    828KB