Overview

overview

10

Static

static

3

07e44ffcff...18.exe

windows7-x64

10

07e44ffcff...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    29-04-2024 14:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    07e44ffcffde46ad96eb9c018bed6193_JaffaCakes118.exe

  • Size

    888KB

  • MD5

    07e44ffcffde46ad96eb9c018bed6193

  • SHA1

    43ebee608da73cdc476c773284d1257a4d6fe8ff

  • SHA256

    97329752b4a2f48fed6e10ec54492c31413fe7148bfe6152bffe49ab4a9c7246

  • SHA512

    ec70827ae4267a2340ece89224dd26c98301c64d972d768ff462d8ee84397b8f0571d50afda71b8982fa76ccb88ef7d282d9a7d0e1f31a43c06c6c243c7025e8

  • SSDEEP

    12288:kuOG1pSLsBKa0BBmzmBoJCcsk6TtXGLErHeSVT2j7UyAi46qYIYnnqno8Fyhm0BO:P1UvBqmaJWXTtFrt2XOi46qYICKbCV

Score
10/10
darkcometrattrojan

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\07e44ffcffde46ad96eb9c018bed6193_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\07e44ffcffde46ad96eb9c018bed6193_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2268
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Update\secure" /XML "C:\Users\Admin\AppData\Local\Temp\z564.xml"
      2⤵
      • Creates scheduled task(s)
      PID:2524
    • C:\Users\Admin\AppData\Local\Temp\07e44ffcffde46ad96eb9c018bed6193_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\07e44ffcffde46ad96eb9c018bed6193_JaffaCakes118.exe"
      2⤵
      • Checks BIOS information in registry
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2536

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\z564.xml
    Filesize

    1KB

    MD5

    a8edec783b91e66b4f3ccc0f2f91094e

    SHA1

    edd7a3784a54fdcb7f9f443c567c4a129e0f4ba8

    SHA256

    468a6b9cb76d2ee1ab1d02fdef6dfc8c9f43cd0c30cbebda96d2159dce52436f

    SHA512

    f4ff6c9532b1487245ecde12d641b113b85136ed3aacefcb8319188f904bbdd6bc11cc02639d375bd725451f44cc8fdaa54f2425befa3f8b8a3cdba4c5e839f9

    Download Submit

  • memory/2268-24-0x00000000744A0000-0x0000000074A4B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2268-2-0x0000000000A50000-0x0000000000A90000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2268-1-0x00000000744A0000-0x0000000074A4B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2268-0-0x00000000744A0000-0x0000000074A4B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2536-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2536-15-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/2536-26-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/2536-25-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/2536-12-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/2536-7-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/2536-19-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/2536-17-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/2536-27-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/2536-23-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/2536-28-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/2536-11-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/2536-22-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/2536-9-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/2536-14-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/2536-30-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/2536-29-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/2536-31-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download