Analysis Overview
SHA256
c6f046412481145ab7556d3d6bb390c286f6ab292833c57a3b6a3c570817483f
Threat Level: Known bad
The file 00ae7ab4d6bf02d1358326df176f4023_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Darkcomet
Uses the VBS compiler for execution
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-19 21:46
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-19 21:46
Reported
2024-06-19 21:48
Platform
win7-20240611-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Darkcomet
Uses the VBS compiler for execution
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2180 wrote to memory of 2112 | N/A | C:\Users\Admin\AppData\Local\Temp\00ae7ab4d6bf02d1358326df176f4023_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\00ae7ab4d6bf02d1358326df176f4023_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\00ae7ab4d6bf02d1358326df176f4023_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-19 21:46
Reported
2024-06-19 21:48
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Darkcomet
Uses the VBS compiler for execution
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2644 wrote to memory of 3172 | N/A | C:\Users\Admin\AppData\Local\Temp\00ae7ab4d6bf02d1358326df176f4023_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\00ae7ab4d6bf02d1358326df176f4023_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\00ae7ab4d6bf02d1358326df176f4023_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Network
Files