Analysis Overview
SHA256
9882ea1620d446a7b105187db22d23143db52f1fa3014686514d2f1312b8dff2
Threat Level: Known bad
The file 05c46fa4ecf6cf047b9c6cefbcd62971_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Darkcomet family
Darkcomet
Executes dropped EXE
Checks computer location settings
Checks BIOS information in registry
Loads dropped DLL
Adds Run key to start application
Drops file in System32 directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-20 11:56
Signatures
Darkcomet family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 11:56
Reported
2024-06-20 11:59
Platform
win7-20231129-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Darkcomet
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\WINDOWS\\system32\\Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\05c46fa4ecf6cf047b9c6cefbcd62971_JaffaCakes118.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\05c46fa4ecf6cf047b9c6cefbcd62971_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\WINDOWS\SysWOW64\Explorer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\05c46fa4ecf6cf047b9c6cefbcd62971_JaffaCakes118.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "C:\\WINDOWS\\system32\\Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\05c46fa4ecf6cf047b9c6cefbcd62971_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\WINDOWS\SysWOW64\Explorer.exe | C:\Users\Admin\AppData\Local\Temp\05c46fa4ecf6cf047b9c6cefbcd62971_JaffaCakes118.exe | N/A |
| File opened for modification | C:\WINDOWS\SysWOW64\Explorer.exe | C:\Users\Admin\AppData\Local\Temp\05c46fa4ecf6cf047b9c6cefbcd62971_JaffaCakes118.exe | N/A |
| File opened for modification | C:\WINDOWS\SysWOW64\ | C:\Users\Admin\AppData\Local\Temp\05c46fa4ecf6cf047b9c6cefbcd62971_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\05c46fa4ecf6cf047b9c6cefbcd62971_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\05c46fa4ecf6cf047b9c6cefbcd62971_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\05c46fa4ecf6cf047b9c6cefbcd62971_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Users\Admin\AppData\Local\Temp\05c46fa4ecf6cf047b9c6cefbcd62971_JaffaCakes118.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Users\Admin\AppData\Local\Temp\05c46fa4ecf6cf047b9c6cefbcd62971_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2392 wrote to memory of 1268 | N/A | C:\Users\Admin\AppData\Local\Temp\05c46fa4ecf6cf047b9c6cefbcd62971_JaffaCakes118.exe | C:\WINDOWS\SysWOW64\Explorer.exe |
| PID 2392 wrote to memory of 1268 | N/A | C:\Users\Admin\AppData\Local\Temp\05c46fa4ecf6cf047b9c6cefbcd62971_JaffaCakes118.exe | C:\WINDOWS\SysWOW64\Explorer.exe |
| PID 2392 wrote to memory of 1268 | N/A | C:\Users\Admin\AppData\Local\Temp\05c46fa4ecf6cf047b9c6cefbcd62971_JaffaCakes118.exe | C:\WINDOWS\SysWOW64\Explorer.exe |
| PID 2392 wrote to memory of 1268 | N/A | C:\Users\Admin\AppData\Local\Temp\05c46fa4ecf6cf047b9c6cefbcd62971_JaffaCakes118.exe | C:\WINDOWS\SysWOW64\Explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\05c46fa4ecf6cf047b9c6cefbcd62971_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\05c46fa4ecf6cf047b9c6cefbcd62971_JaffaCakes118.exe"
C:\WINDOWS\SysWOW64\Explorer.exe
"C:\WINDOWS\system32\Explorer.exe"
Network
Files
memory/2392-0-0x0000000000400000-0x00000000004E1000-memory.dmp
memory/2392-1-0x00000000002F0000-0x00000000002F1000-memory.dmp
\Windows\SysWOW64\explorer.exe
| MD5 | 40d777b7a95e00593eb1568c68514493 |
| SHA1 | 89a175a12bc20104770d0ef83e553f8b0e06274b |
| SHA256 | 0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894 |
| SHA512 | d5719baef8bef791ef99b4c88d449d45f199638438bd929c1a3e7a74309931c72e03567633135a4fcf4c92e2b53e552f9526cba2e1d85383906d3c1aa21dd67f |
memory/2392-5-0x0000000000400000-0x00000000004E1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 11:56
Reported
2024-06-20 11:59
Platform
win10v2004-20240611-en
Max time kernel
141s
Max time network
124s
Command Line
Signatures
Darkcomet
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\WINDOWS\\system32\\Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\05c46fa4ecf6cf047b9c6cefbcd62971_JaffaCakes118.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\05c46fa4ecf6cf047b9c6cefbcd62971_JaffaCakes118.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\05c46fa4ecf6cf047b9c6cefbcd62971_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\WINDOWS\SysWOW64\Explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "C:\\WINDOWS\\system32\\Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\05c46fa4ecf6cf047b9c6cefbcd62971_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\WINDOWS\SysWOW64\Explorer.exe | C:\Users\Admin\AppData\Local\Temp\05c46fa4ecf6cf047b9c6cefbcd62971_JaffaCakes118.exe | N/A |
| File opened for modification | C:\WINDOWS\SysWOW64\Explorer.exe | C:\Users\Admin\AppData\Local\Temp\05c46fa4ecf6cf047b9c6cefbcd62971_JaffaCakes118.exe | N/A |
| File opened for modification | C:\WINDOWS\SysWOW64\ | C:\Users\Admin\AppData\Local\Temp\05c46fa4ecf6cf047b9c6cefbcd62971_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\05c46fa4ecf6cf047b9c6cefbcd62971_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Users\Admin\AppData\Local\Temp\05c46fa4ecf6cf047b9c6cefbcd62971_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\05c46fa4ecf6cf047b9c6cefbcd62971_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\05c46fa4ecf6cf047b9c6cefbcd62971_JaffaCakes118.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Users\Admin\AppData\Local\Temp\05c46fa4ecf6cf047b9c6cefbcd62971_JaffaCakes118.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings | C:\WINDOWS\SysWOW64\Explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4768 wrote to memory of 1436 | N/A | C:\Users\Admin\AppData\Local\Temp\05c46fa4ecf6cf047b9c6cefbcd62971_JaffaCakes118.exe | C:\WINDOWS\SysWOW64\Explorer.exe |
| PID 4768 wrote to memory of 1436 | N/A | C:\Users\Admin\AppData\Local\Temp\05c46fa4ecf6cf047b9c6cefbcd62971_JaffaCakes118.exe | C:\WINDOWS\SysWOW64\Explorer.exe |
| PID 4768 wrote to memory of 1436 | N/A | C:\Users\Admin\AppData\Local\Temp\05c46fa4ecf6cf047b9c6cefbcd62971_JaffaCakes118.exe | C:\WINDOWS\SysWOW64\Explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\05c46fa4ecf6cf047b9c6cefbcd62971_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\05c46fa4ecf6cf047b9c6cefbcd62971_JaffaCakes118.exe"
C:\WINDOWS\SysWOW64\Explorer.exe
"C:\WINDOWS\system32\Explorer.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| NL | 23.62.61.99:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
memory/4768-0-0x0000000000400000-0x00000000004E1000-memory.dmp
memory/4768-1-0x00000000022E0000-0x00000000022E1000-memory.dmp
C:\Windows\SysWOW64\explorer.exe
| MD5 | 0155e85852fde62a441cbaf485e023be |
| SHA1 | 59482d4b1c0f061426ef71bff8506230faa00701 |
| SHA256 | e0689419d3d7879a229ecf3e74639e4e9ba0669ed4574f47b108097593fc9fbc |
| SHA512 | f1a43adb7b0203dc5ad4613da9645070c4da0d15d8788b50644cb80420d4a38151488aa3888da39a6cb17ef6d3f5ebc5fe08ac948dca1fd0c852dceecd3bafff |
memory/4768-4-0x0000000000400000-0x00000000004E1000-memory.dmp