Analysis
-
max time kernel
147s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
20-06-2024 17:48
General
-
Target
085a4a5430ccb482aaf5e1f428b2e035_JaffaCakes118.exe
-
Size
1.7MB
-
MD5
085a4a5430ccb482aaf5e1f428b2e035
-
SHA1
a1a22b49b830728849e84e4c2bb686f73eb252e4
-
SHA256
e4c9e8116827030fee7a80a2d2fbbadb2f0b0fc353dbe8833e57f7852ea86810
-
SHA512
71cd748b221f990e28c7978dd9213ebb711c346fb7bceaf8d01acf115c55afeec3450fd0dbf0b64dd8ab7232a7d92792acab158e681d51049f589b8ab820c1bf
-
SSDEEP
24576:/CSakkVYTNLqPY3Oz8zmpbZipBw8QVJBTyjCtAscY7EAqGvgbidbGFn15jnpCXmO:1k03o3lV3/tAs97EAqGTdban15jnAXd
Malware Config
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies firewall policy service 3 TTPs 3 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 2 IoCs
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 8 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 52 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 3 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\085a4a5430ccb482aaf5e1f428b2e035_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\085a4a5430ccb482aaf5e1f428b2e035_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240646406.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Microsoft" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\service.exe" /f3⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Microsoft\service.exe"C:\Users\Admin\AppData\Roaming\Microsoft\service.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\service.exeC:\Users\Admin\AppData\Roaming\Microsoft\service.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\service.exe4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Roaming\Microsoft" +s +h6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Roaming\Microsoft" +s +h6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE"C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 14486⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\WINDOWSLOGIN.EXE"C:\Users\Admin\AppData\Local\Temp\WINDOWSLOGIN.EXE"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 14326⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\MSDCSC\msdcsc.exe"C:\MSDCSC\msdcsc.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\MSDCSC\msdcsc.exeC:\MSDCSC\msdcsc.exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\MSDCSC\msdcsc.exe7⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4000 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER755B.tmp.xmlFilesize
4KB
MD5e2bb81451f849a0848a9d18574c9018c
SHA14b189fd237b4b42d7c93132b8fe63463958243be
SHA256bd0ea254b6e047137623cd19a511b686d2aeb0d2812494bf5b04ee42aab0fa89
SHA512a598426adcf44ce1d29f22e5792c68c422ca6345f9b26ff375c1e08cbc6787ea6074e283f7ed1f600945cfb22c58910e9c333ecd96901d3f65498941ede29dee
-
C:\Users\Admin\AppData\Local\Temp\240646406.batFilesize
146B
MD57eee65b102f30fd1ead48a8cd3b99827
SHA12f74a754019f280c6186c11531d460006814952e
SHA2565748c60056db288b67e61148b339778816279e36907977f4fe03b5df04f6b57f
SHA512a06de9e35ada579a95b2ba399e4c65b074d642788d456e10e0ae967896ac729c552f715261d9dc8c17fffca8d6b9144a6155ff11ab8569a82bdbd9d26109bd85
-
C:\Users\Admin\AppData\Local\Temp\SERVICES.EXEFilesize
6KB
MD50b3db22d987384297d6d3e37bbb42525
SHA1505682a108f0cf55caaeca6c781f4d49cc2d8edf
SHA256883b8f25dec2a5f565c45363f81402969ce5b5e4d03fc565ccc2fd162916aa00
SHA512b03cae2a2fcd46b0fde982214a11db50f6443d85efcf67b51ef60bb5a9fa3b0ad4b6b274c6175c634c7d343ee9253877d52712d1fee0e5b8843e1d3301273ae8
-
C:\Users\Admin\AppData\Local\Temp\WINDOWSLOGIN.EXEFilesize
6KB
MD5d52e36ac4ab591f5cac32b433d2134fc
SHA1868df7e02042482a37cae9c1b1b7cc25e63b7ab2
SHA256968266055dfa20300ee91a14f3344864b07cd1505054186f91946cccfcb96207
SHA512c77c10dbcf58a86a384b413bb064df1af535af48744fe744d03cdfee16df1efa8275216b9cbe083294dac4cfd9e3445e7bb5e1f9051f462be484ae95ab622541
-
C:\Users\Admin\AppData\Local\Temp\tmpcmd.batFilesize
57B
MD5960ff9f0fdcc7fe6180f159185b228dd
SHA1562e42c0f4c5c1b30b086cd1c110645391bb9cb2
SHA256527513b95baf56c82cc823317b90be26f3d3f3ece8046152cdbb0e8092e7d44d
SHA512a3a4d87968efc28b2d736ebd2d9b818c2e7d58d2588124e05f71d82a1a9b0dd5ae8c145b5b8098089d480da93ad535a427d648f6230f6e2bacfda9056110dc62
-
C:\Users\Admin\AppData\Roaming\Microsoft\service.exeFilesize
1.7MB
MD5d0a34581ffb8d6d99ef29b6e46e06ab8
SHA15a169f12cf42262ffd62cc1bab213654d7a4dac6
SHA256e59240de73344a6cb74551be43702ca23b8c0156ba8cbcb842118509360657f1
SHA512515068e21b1fbb018651e0e53394a5171d92d65eb3de4105efe067cb05f173d6e68d5b908c6684bcf5c53b1891a5752b4b4176044f63e805d7d0896e6c3fd941
-
memory/224-82-0x000000001BEB0000-0x000000001BF56000-memory.dmpFilesize
664KB
-
memory/1768-32-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/1768-35-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/1768-28-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/1768-30-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/1768-77-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/4132-85-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/4132-106-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/4132-100-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/4508-113-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/4508-115-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/4508-121-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/4508-103-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/4508-105-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/4508-120-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/4508-108-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/4508-109-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/4508-110-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/4508-112-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/4508-111-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/4508-119-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/4508-114-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/4508-118-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/4508-116-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/4508-117-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/4864-20-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/4864-31-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/4864-27-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/4864-24-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB