Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-06-2024 15:33

General

  • Target

    127d59e896105a4ca97bc280f568dcb0_JaffaCakes118.exe

  • Size

    1.1MB

  • MD5

    127d59e896105a4ca97bc280f568dcb0

  • SHA1

    0a20354cb57ef1d58c4e7c51e24599a5fba172d0

  • SHA256

    3483fc2b3d3897609a3c0374f863ebf6b1c7088ce6ecfa4b4d4db81b8d39edca

  • SHA512

    110e78f265e09f0d49990a069ef3023c448c8acfebb127be8a1d2aa35176a1a3a31992a7a83ac34555e2e354fa42a5de232ff24e96ca0ce4cad350919f019ff2

  • SSDEEP

    24576:SBY/jbLgH/8HM7wv11Coaz7iVW8MilGe05QiwJ0M5QFV:Nak5vzC1iM5icKi38Qj

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\127d59e896105a4ca97bc280f568dcb0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\127d59e896105a4ca97bc280f568dcb0_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2352
    • C:\Users\Admin\AppData\Local\Temp\127d59e896105a4ca97bc280f568dcb0_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\127d59e896105a4ca97bc280f568dcb0_JaffaCakes118.exe
      2⤵
      • Modifies WinLogon for persistence
      • Checks computer location settings
      • Adds Run key to start application
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2512
      • C:\Users\Admin\Documents\MSDCSC\Shell32.exe
        "C:\Users\Admin\Documents\MSDCSC\Shell32.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4232
        • C:\Users\Admin\Documents\MSDCSC\Shell32.exe
          C:\Users\Admin\Documents\MSDCSC\Shell32.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:5108

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Documents\MSDCSC\Shell32.exe

    Filesize

    1.1MB

    MD5

    127d59e896105a4ca97bc280f568dcb0

    SHA1

    0a20354cb57ef1d58c4e7c51e24599a5fba172d0

    SHA256

    3483fc2b3d3897609a3c0374f863ebf6b1c7088ce6ecfa4b4d4db81b8d39edca

    SHA512

    110e78f265e09f0d49990a069ef3023c448c8acfebb127be8a1d2aa35176a1a3a31992a7a83ac34555e2e354fa42a5de232ff24e96ca0ce4cad350919f019ff2

  • memory/2352-2-0x0000000000400000-0x000000000051E000-memory.dmp

    Filesize

    1.1MB

  • memory/2512-0-0x0000000000400000-0x00000000004AF000-memory.dmp

    Filesize

    700KB

  • memory/2512-1-0x0000000000400000-0x00000000004AF000-memory.dmp

    Filesize

    700KB

  • memory/2512-3-0x0000000000400000-0x00000000004AF000-memory.dmp

    Filesize

    700KB

  • memory/2512-4-0x0000000000400000-0x00000000004AF000-memory.dmp

    Filesize

    700KB

  • memory/2512-5-0x0000000000400000-0x00000000004AF000-memory.dmp

    Filesize

    700KB

  • memory/2512-67-0x0000000000400000-0x00000000004AF000-memory.dmp

    Filesize

    700KB

  • memory/4232-73-0x0000000000400000-0x000000000051E000-memory.dmp

    Filesize

    1.1MB

  • memory/5108-75-0x0000000000400000-0x00000000004AF000-memory.dmp

    Filesize

    700KB

  • memory/5108-84-0x0000000000400000-0x00000000004AF000-memory.dmp

    Filesize

    700KB

  • memory/5108-78-0x0000000000400000-0x00000000004AF000-memory.dmp

    Filesize

    700KB

  • memory/5108-77-0x0000000000400000-0x00000000004AF000-memory.dmp

    Filesize

    700KB

  • memory/5108-76-0x0000000000400000-0x00000000004AF000-memory.dmp

    Filesize

    700KB

  • memory/5108-72-0x0000000000400000-0x00000000004AF000-memory.dmp

    Filesize

    700KB

  • memory/5108-79-0x0000000000400000-0x00000000004AF000-memory.dmp

    Filesize

    700KB

  • memory/5108-80-0x0000000000400000-0x00000000004AF000-memory.dmp

    Filesize

    700KB

  • memory/5108-81-0x0000000000400000-0x00000000004AF000-memory.dmp

    Filesize

    700KB

  • memory/5108-82-0x0000000000400000-0x00000000004AF000-memory.dmp

    Filesize

    700KB

  • memory/5108-83-0x0000000000400000-0x00000000004AF000-memory.dmp

    Filesize

    700KB

  • memory/5108-74-0x0000000000400000-0x00000000004AF000-memory.dmp

    Filesize

    700KB

  • memory/5108-85-0x0000000000400000-0x00000000004AF000-memory.dmp

    Filesize

    700KB

  • memory/5108-86-0x0000000000400000-0x00000000004AF000-memory.dmp

    Filesize

    700KB

  • memory/5108-87-0x0000000000400000-0x00000000004AF000-memory.dmp

    Filesize

    700KB

  • memory/5108-88-0x0000000000400000-0x00000000004AF000-memory.dmp

    Filesize

    700KB

  • memory/5108-89-0x0000000000400000-0x00000000004AF000-memory.dmp

    Filesize

    700KB

  • memory/5108-90-0x0000000000400000-0x00000000004AF000-memory.dmp

    Filesize

    700KB

  • memory/5108-91-0x0000000000400000-0x00000000004AF000-memory.dmp

    Filesize

    700KB

  • memory/5108-92-0x0000000000400000-0x00000000004AF000-memory.dmp

    Filesize

    700KB

  • memory/5108-93-0x0000000000400000-0x00000000004AF000-memory.dmp

    Filesize

    700KB