Analysis

  • max time kernel
    153s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-06-2024 01:58

General

  • Target

    1446d50ecf1384818a85d24238464f1d_JaffaCakes118.exe

  • Size

    732KB

  • MD5

    1446d50ecf1384818a85d24238464f1d

  • SHA1

    d4dcd8a9b0b87e8593db081f2656c0a4daf9eab9

  • SHA256

    c506bdc545ffd804df9b91ce4d1320945c07d3b13e5a8c45abe7aee9b06d0428

  • SHA512

    243a59db8eec7bfa0628e40bf3912f1a5fe99e928dcb74f9df3b02727237d8e9f1fd43f1e97c41d295adb4668900c868e294d279d92ad2bb9725df5044323be0

  • SSDEEP

    12288:7FwXAw6/n1ouMfjNgoqrYYcSSG9oPTMGX+AIsLtQiinxbt2rg5xkaPRHw/okTcZh:7ia/n1ou+jGv0YcSSG9oP4GX+AIsLtQh

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1446d50ecf1384818a85d24238464f1d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1446d50ecf1384818a85d24238464f1d_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1884
    • C:\Users\Admin\AppData\Local\Temp\run.exe
      "C:\Users\Admin\AppData\Local\Temp\run.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1164
      • C:\Windupdt\winupdate.exe
        "C:\Windupdt\winupdate.exe"
        3⤵
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of AdjustPrivilegeToken
        PID:4048
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3660 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:452

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\run.exe

      Filesize

      714KB

      MD5

      1fa9af8c7e8272904027add5bc3cd908

      SHA1

      56bb82a0f60168c9dac19140de5ed7e46fc7ee27

      SHA256

      817f18a2364ebc92f327098a12c63a7497645e770683b0f2e3779fb5362f1b46

      SHA512

      c766fcbbbd5e8f432920f489a0817dbd95536c53773a83e3d0536dd54bd29697febdd6b6c9b32d14b15ad02a90f7f0b7aeb3566bb582b3d36f42e9c6f64917ab

    • memory/1164-35-0x0000000002890000-0x0000000002891000-memory.dmp

      Filesize

      4KB

    • memory/1164-45-0x0000000000400000-0x00000000004C0000-memory.dmp

      Filesize

      768KB

    • memory/1884-5-0x0000000000400000-0x0000000000406000-memory.dmp

      Filesize

      24KB

    • memory/4048-46-0x0000000000400000-0x00000000004C0000-memory.dmp

      Filesize

      768KB

    • memory/4048-48-0x0000000000400000-0x00000000004C0000-memory.dmp

      Filesize

      768KB

    • memory/4048-50-0x0000000000400000-0x00000000004C0000-memory.dmp

      Filesize

      768KB

    • memory/4048-52-0x0000000000400000-0x00000000004C0000-memory.dmp

      Filesize

      768KB

    • memory/4048-54-0x0000000000400000-0x00000000004C0000-memory.dmp

      Filesize

      768KB

    • memory/4048-56-0x0000000000400000-0x00000000004C0000-memory.dmp

      Filesize

      768KB

    • memory/4048-58-0x0000000000400000-0x00000000004C0000-memory.dmp

      Filesize

      768KB