Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-06-2024 13:41

General

  • Target

    16345de556130b38be95f6e4d8740121_JaffaCakes118.exe

  • Size

    771KB

  • MD5

    16345de556130b38be95f6e4d8740121

  • SHA1

    0ced1e7bcc96fb116bee7076f8894d18c9115cba

  • SHA256

    532eb5e45493e1988bbf041c3db40410abbb456e6199b00d02d141a5b3aeafa7

  • SHA512

    b2e05de7dad1792f6a310e9c57c65b1ad3102251ee657f1e57e6fc9ed703fa222363e0ed0c5528c2e92ed364d9091b6dbf3ebb962b4c981cef8ddeb31def2fc7

  • SSDEEP

    12288:Efbh3edoSdPDze9LBApPsKNoeP313umLcUmyqC+N/jXI0zvvNVR:+R8oYzS12PVaA3LLRHqC+ljXFvzR

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  • Windows security bypass (2 TTPs, 2 IoCs)
  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (4 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification (2 TTPs, 1 IoC)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Enumerates connected drives (3 TTPs, 21 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory (2 IoCs)
  • Suspicious use of SetThreadContext (1 IoC)
  • Drops file in Program Files directory (64 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1224
      • C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe"
        2⤵
        • Adds Run key to start application
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:332
        • C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe"
          3⤵
          • Modifies WinLogon for persistence
          • Loads dropped DLL
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2068
          • C:\Windupdt\winupdate.exe
            "C:\Windupdt\winupdate.exe"
            4⤵
            • Windows security bypass
            • Executes dropped EXE
            • Loads dropped DLL
            • Windows security modification
            • Suspicious use of SetThreadContext
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:836
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
              5⤵
              • Windows security bypass
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:2592

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\readme.eml

      Filesize

      14KB

      MD5

      f543083e2a5d7ed9840d9a32b0a9d2ce

      SHA1

      a950d39a11603820b53755a4d0ffe36f5db5783f

      SHA256

      53f4c656bf9670eb837912f64fd5641aa96863fc264e7e731c40b8a4472396d8

      SHA512

      5ef3a23e644566ec8eb125ce0e607dda1fa9b4e2d52e92b98d0c252e228a55c004436c0ae4c7254dafa9fb200a83a80dacad280200a7ffd12b0729ba8480709c

    • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

      Filesize

      12KB

      MD5

      8156706568e77846b7bfbcc091c6ffeb

      SHA1

      792aa0db64f517520ee8f745bee71152532fe4d2

      SHA256

      5e19cfbd6690649d3349e585472385186d99f56a94dc32d9073b83011cea85f8

      SHA512

      8760f26069296f0fe09532f1244d93a57db4cafa8d06aaa9dc981bcaed4bde05366ef21e6f0c1aadad4478382b59a4e43d26c04185cf2ed965901321d05604b8

    • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

      Filesize

      8KB

      MD5

      7757fe48a0974cb625e89012c92cc995

      SHA1

      e4684021f14053c3f9526070dc687ff125251162

      SHA256

      c0a8aa811a50c9b592c8f7987c016e178c732d7ebfd11aa985a8f0480539fa03

      SHA512

      b3d4838b59f525078542e7ebbf77300d6f94e13b0bff1c9a2c5b44a66b89310a2593815703f9571565c18b0cdeb84e9e48432208aaa25dff9d2223722902d526

    • C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

      Filesize

      451KB

      MD5

      6d5d0522e89e5800841a9751bfa0521a

      SHA1

      ee651d5b2486a338b4de0964a43c8b2a5a8c5966

      SHA256

      0a7822b96ece567633b222d20f1cae5a0569fc28d86c84ece5c61016aa9487a1

      SHA512

      28171b0b04e8a3be2ff7f997c134b652a6a584809a35f2bc2a3293bb31a6a126d03f39831bcfe24705d6d9b0b1754e0c05ccbd339f2cde678923a8e91ab2a9db

    • C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

      Filesize

      640KB

      MD5

      82bc39595f31924c757a45d812beeecd

      SHA1

      fe8d453eb05a87732ac28f62cf31d0c48726dbdf

      SHA256

      a430fd6b58bba1e01fc70d7b579c2826b06357b1bc8692dd416139e17684e0d6

      SHA512

      507fa3db5621aed0514ca9ab4e9e8730989d5580fca10013a6bc884791cf75691d5e40c920a54546b8fe2bca5fafb87aff8f96ecd433ce11d4c2705251914099

    • C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

      Filesize

      640KB

      MD5

      6f7a466db89aa477ee5a513527dad359

      SHA1

      d7ab2985230d654160e8a428a5e729dbbaff47f3

      SHA256

      c25a43fda3d23a570dcc9ebed7cc3101712b9521e2e38b660a621e9dca1c6eee

      SHA512

      c9fc69360c095ade135cc8b6368983c4cabe5790d7211d7d281e38841392cc052df16f9e63af6ae02b55ff6a0abce10bb90b8ee3e317fc326fc8633bc06acdc6

    • C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

      Filesize

      461KB

      MD5

      3406a8cdb7015994b947b5571e0b80ef

      SHA1

      ba9292c82c29968e49624163f146b905a1548952

      SHA256

      b87e5d5566223d96ed5b8dee670cb45311acd1dd85d4d37bbe493946ec50a654

      SHA512

      9e5503f0c2cb5369e47e636d0392f5db6b4bf2b375d0ab2ad94b7ca4a7e4e293e96a9bd6f5b96f51ffe61d4ae614cd1a05707a7570185914d5f8dcd840a5a6b2

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

      Filesize

      451KB

      MD5

      99645b83b2150282dfd642afe26c573b

      SHA1

      5a310627f0d411bb57145f35ce48c8b9c57a355e

      SHA256

      4559d8f333f86ce44379f2063de9523307dd107933fe4f22a5258ecda8702830

      SHA512

      6c31fd0d899e54a0700c2331388d61734fc9137e816952c2e5781f21b4e71c0b7f0603e00b736e84868bb54b011b37aa64dd751d2531fc9adffe2e020b2cdb3f

    • C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

      Filesize

      461KB

      MD5

      f3439478eac0265bbfb6151370c2d051

      SHA1

      e8fb20db05222b6101c8f93f231edb8d5ea872c3

      SHA256

      5ce87e9e191e55fd25d1a7145ff1c123e30574a57b30df048ce20323c23ba476

      SHA512

      1d076ae14a440d280df5c0c7508769e661f06f0ff134bd0caa2c77da6be2f9cda9a20d2c772263c13dd07eae98e0db15385cd756e8d1a07b6a41fb2c042656b1

    • C:\Users\Admin\AppData\Local\Temp\ose00000.exe

      Filesize

      152KB

      MD5

      2f8ec7065fc6d01c6b9c121268f6179e

      SHA1

      65e8919b2b82bc547ea184f17647ad7574ba8ee6

      SHA256

      516b6ee757d32e4931a299ca0a24e7f93b3b75bdd0c8826b39a078508d2502de

      SHA512

      f237d281c4881a1989d71bde9a38a8b43d9e733696c199b9a5573afdd1bf28b60abed5ba074c41cb6e26e3de8256fec130fed4d6534c9491b2d8bea53879d166

    • C:\Windows\SysWOW64\runouce.exe

      Filesize

      10KB

      MD5

      4ba49affda6b270ba410a6aa3156041b

      SHA1

      589bac9796bdf20de8c4506ef8d345862ca96881

      SHA256

      f47fee017927f072cc051e1557135e84f03c62f37c332dcb729648e16ca3abef

      SHA512

      7c5f5fd34470c95e6cc0782de6f2ded30e1f1fde2b6e84d2c12c5da0b384c8514fc2013a0597271cdc9ba02852b9da5d255c60258d3df15cdf44e2937b13582a

    • C:\vcredist2010_x86.log.html

      Filesize

      81KB

      MD5

      e791f3e552ad5dad5cc5284177701858

      SHA1

      b1e444a3e21f24da0e696486725246f593f7e477

      SHA256

      c9ab47792cdbe09c2e010dd13920213f5b6264ef40d1eab209dabbda7a283e01

      SHA512

      f6aad713f1bbc388b1691ed02077fefe626f1b43ae5f2bc6cc489bc33e31dfcbc32258d18d79a40ea191adba2a65dc6ea2aed62a83e40877c8bb232394501b69

    • \Windupdt\winupdate.exe

      Filesize

      771KB

      MD5

      16345de556130b38be95f6e4d8740121

      SHA1

      0ced1e7bcc96fb116bee7076f8894d18c9115cba

      SHA256

      532eb5e45493e1988bbf041c3db40410abbb456e6199b00d02d141a5b3aeafa7

      SHA512

      b2e05de7dad1792f6a310e9c57c65b1ad3102251ee657f1e57e6fc9ed703fa222363e0ed0c5528c2e92ed364d9091b6dbf3ebb962b4c981cef8ddeb31def2fc7

    • memory/332-0-0x0000000000400000-0x00000000004CE000-memory.dmp

      Filesize

      824KB

    • memory/332-1087-0x0000000000400000-0x00000000004CE000-memory.dmp

      Filesize

      824KB

    • memory/332-1034-0x0000000000400000-0x00000000004CE000-memory.dmp

      Filesize

      824KB

    • memory/332-1030-0x0000000000400000-0x00000000004CE000-memory.dmp

      Filesize

      824KB

    • memory/332-462-0x0000000000400000-0x00000000004CE000-memory.dmp

      Filesize

      824KB

    • memory/332-567-0x0000000000400000-0x00000000004CE000-memory.dmp

      Filesize

      824KB

    • memory/332-876-0x0000000000400000-0x00000000004CE000-memory.dmp

      Filesize

      824KB

    • memory/332-985-0x0000000000400000-0x00000000004CE000-memory.dmp

      Filesize

      824KB

    • memory/836-23-0x0000000000400000-0x00000000004CE000-memory.dmp

      Filesize

      824KB

    • memory/836-20-0x0000000000230000-0x00000000002FE000-memory.dmp

      Filesize

      824KB

    • memory/836-15-0x0000000000400000-0x00000000004CE000-memory.dmp

      Filesize

      824KB

    • memory/1224-5-0x0000000002D30000-0x0000000002D31000-memory.dmp

      Filesize

      4KB

    • memory/1224-4-0x0000000002D30000-0x0000000002D31000-memory.dmp

      Filesize

      4KB

    • memory/2068-13-0x0000000000400000-0x00000000004CE000-memory.dmp

      Filesize

      824KB

    • memory/2068-2-0x0000000000260000-0x0000000000261000-memory.dmp

      Filesize

      4KB

    • memory/2068-1-0x0000000000400000-0x00000000004CE000-memory.dmp

      Filesize

      824KB

    • memory/2592-21-0x0000000000400000-0x00000000004CE000-memory.dmp

      Filesize

      824KB