Analysis

  • max time kernel
    149s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-06-2024 13:41

General

  • Target

    16345de556130b38be95f6e4d8740121_JaffaCakes118.exe

  • Size

    771KB

  • MD5

    16345de556130b38be95f6e4d8740121

  • SHA1

    0ced1e7bcc96fb116bee7076f8894d18c9115cba

  • SHA256

    532eb5e45493e1988bbf041c3db40410abbb456e6199b00d02d141a5b3aeafa7

  • SHA512

    b2e05de7dad1792f6a310e9c57c65b1ad3102251ee657f1e57e6fc9ed703fa222363e0ed0c5528c2e92ed364d9091b6dbf3ebb962b4c981cef8ddeb31def2fc7

  • SSDEEP

    12288:Efbh3edoSdPDze9LBApPsKNoeP313umLcUmyqC+N/jXI0zvvNVR:+R8oYzS12PVaA3LLRHqC+ljXFvzR

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Adds Run key to start application
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4956
    • C:\Windupdt\winupdate.exe
      "C:\Windupdt\winupdate.exe"
      2⤵
      • Windows security bypass
      • Executes dropped EXE
      • Windows security modification
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4920
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        3⤵
          PID:5076
        • C:\Windows\explorer.exe
          "C:\Windows\explorer.exe"
          3⤵
            PID:5092
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3812,i,13640054265074968359,8146127767143474550,262144 --variations-seed-version --mojo-platform-channel-handle=3896 /prefetch:8
        1⤵
          PID:1316

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windupdt\winupdate.exe
    Filesize: 771KB
    MD5: 16345de556130b38be95f6e4d8740121
    SHA1: 0ced1e7bcc96fb116bee7076f8894d18c9115cba
    SHA256: 532eb5e45493e1988bbf041c3db40410abbb456e6199b00d02d141a5b3aeafa7
    SHA512: b2e05de7dad1792f6a310e9c57c65b1ad3102251ee657f1e57e6fc9ed703fa222363e0ed0c5528c2e92ed364d9091b6dbf3ebb962b4c981cef8ddeb31def2fc7

  • memory/4920-47-0x0000000000400000-0x00000000004CE000-memory.dmp
    Filesize: 824KB

  • memory/4920-36-0x0000000000400000-0x00000000004CE000-memory.dmp
    Filesize: 824KB

  • memory/4920-38-0x0000000002180000-0x0000000002181000-memory.dmp
    Filesize: 4KB

  • memory/4920-39-0x0000000000400000-0x00000000004CE000-memory.dmp
    Filesize: 824KB

  • memory/4920-40-0x0000000000400000-0x00000000004CE000-memory.dmp
    Filesize: 824KB

  • memory/4920-43-0x0000000000400000-0x00000000004CE000-memory.dmp
    Filesize: 824KB

  • memory/4920-48-0x0000000000400000-0x00000000004CE000-memory.dmp
    Filesize: 824KB

  • memory/4920-51-0x0000000000400000-0x00000000004CE000-memory.dmp
    Filesize: 824KB

  • memory/4920-52-0x0000000000400000-0x00000000004CE000-memory.dmp
    Filesize: 824KB

  • memory/4956-1-0x0000000002280000-0x0000000002281000-memory.dmp
    Filesize: 4KB

  • memory/4956-35-0x0000000000400000-0x00000000004CE000-memory.dmp
    Filesize: 824KB

  • memory/4956-0-0x0000000000400000-0x00000000004CE000-memory.dmp
    Filesize: 824KB