Overview

overview

10

Static

static

3

1e479f954d...18.exe

windows7-x64

10

1e479f954d...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    47s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-07-2024 06:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1e479f954d2399585aec7aeb0783bbc1_JaffaCakes118.exe

  • Size

    778KB

  • MD5

    1e479f954d2399585aec7aeb0783bbc1

  • SHA1

    36757502115a0f4585549b37310a8b150236fec3

  • SHA256

    456daeb1ed3b635a9297fbe349f245adda4f1d62e8ba08a84d161f9ac097fabd

  • SHA512

    287e8b9df46e588cfe1a867010a598db05fcf1065cf2a7292b7a28c20040a50a45a56dd957c0abd598de38409b3c74d34f07ee2c3607a0bf31ed823525f582a8

  • SSDEEP

    24576:AHh8b+qK/cGks3yguUk57r6CyvIpqSus/Z:G9Lep57VuIpvB

Score
10/10
darkcometpersistencerattrojanupx

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 26 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1e479f954d2399585aec7aeb0783bbc1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1e479f954d2399585aec7aeb0783bbc1_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2788
    • C:\Users\Admin\AppData\Local\Temp\opipip.exe
      "C:\Users\Admin\AppData\Local\Temp\opipip.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3136
      • C:\Users\Admin\AppData\Local\Temp\opipip.exe
        "C:\Users\Admin\AppData\Local\Temp\opipip.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Checks BIOS information in registry
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2656
        • C:\Users\Admin\AppData\Local\Temp\Windupdt_microsoft\winupdate_microsoft.exe
          "C:\Users\Admin\AppData\Local\Temp\Windupdt_microsoft\winupdate_microsoft.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:5080
          • C:\Users\Admin\AppData\Local\Temp\Windupdt_microsoft\winupdate_microsoft.exe
            "C:\Users\Admin\AppData\Local\Temp\Windupdt_microsoft\winupdate_microsoft.exe"
            5⤵
              PID:1964
      • C:\Users\Admin\AppData\Local\Temp\keygen.exe
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: GetForegroundWindowSpam
        PID:2496
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x508 0x300
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3132

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\keygen.exe
      Filesize

      540KB

      MD5

      4d864e429b90e30fb1bb972b475b2d5b

      SHA1

      e08ccbe42b9668cfb3db6090bca294605c6bf729

      SHA256

      29ebadfed12048934f7ef225e2a3af2606820dd329b8fd0e7384f9ab4257e3be

      SHA512

      5b40d68518ddb4c7f7b00c1668aa9fc29b7ad93fd6c7826ab6cc58eacd1c7e69f08f23b7bfd4e854b16aa5bd1280c43e1cb25159e2b64b404e4035afa19c7e5d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\opipip.exe
      Filesize

      555KB

      MD5

      1b321bec48a0029266f2b785e7bccf49

      SHA1

      9281e0a0ab17ff38d517385420c820e76b24ce4c

      SHA256

      152a27d1f470a7cd2a0ed41fca1789ac17d3718ef668fb7e86a2d01e4bb097ca

      SHA512

      5a0ee4dd43169119aa08cb42e268663c0e22e15d784b7e3e0561c628216903bdddc329b35829057cbd3ea66f4e3e9b31befb6df71e6aa895928aced99315cb5c

      Download Submit

    • memory/2496-56-0x0000000000400000-0x000000000049A000-memory.dmp

      Filesize

      616KB

      Download

    • memory/2496-58-0x0000000000400000-0x000000000049A000-memory.dmp

      Filesize

      616KB

      Download

    • memory/2496-48-0x0000000000400000-0x000000000049A000-memory.dmp

      Filesize

      616KB

      Download

    • memory/2496-55-0x0000000000400000-0x000000000049A000-memory.dmp

      Filesize

      616KB

      Download

    • memory/2496-62-0x0000000000400000-0x000000000049A000-memory.dmp

      Filesize

      616KB

      Download

    • memory/2496-54-0x0000000000400000-0x000000000049A000-memory.dmp

      Filesize

      616KB

      Download

    • memory/2496-53-0x0000000000400000-0x000000000049A000-memory.dmp

      Filesize

      616KB

      Download

    • memory/2496-52-0x0000000000400000-0x000000000049A000-memory.dmp

      Filesize

      616KB

      Download

    • memory/2496-61-0x0000000000400000-0x000000000049A000-memory.dmp

      Filesize

      616KB

      Download

    • memory/2496-51-0x0000000000400000-0x000000000049A000-memory.dmp

      Filesize

      616KB

      Download

    • memory/2496-57-0x0000000000400000-0x000000000049A000-memory.dmp

      Filesize

      616KB

      Download

    • memory/2496-60-0x0000000000400000-0x000000000049A000-memory.dmp

      Filesize

      616KB

      Download

    • memory/2496-59-0x0000000000400000-0x000000000049A000-memory.dmp

      Filesize

      616KB

      Download

    • memory/2496-63-0x0000000000400000-0x000000000049A000-memory.dmp

      Filesize

      616KB

      Download

    • memory/2656-17-0x0000000000400000-0x00000000004C5000-memory.dmp

      Filesize

      788KB

      Download

    • memory/2656-19-0x0000000000400000-0x00000000004C5000-memory.dmp

      Filesize

      788KB

      Download

    • memory/2656-24-0x0000000000400000-0x00000000004C5000-memory.dmp

      Filesize

      788KB

      Download

    • memory/2656-46-0x0000000000400000-0x00000000004C5000-memory.dmp

      Filesize

      788KB

      Download

    • memory/2656-27-0x0000000002910000-0x0000000002911000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2656-22-0x0000000000400000-0x00000000004C5000-memory.dmp

      Filesize

      788KB

      Download

    • memory/2656-23-0x0000000000400000-0x00000000004C5000-memory.dmp

      Filesize

      788KB

      Download

    • memory/2656-15-0x0000000000400000-0x00000000004C5000-memory.dmp

      Filesize

      788KB

      Download

    • memory/2788-0-0x0000000074C82000-0x0000000074C83000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2788-2-0x0000000074C80000-0x0000000075231000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2788-50-0x0000000074C80000-0x0000000075231000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2788-1-0x0000000074C80000-0x0000000075231000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2788-49-0x0000000074C82000-0x0000000074C83000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3136-14-0x0000000074C80000-0x0000000075231000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3136-20-0x0000000074C80000-0x0000000075231000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3136-21-0x0000000074C80000-0x0000000075231000-memory.dmp

      Filesize

      5.7MB

      Download