Overview

overview

10

Static

static

10

1f515e3870...18.exe

windows7-x64

10

1f515e3870...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-07-2024 12:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1f515e387041e92f55fda67c641e404c_JaffaCakes118.exe

  • Size

    281KB

  • MD5

    1f515e387041e92f55fda67c641e404c

  • SHA1

    e5e3f0b8341fe70fdaa2261c05bb038fd2a12ece

  • SHA256

    1813a3cbd2ce370e1cfb072b0e48c198840e3bff70d916dd1094c0a0ce29a897

  • SHA512

    154c7958923169a2bbfd6059e1b6c037a65609f201947fe4f05e13ddb787dbd8a3ee6edf2d07a5c18c4fc206f911e8fa3f0568a1c0769cbcb50e2c80f8631bdd

  • SSDEEP

    6144:j1iJcYtR1HsvpSHY7KoSrfTNBuzZZcA1wnOLrMM4Qov:jkHcpSHY7VSrfT2/czO3HKv

Score
10/10
darkcometlatentbotevasionpersistencerattrojanupx

Malware Config

Extracted

Family

latentbot

C2

kckconexant.zapto.org

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • LatentBot

    Modular trojan written in Delphi which has been in-the-wild since 2013.

    trojanlatentbot
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies firewall policy service 3 TTPs 3 IoCs
    evasion
  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1f515e387041e92f55fda67c641e404c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1f515e387041e92f55fda67c641e404c_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks BIOS information in registry
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4584
    • C:\Windows\SysWOW64\notepad.exe
      notepad
      2⤵
      • Adds Run key to start application
      PID:2944
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      2⤵
      • Modifies firewall policy service
      • Modifies security service
      • Windows security bypass
      • Checks BIOS information in registry
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2352
      • C:\Windows\SysWOW64\notepad.exe
        C:\Windows\SysWOW64\notepad.exe
        3⤵
          PID:116

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/116-13-0x00000000006C0000-0x00000000006C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2352-10-0x0000000013140000-0x000000001320F000-memory.dmp

      Filesize

      828KB

      Download

    • memory/2352-15-0x0000000013140000-0x000000001320F000-memory.dmp

      Filesize

      828KB

      Download

    • memory/2352-6-0x0000000013140000-0x000000001320F000-memory.dmp

      Filesize

      828KB

      Download

    • memory/2352-7-0x0000000013140000-0x000000001320F000-memory.dmp

      Filesize

      828KB

      Download

    • memory/2352-8-0x0000000013140000-0x000000001320F000-memory.dmp

      Filesize

      828KB

      Download

    • memory/2352-18-0x0000000013140000-0x000000001320F000-memory.dmp

      Filesize

      828KB

      Download

    • memory/2352-14-0x0000000013140000-0x000000001320F000-memory.dmp

      Filesize

      828KB

      Download

    • memory/2352-16-0x0000000013140000-0x000000001320F000-memory.dmp

      Filesize

      828KB

      Download

    • memory/2352-17-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2352-9-0x0000000013140000-0x000000001320F000-memory.dmp

      Filesize

      828KB

      Download

    • memory/2944-3-0x0000000000B60000-0x0000000000B61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4584-12-0x0000000013140000-0x000000001320F000-memory.dmp

      Filesize

      828KB

      Download

    • memory/4584-1-0x0000000000A50000-0x0000000000A51000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4584-0-0x0000000013140000-0x000000001320F000-memory.dmp

      Filesize

      828KB

      Download