Overview

overview

10

Static

static

10

460a54a249...18.exe

windows7-x64

10

460a54a249...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/07/2024, 13:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    460a54a2494603102b7b86afeb11a89c_JaffaCakes118.exe

  • Size

    808KB

  • MD5

    460a54a2494603102b7b86afeb11a89c

  • SHA1

    5ed8881b620fc408764e77e95ce7bef8c41b531d

  • SHA256

    379f02a6c2c3fd95ea8079da6564125a77720256061e562b7c7897a17c021d7e

  • SHA512

    a83423ecb164ec30e25fdea09cba1bc73b7ae6ca8c249584dbbaae2fdac55a77872e716855aed9935bf2c01db77f602f705ec2d19feaa4cba824fa34d12d65d5

  • SSDEEP

    12288:W6A84PaHhfD/tV9sj5NKR0pau9XGyu2qBVGLQyTPfhvK2m:7AmBpVKHu0Mu9Xo20VGLVP5vK

Score
10/10
darkcometevasionrattrojan

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 26 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\460a54a2494603102b7b86afeb11a89c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\460a54a2494603102b7b86afeb11a89c_JaffaCakes118.exe"
    1⤵
    • Modifies security service
    • Windows security bypass
    • Checks computer location settings
    • Windows security modification
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3252
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\460a54a2494603102b7b86afeb11a89c_JaffaCakes118.exe" +s +h
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2072
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Users\Admin\AppData\Local\Temp\460a54a2494603102b7b86afeb11a89c_JaffaCakes118.exe" +s +h
        3⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:3560
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2476
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        3⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:3576
    • C:\Users\Admin\AppData\Local\Temp\PHOTOSHOPCS5EXTENDED EDITION_KEYGEN.EXE
      "C:\Users\Admin\AppData\Local\Temp\PHOTOSHOPCS5EXTENDED EDITION_KEYGEN.EXE"
      2⤵
      • Executes dropped EXE
      PID:4844
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x510 0x50c
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2196

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\PHOTOSHOPCS5EXTENDED EDITION_KEYGEN.EXE
    Filesize

    61KB

    MD5

    b6ac9256dc2c68751facf49b48ffe16e

    SHA1

    99137f9c21403db6a0c4db70f9c4adca28f46447

    SHA256

    e11434558518a2b9a43ce0857e1149c927916c208931f6c3a03a921a307ad628

    SHA512

    69e5eae1595f07c1015760c14e36e47f66030e0a584668579cdbc364033070339bbc1fae3714730fc5ce671d40180dad9a83b984257a9d5390ff70698f7295b6

    Download Submit

  • memory/3252-14-0x0000000000400000-0x00000000004DB000-memory.dmp

    Filesize

    876KB

    Download

  • memory/3252-0-0x00000000022A0000-0x00000000022A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3252-10-0x0000000000400000-0x00000000004DB000-memory.dmp

    Filesize

    876KB

    Download

  • memory/4844-20-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

    Download

  • memory/4844-22-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

    Download

  • memory/4844-11-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

    Download

  • memory/4844-15-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

    Download

  • memory/4844-16-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

    Download

  • memory/4844-18-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

    Download

  • memory/4844-9-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

    Download

  • memory/4844-13-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

    Download

  • memory/4844-25-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

    Download

  • memory/4844-26-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

    Download

  • memory/4844-28-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

    Download

  • memory/4844-30-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

    Download

  • memory/4844-32-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

    Download

  • memory/4844-35-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

    Download

  • memory/4844-36-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

    Download

  • memory/4844-38-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

    Download