Analysis

  • max time kernel
    141s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/07/2024, 21:57

General

  • Target

    64f1ca665436b6de17efe57a1a0326e3_JaffaCakes118.exe

  • Size

    724KB

  • MD5

    64f1ca665436b6de17efe57a1a0326e3

  • SHA1

    d384911a2f53cf307890f6c0788a2124f9114e5f

  • SHA256

    5aa6b435bbf4122ecd80e02129bc5629946b470981585bb41aec932e870d202c

  • SHA512

    1f79c1399a82d7eedf611e778b9b22f9f26426cb1eb587d00c9797722c47acff5f94d8369af0850f6d1cd6c07ed3c64f34657fe4ec521516e3a2518206a42bbb

  • SSDEEP

    12288:gFLlJnnbWOtz6sVJhvaz1Qc/WdI//vfM4qwrbkniafLo6vUTyl0w/q9jJT:Q3nbWmJVJFwSddIXvfhqbiaxvRxq9N

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\64f1ca665436b6de17efe57a1a0326e3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\64f1ca665436b6de17efe57a1a0326e3_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1052
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
      2⤵
      PID:2368
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
      2⤵
      PID:2724
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 632
      2⤵
      • Program crash
      PID:2452

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat

    Filesize

    101B

    MD5

    3dc3c41cbda9ea24d0b0c921fd1e8fcb

    SHA1

    b689dad610ea2149d3da78344881c68f1afdf260

    SHA256

    a90ce1d0ec528978483ed8eff71957657667398bf126e014ead019a629c7489a

    SHA512

    b972661ed41f5d690684ed9849c247c004b09a2eb875c52951e9c6b28e984e68b67246e7ca9ecdeac925f297aebf774bd17f20f2f5492a297911622b286a1e46

  • C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat

    Filesize

    50B

    MD5

    b774ae3fb1da087e1f83b4f7b2060e5a

    SHA1

    97eb9be49ac3af9c851c9e1e84e32bfd53e325a8

    SHA256

    adaf4a84b41e410b02e261cfd0fe7739d98647eab73c3badd32ac6e39f26351b

    SHA512

    f75d0f95f7306d26a12b414bfe37b97fbd37546cb3c6e403def7077329ddffb4b45d5c5f0ba0e7bb6d72851d2d691b0a85267beead42f7cbf2e8c3d45a3b4701

  • memory/1052-0-0x0000000000250000-0x0000000000251000-memory.dmp

    Filesize

    4KB

  • memory/1052-21-0x0000000000400000-0x00000000004C3000-memory.dmp

    Filesize

    780KB