Analysis

  • max time kernel: 148s
  • max time network: 150s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240709-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 22/07/2024, 22:31

General

  • Target: 650e8eebea969067fdde31da20d9b0ba_JaffaCakes118.exe
  • Size: 723KB
  • MD5: 650e8eebea969067fdde31da20d9b0ba
  • SHA1: 710f976b524504e65d01ddb947a7bb756a9e1fd6
  • SHA256: dc2bbbadf241dc21246ca32daaea5abcef6c5141ca83cbb863c48e6d4b17646e
  • SHA512: b41a26c3c62d9b0e21310916a09d762d93ab94edfdf410b4b254655489cdde92c7719fb866ff37ce8c6bae6f1517252071053a36f727dc6c0faf2551a8753029
  • SSDEEP: 12288:gFLlJnnbWOtz6sVJhvaz1Qc/WdI//vfM4qwrbkniafLo6vUTyl0w/q9jJO:Q3nbWmJVJFwSddIXvfhqbiaxvRxq94

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  • Modifies firewall policy service (3 TTPs, 6 IoCs)
  • Sets file to hidden (1 TTP, 1 IoC)

    Modifies file attributes to stop the file showing in Explorer and similar tools.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE (1 IoC)
  • Adds Run key to start application (2 TTPs, 3 IoCs)
  • Suspicious use of SetThreadContext (1 IoC)
  • Drops file in Windows directory (3 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (14 IoCs)
  • Views/modifies file attributes (1 TTP, 1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\650e8eebea969067fdde31da20d9b0ba_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\650e8eebea969067fdde31da20d9b0ba_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1120
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2028
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Users\Admin\AppData\Local\Temp\650e8eebea969067fdde31da20d9b0ba_JaffaCakes118.exe" +s +h
        3⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:1336
    • C:\Windows\MSWINST\mswinstat.exe
      "C:\Windows\MSWINST\mswinstat.exe"
      2⤵
      • Modifies firewall policy service
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:472
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies firewall policy service
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2600

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat
    Filesize: 101B
    MD5: 996f0aaed9af6625ed3e623c73d2965d
    SHA1: cbd202d3723fe64b4455cb25bbeab4dab018fea2
    SHA256: 3f191bad7339a018fb0022c72759a6526e2f961154fbdd16ec7942f83930521b
    SHA512: dbfb3fae42f0f65956173293acbf816ed0625d6297deb1046c513512bd969c8494d1f3e253bd1ee7ba30f7394b9a78fd8d869ff75aa3ce13b6e61d054b8c6b3d

  • C:\Windows\MSWINST\mswinstat.exe
    Filesize: 723KB
    MD5: 650e8eebea969067fdde31da20d9b0ba
    SHA1: 710f976b524504e65d01ddb947a7bb756a9e1fd6
    SHA256: dc2bbbadf241dc21246ca32daaea5abcef6c5141ca83cbb863c48e6d4b17646e
    SHA512: b41a26c3c62d9b0e21310916a09d762d93ab94edfdf410b4b254655489cdde92c7719fb866ff37ce8c6bae6f1517252071053a36f727dc6c0faf2551a8753029

  • memory/472-67-0x0000000002720000-0x0000000002721000-memory.dmp
    Filesize: 4KB

  • memory/472-69-0x0000000000400000-0x00000000004C3000-memory.dmp
    Filesize: 780KB

  • memory/1120-0-0x00000000007D0000-0x00000000007D1000-memory.dmp
    Filesize: 4KB

  • memory/1120-66-0x0000000000400000-0x00000000004C3000-memory.dmp
    Filesize: 780KB

  • memory/2600-68-0x0000000000400000-0x00000000004C3000-memory.dmp
    Filesize: 780KB