Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/07/2024, 16:32

General

  • Target
    63ef0345e13c18cb0678e3f02a6d73ec_JaffaCakes118.exe
  • Size
    900KB
  • MD5
    63ef0345e13c18cb0678e3f02a6d73ec
  • SHA1
    36447d8e0ae1700a67c516137169e8ead9a78003
  • SHA256
    dad7e8970d66932f9ec8a877164854ef92e4cfa821faa3a092aa374680bd10a0
  • SHA512
    ad6e529569ff4167362ced1f6dd627457a74c11cc6b9b9ae332f3efe28fd7a058b5e7eb9c11fe3e8ae7c039b546a85b2cec967196b8dfec1e4fbbd64e3f56015
  • SSDEEP
    12288:RMYIWfFq6mgOmJbJPTLUfkF1w8fbN3+J86FMSaJ/q3NSo76ZBvu6Yoa/TBiFrO+z:RX3CkF1w8T1+J86F/uq3Mo6ZYoatE

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\63ef0345e13c18cb0678e3f02a6d73ec_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\63ef0345e13c18cb0678e3f02a6d73ec_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2548
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\matrix.bat" "
      2⤵
        PID:2432
      • C:\Users\Admin\AppData\Local\Temp\test ‮.scr.exe
        "C:\Users\Admin\AppData\Local\Temp\test ‮.scr.exe"
        2⤵
        • Modifies WinLogon for persistence
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2216
        • C:\Windows\SysWOW64\notepad.exe
          notepad
          3⤵
          • Adds Run key to start application
          PID:2464
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 452
          3⤵
          • Loads dropped DLL
          • Program crash
          PID:2924

Downloads

  • C:\Users\Admin\AppData\Local\Temp\matrix.bat
    Filesize
    498B
    MD5
    82c80b9371a77dea5dae7be0465e12ec
    SHA1
    352c293197f06d61af414990e4e12e716779bb28
    SHA256
    2d0992c371d04241a42091bc513cddfcc0a50c65d03cb4f1bb0d5a255b908801
    SHA512
    bd226a353b156a684d402aab391c7b2a50a231349a9a6750086e3a065d70a5de5dfe908b53e6ef3b79c39390a9fe681efff167837a563053eae173b772892c73

  • C:\Users\Admin\AppData\Local\Temp\test ‮.scr.exe
    Filesize
    659KB
    MD5
    27826851be859cf68fd872f52bf0fda0
    SHA1
    ede13d2ada6448f7d7fba2eb7ae30a4ed2ba6adb
    SHA256
    2cec27c92a4eadd7bb087737718af0cb23c2864065caf7ef5e82c95be32b43b8
    SHA512
    ae3645ea4e03085f670f2228bf1d93d1b1d6bba146c272ef583698b3227423b6dc966e7f613bcc1b135ce16012f20ddf00061fdf487570dc371246871efbe1af

  • memory/2216-18-0x0000000000270000-0x0000000000271000-memory.dmp
    Filesize
    4KB

  • memory/2216-51-0x0000000013140000-0x00000000131F6000-memory.dmp
    Filesize
    728KB

  • memory/2464-46-0x0000000000020000-0x0000000000021000-memory.dmp
    Filesize
    4KB

  • memory/2464-19-0x0000000000080000-0x0000000000081000-memory.dmp
    Filesize
    4KB

  • memory/2548-0-0x000007FEF619E000-0x000007FEF619F000-memory.dmp
    Filesize
    4KB

  • memory/2548-17-0x000007FEF5EE0000-0x000007FEF687D000-memory.dmp
    Filesize
    9.6MB