Analysis

  • max time kernel
    13s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/07/2024, 16:38

General

  • Target

    63f2fc876c09c7a6a1700612e479f251_JaffaCakes118.exe

  • Size

    668KB

  • MD5

    63f2fc876c09c7a6a1700612e479f251

  • SHA1

    36acdc5c72b3159ce9b2764259a3c208ff2d4f54

  • SHA256

    4a2b8775c52b3594c1e8889afdf96c1477853d5b912b3ede8248fa306da74bcd

  • SHA512

    9bdd352918b393a5a8d39f0b1535cea00f21a2127ebaca992dc159895549a6b5c7efe057442831d959dc7fdc166f5d3e5a9b77dd50fa0899c9abe117542e6647

  • SSDEEP

    12288:+oiyf03HDkrzviq6C09GZPQcxaBOzcL75WmnTKWfg0wxXSjqT9tMM/GU9fWXaFQI:+oIHgnq5IOKFQB2Fakn

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
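Two things in this report can be checked on a copy of the file before it is ever detonated: the digest set in General, and the "UPX packed file" signature, which is a static property of the PE section table. The following is an added Python example written for this page, not code from the sandbox or its signature engine. It computes the same four digests with hashlib, walks the COFF section table to flag the UPX0/UPX1 section names the stock UPX packer leaves behind, and exercises the parser on a constructed, minimal MZ/PE skeleton built inline (it is not the sample, so its digests will not match the report; the skeleton and its section names are assumptions for the demonstration).

```python
import hashlib
import struct

# Digests listed in the report's General section for the sample
REPORT_HASHES = {
    "md5": "63f2fc876c09c7a6a1700612e479f251",
    "sha1": "36acdc5c72b3159ce9b2764259a3c208ff2d4f54",
    "sha256": "4a2b8775c52b3594c1e8889afdf96c1477853d5b912b3ede8248fa306da74bcd",
    "sha512": "9bdd352918b393a5a8d39f0b1535cea00f21a2127ebaca992dc159895549a6b5c7efe057442831d959dc7fdc166f5d3e5a9b77dd50fa0899c9abe117542e6647",
}


def file_hashes(data: bytes) -> dict:
    """Return the same four digests the report lists, keyed by algorithm name."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in REPORT_HASHES}


def matches_report(data: bytes) -> bool:
    """True only if every digest matches; any single mismatch means it is not this sample."""
    computed = file_hashes(data)
    return all(computed[alg] == digest for alg, digest in REPORT_HASHES.items())


def pe_section_names(data: bytes) -> list:
    """Parse the COFF section table and return the section names in file order."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header after the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes; the 8-byte name comes first
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """Stock UPX names its sections UPX0/UPX1 (plus .rsrc).

    A packer that renames sections defeats this check, so False means
    'not stock UPX', not 'unpacked'."""
    return any(name.startswith("UPX") for name in pe_section_names(data))


def build_fake_pe(section_names) -> bytes:
    """Constructed test input: a minimal MZ/PE skeleton with the given section names.

    It carries no code and is not loadable; it exists only to exercise the parser."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xE0  # size of a PE32 optional header, left zeroed here
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0)
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(dos) + coff + b"\0" * opt_size + sections


if __name__ == "__main__":
    sample = build_fake_pe(["UPX0", "UPX1", ".rsrc"])
    print("sections:", pe_section_names(sample))
    print("UPX-style section names:", looks_upx_packed(sample))
    print("matches report digests:", matches_report(sample))
```

On a real copy of the sample, read the file with `open(path, "rb").read()` and pass the bytes to `matches_report` and `looks_upx_packed`; the report's SSDEEP value is not reproduced here because fuzzy hashing needs the separate ssdeep library.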

Processes

  • C:\Users\Admin\AppData\Local\Temp\63f2fc876c09c7a6a1700612e479f251_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\63f2fc876c09c7a6a1700612e479f251_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2304
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops file in Drivers directory
      • Checks BIOS information in registry
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2268
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\SysWOW64\explorer.exe"
        3⤵
        PID:2640
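The tree above shows the sample (PID 2304, flagged for SetThreadContext and WriteProcessMemory) starting vbc.exe, the Visual Basic .NET compiler, with no arguments at all; that vbc.exe instance then carries the persistence and reconnaissance behaviour and spawns explorer.exe. A compiler launched with nothing to compile, by a process running from a user's Temp directory, is the shape of process hollowing, and it can be hunted in process-creation telemetry without knowing anything about the payload. Below is an added Python example written for this page, not part of the report or the sandbox's own detection logic: it encodes those checks and runs them over a constructed set of process-creation records that mirror the tree above plus one benign msbuild-driven compile. The BUILD_TOOLS allow-list, the user-writable directory list, the benign record and the record layout are assumptions for the example, not values taken from the report.

```python
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (the fields a Sysmon Event ID 1 would carry)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Assumed allow-list of parents that legitimately invoke the VB.NET compiler
BUILD_TOOLS = {"msbuild.exe", "devenv.exe", "vbcscompiler.exe", "dotnet.exe"}
# Assumed list of directories a compiler host should not be launched from
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")

# Constructed records mirroring the report's process tree, plus one benign compile (PID 3100)
EVENTS = [
    ProcEvent(2304, 1234,
              r"C:\Users\Admin\AppData\Local\Temp\63f2fc876c09c7a6a1700612e479f251_JaffaCakes118.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\63f2fc876c09c7a6a1700612e479f251_JaffaCakes118.exe"'),
    ProcEvent(2268, 2304,
              r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
              r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"),
    ProcEvent(2640, 2268,
              r"C:\Windows\SysWOW64\explorer.exe",
              r'"C:\Windows\SysWOW64\explorer.exe"'),
    ProcEvent(3100, 3000,
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
              r"vbc.exe /noconfig /out:app.dll Module1.vb"),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def has_arguments(cmdline: str) -> bool:
    # posix=False keeps Windows backslashes intact and treats the quoted image path as one token
    return len(shlex.split(cmdline, posix=False)) > 1


def analyse(events) -> dict:
    """Return {pid: [reasons]} for every record that trips a vbc.exe hollowing check."""
    by_pid = {e.pid: e for e in events}
    findings = {}
    for e in events:
        reasons = []
        parent = by_pid.get(e.ppid)  # None when the parent was not captured
        if basename(e.image) == "vbc.exe":
            if not has_arguments(e.cmdline):
                reasons.append("vbc.exe started with no compiler arguments")
            if parent and basename(parent.image) not in BUILD_TOOLS:
                reasons.append(f"vbc.exe parent is {basename(parent.image)}, not a build tool")
            if parent and any(d in parent.image.lower() for d in USER_WRITABLE):
                reasons.append("vbc.exe parent runs from a user-writable directory")
        if parent and basename(parent.image) == "vbc.exe" and basename(e.image) == "explorer.exe":
            reasons.append("explorer.exe spawned by vbc.exe")
        if reasons:
            findings[e.pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in analyse(EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

PID 2268 trips all three vbc.exe checks and PID 2640 the child check, while the benign compile passes because its command line carries source and output arguments. The argument check is the cheapest and most general of the four: it holds for any framework binary abused as a hollowing host, not only vbc.exe.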

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2268-17-0x0000000000400000-0x00000000004B5000-memory.dmp (724KB)
  • memory/2268-15-0x0000000000400000-0x00000000004B5000-memory.dmp (724KB)
  • memory/2268-33-0x0000000000400000-0x00000000004B5000-memory.dmp (724KB)
  • memory/2268-3-0x0000000000400000-0x00000000004B5000-memory.dmp (724KB)
  • memory/2268-13-0x0000000000400000-0x00000000004B5000-memory.dmp (724KB)
  • memory/2268-12-0x0000000000400000-0x00000000004B5000-memory.dmp (724KB)
  • memory/2268-11-0x0000000000400000-0x00000000004B5000-memory.dmp (724KB)
  • memory/2268-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (4KB)
  • memory/2268-7-0x0000000000400000-0x00000000004B5000-memory.dmp (724KB)
  • memory/2268-5-0x0000000000400000-0x00000000004B5000-memory.dmp (724KB)
  • memory/2268-16-0x0000000000400000-0x00000000004B5000-memory.dmp (724KB)
  • memory/2268-18-0x0000000000400000-0x00000000004B5000-memory.dmp (724KB)
  • memory/2268-20-0x0000000000400000-0x00000000004B5000-memory.dmp (724KB)
  • memory/2268-19-0x0000000000400000-0x00000000004B5000-memory.dmp (724KB)
  • memory/2304-14-0x00000000748B0000-0x0000000074E5B000-memory.dmp (5.7MB)
  • memory/2304-0-0x00000000748B1000-0x00000000748B2000-memory.dmp (4KB)
  • memory/2304-1-0x00000000748B0000-0x0000000074E5B000-memory.dmp (5.7MB)
  • memory/2304-2-0x00000000748B0000-0x0000000074E5B000-memory.dmp (5.7MB)
  • memory/2640-29-0x0000000000400000-0x000000000051E000-memory.dmp (1.1MB)
  • memory/2640-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (4KB)
  • memory/2640-25-0x0000000000400000-0x000000000051E000-memory.dmp (1.1MB)