Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/07/2024, 17:33

General

  • Target

    641eee36a837e78938443a37bdba829f_JaffaCakes118.exe

  • Size

    484KB

  • MD5

    641eee36a837e78938443a37bdba829f

  • SHA1

    6a270b234c96d1102ede2082ad51a7c9285c749b

  • SHA256

    5e933618f0cca94e548037a4f8e0c3603e1f38175f6bd8085bfb64ed8c5f1a34

  • SHA512

    2e0059582be9648d2bb7143d17d179a335537cebfcef18037a84823d65e01d9b202a4b6d495443a386dab7b7e39b7251bf86640ea351eda070b813e9997ef29c

  • SSDEEP

    6144:8NvQ7ettISBED2zX5AhGU+CLfu5qPZkGSRuq0ud:8NDgSBED27OhqmLSGSRx

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\641eee36a837e78938443a37bdba829f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\641eee36a837e78938443a37bdba829f_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2832
    • C:\Users\Admin\AppData\Local\Temp\641eee36a837e78938443a37bdba829f_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\641eee36a837e78938443a37bdba829f_JaffaCakes118.exe
      2⤵
      • Modifies WinLogon for persistence
      • Checks computer location settings
      • Adds Run key to start application
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3624
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Local\Temp\641eee36a837e78938443a37bdba829f_JaffaCakes118.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1192
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 4
          4⤵
          • Runs ping.exe
          PID:4376
      • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1244
        • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
          C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3644
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
            5⤵
            • Suspicious use of SetThreadContext
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3828
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
              6⤵
              • Adds Run key to start application
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:1624

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

    Filesize

    484KB

    MD5

    641eee36a837e78938443a37bdba829f

    SHA1

    6a270b234c96d1102ede2082ad51a7c9285c749b

    SHA256

    5e933618f0cca94e548037a4f8e0c3603e1f38175f6bd8085bfb64ed8c5f1a34

    SHA512

    2e0059582be9648d2bb7143d17d179a335537cebfcef18037a84823d65e01d9b202a4b6d495443a386dab7b7e39b7251bf86640ea351eda070b813e9997ef29c

  • memory/1244-78-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

  • memory/2832-2-0x0000000000401000-0x0000000000411000-memory.dmp

    Filesize

    64KB

  • memory/2832-5-0x0000000000401000-0x0000000000411000-memory.dmp

    Filesize

    64KB

  • memory/3624-6-0x0000000000400000-0x00000000004B6000-memory.dmp

    Filesize

    728KB

  • memory/3624-7-0x0000000000400000-0x00000000004B6000-memory.dmp

    Filesize

    728KB

  • memory/3624-8-0x0000000000400000-0x00000000004B6000-memory.dmp

    Filesize

    728KB

  • memory/3624-9-0x0000000000400000-0x00000000004B6000-memory.dmp

    Filesize

    728KB

  • memory/3624-4-0x0000000000400000-0x00000000004B6000-memory.dmp

    Filesize

    728KB

  • memory/3624-70-0x0000000000400000-0x00000000004B6000-memory.dmp

    Filesize

    728KB

  • memory/3624-3-0x0000000000400000-0x00000000004B6000-memory.dmp

    Filesize

    728KB

  • memory/3644-81-0x0000000000400000-0x00000000004B6000-memory.dmp

    Filesize

    728KB

  • memory/3644-80-0x0000000000400000-0x00000000004B6000-memory.dmp

    Filesize

    728KB

  • memory/3644-79-0x0000000000400000-0x00000000004B6000-memory.dmp

    Filesize

    728KB

  • memory/3644-84-0x0000000000400000-0x00000000004B6000-memory.dmp

    Filesize

    728KB

  • memory/3644-82-0x0000000000400000-0x00000000004B6000-memory.dmp

    Filesize

    728KB

  • memory/3828-83-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB