Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/07/2024, 18:59

General

  • Target

    6466d57f553e2f1a1fa2b04887cb39f1_JaffaCakes118.exe

  • Size

    733KB

  • MD5

    6466d57f553e2f1a1fa2b04887cb39f1

  • SHA1

    91d78fc011d9cbb2f3e7fe8f74af26e447026320

  • SHA256

    3c02b033d320021a76bb882beea0d2f26c8ae88f9174b012455b4b6e8f1fde7e

  • SHA512

    6df6934886cf9e7d8859ff626eb09db66f449dde780b9d262ed8fd3891e02c7a39524c91265c1a0524541a6d9eb27fc546a549d6338de43059fb4f31374ee100

  • SSDEEP

    12288:TpwABK90BOe/x9lPAYvxPQVjdsAY2XjWlnlpTMzXG91uhKIXn/RG:1wAcu99lPzvxP+Bsz2XjWTRMTckkIXn4

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6466d57f553e2f1a1fa2b04887cb39f1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6466d57f553e2f1a1fa2b04887cb39f1_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks BIOS information in registry
    • Checks computer location settings
    • Adds Run key to start application
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3504
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      2⤵
        PID:3316
      • C:\Windupdt\winupdate.exe
        "C:\Windupdt\winupdate.exe"
        2⤵
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1528
        • C:\Windows\SysWOW64\explorer.exe
          "C:\Windows\SysWOW64\explorer.exe"
          3⤵
            PID:2500

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windupdt\winupdate.exe

        Filesize

        733KB

        MD5

        6466d57f553e2f1a1fa2b04887cb39f1

        SHA1

        91d78fc011d9cbb2f3e7fe8f74af26e447026320

        SHA256

        3c02b033d320021a76bb882beea0d2f26c8ae88f9174b012455b4b6e8f1fde7e

        SHA512

        6df6934886cf9e7d8859ff626eb09db66f449dde780b9d262ed8fd3891e02c7a39524c91265c1a0524541a6d9eb27fc546a549d6338de43059fb4f31374ee100

      • memory/1528-40-0x0000000000400000-0x00000000004C8000-memory.dmp

        Filesize

        800KB

      • memory/1528-42-0x0000000000400000-0x00000000004C8000-memory.dmp

        Filesize

        800KB

      • memory/1528-35-0x00000000006B0000-0x00000000006B1000-memory.dmp

        Filesize

        4KB

      • memory/1528-36-0x0000000000400000-0x00000000004C8000-memory.dmp

        Filesize

        800KB

      • memory/1528-37-0x0000000000400000-0x00000000004C8000-memory.dmp

        Filesize

        800KB

      • memory/1528-38-0x0000000000400000-0x00000000004C8000-memory.dmp

        Filesize

        800KB

      • memory/1528-39-0x0000000000400000-0x00000000004C8000-memory.dmp

        Filesize

        800KB

      • memory/1528-49-0x0000000000400000-0x00000000004C8000-memory.dmp

        Filesize

        800KB

      • memory/1528-48-0x0000000000400000-0x00000000004C8000-memory.dmp

        Filesize

        800KB

      • memory/1528-43-0x0000000000400000-0x00000000004C8000-memory.dmp

        Filesize

        800KB

      • memory/1528-41-0x0000000000400000-0x00000000004C8000-memory.dmp

        Filesize

        800KB

      • memory/1528-44-0x0000000000400000-0x00000000004C8000-memory.dmp

        Filesize

        800KB

      • memory/1528-45-0x0000000000400000-0x00000000004C8000-memory.dmp

        Filesize

        800KB

      • memory/1528-46-0x0000000000400000-0x00000000004C8000-memory.dmp

        Filesize

        800KB

      • memory/1528-47-0x0000000000400000-0x00000000004C8000-memory.dmp

        Filesize

        800KB

      • memory/3504-33-0x0000000000400000-0x00000000004C8000-memory.dmp

        Filesize

        800KB

      • memory/3504-0-0x00000000022C0000-0x00000000022C1000-memory.dmp

        Filesize

        4KB