Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    22/07/2024, 19:04

General

  • Target

    646ae77a2a1e3b77d67f3fbfbad0c196_JaffaCakes118.exe

  • Size

    658KB

  • MD5

    646ae77a2a1e3b77d67f3fbfbad0c196

  • SHA1

    ef127099b6ed542a5ade8ce84ce0ba3959e146b4

  • SHA256

    0af3bcc26eecebcc4e5c86819edf001bbc09db78c2e6b83160293312c4a37ef7

  • SHA512

    b20bcba6433853f81a0a070502b848db93dca155b8aa8d1217b251a0fd07942c0624118e9eb1490ffae0f8993b3eef999820076db1c368484f357e5e9d27af80

  • SSDEEP

    12288:SJWWV9azog1UtQC9A9toG6MgkNTIoj8lTowJ1nmVPvx99v7sQejQLNIGJEKt:SJWWu8PQRBBN8Z85RjsQVIO

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\646ae77a2a1e3b77d67f3fbfbad0c196_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\646ae77a2a1e3b77d67f3fbfbad0c196_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2672
    • C:\Users\Admin\AppData\Local\Temp\646ae77a2a1e3b77d67f3fbfbad0c196_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\646ae77a2a1e3b77d67f3fbfbad0c196_JaffaCakes118.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Windows security bypass
      • Checks BIOS information in registry
      • Windows security modification
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1280
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\SysWOW64\explorer.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2836
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 236
          4⤵
          • Program crash
          PID:2628

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1280-2-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

  • memory/1280-14-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

  • memory/1280-19-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

  • memory/1280-34-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

  • memory/1280-17-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

  • memory/1280-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/1280-12-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

  • memory/1280-10-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

  • memory/1280-7-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

  • memory/1280-20-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

  • memory/1280-8-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

  • memory/1280-0-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

  • memory/1280-4-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

  • memory/1280-23-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

  • memory/1280-22-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

  • memory/1280-21-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

  • memory/2672-18-0x0000000000400000-0x00000000004AC000-memory.dmp

    Filesize

    688KB

  • memory/2836-28-0x0000000000400000-0x00000000004AC000-memory.dmp

    Filesize

    688KB

  • memory/2836-35-0x0000000000400000-0x00000000004AC000-memory.dmp

    Filesize

    688KB

  • memory/2836-33-0x0000000000400000-0x00000000004AC000-memory.dmp

    Filesize

    688KB

  • memory/2836-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2836-24-0x0000000000400000-0x00000000004AC000-memory.dmp

    Filesize

    688KB