Analysis Overview
SHA256
53ecb9edade4262d5837c9fa4e1bc3dfa4fee2a2d4b3469caefe1345cfdd89dc
Threat Level: Known bad
The file 741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Darkcomet
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-26 12:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-26 12:48
Reported
2024-07-26 13:29
Platform
win7-20240708-en
Max time kernel
121s
Max time network
128s
Signatures
Darkcomet
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3032 set thread context of 2020 | N/A | C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe
Network
Files
\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe
| MD5 | 741f2201d2eed8facfa78ef34bb86ee4 |
| SHA1 | 260759e0b822eaf96473eafc97b33653407c97a2 |
| SHA256 | 53ecb9edade4262d5837c9fa4e1bc3dfa4fee2a2d4b3469caefe1345cfdd89dc |
| SHA512 | b88503ed4716e5c6418f787784b3c9a3975e4f6600169732d7e527c9274216056c3fe17cdb7a4b91cd8db1eb6c2c14b78b1f01b495b7ac4b6768c7e6f7cf28af |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-26 12:48
Reported
2024-07-26 13:33
Platform
win10v2004-20240709-en
Max time kernel
148s
Max time network
152s
Signatures
Darkcomet
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3660 set thread context of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3048 -ip 3048
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 12
Network
Files
C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe
| MD5 | 741f2201d2eed8facfa78ef34bb86ee4 |
| SHA1 | 260759e0b822eaf96473eafc97b33653407c97a2 |
| SHA256 | 53ecb9edade4262d5837c9fa4e1bc3dfa4fee2a2d4b3469caefe1345cfdd89dc |
| SHA512 | b88503ed4716e5c6418f787784b3c9a3975e4f6600169732d7e527c9274216056c3fe17cdb7a4b91cd8db1eb6c2c14b78b1f01b495b7ac4b6768c7e6f7cf28af |