Overview

overview

10

Static

static

10

778cc94729...18.exe

windows7-x64

10

778cc94729...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    27-07-2024 08:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    778cc947298543f1124f464ea15f3537_JaffaCakes118.exe

  • Size

    811KB

  • MD5

    778cc947298543f1124f464ea15f3537

  • SHA1

    58350434ab2ce5d930224cb65df16194ad70cbd9

  • SHA256

    d3c0716bc99609b4ad5f8eaea5e2c956ece3351c67d49c70c88edaf97d05f459

  • SHA512

    81f2fba1c522e51468de61e5c382977d38ccad03a94cf3d0896cdd408d67e8cfe4295c04f0fc5f1152f4f0356fe4f89927df7c185d30bf0b7c87e6260ccfd67d

  • SSDEEP

    12288:NaAchpWsuVTv7ItY8XljyypHP7cOLBev03hlULsmWZ++09ZcKDVsgd:IAEENIq8XwyVPQclDq/+WnpsS

Score
10/10
darkcometlatentbotdiscoveryevasionrattrojan

Malware Config

Extracted

Family

latentbot

C2

forumdeturkojan.zapto.org

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • LatentBot

    Modular trojan written in Delphi which has been in-the-wild since 2013.

    trojanlatentbot
  • Modifies firewall policy service 3 TTPs 3 IoCs
    evasion
  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 1 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\778cc947298543f1124f464ea15f3537_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\778cc947298543f1124f464ea15f3537_JaffaCakes118.exe"
    1⤵
    • Modifies firewall policy service
    • Modifies security service
    • Windows security bypass
    • Disables RegEdit via registry modification
    • Checks BIOS information in registry
    • Windows security modification
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:2060

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2060-0-0x00000000002B0000-0x00000000002B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2060-1-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

    Download

  • memory/2060-3-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

    Download

  • memory/2060-5-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

    Download

  • memory/2060-7-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

    Download

  • memory/2060-9-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

    Download

  • memory/2060-12-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

    Download

  • memory/2060-14-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

    Download