Analysis Overview
SHA256
b6d774f32aeef2ca1da256b632e71d4c05d0e2a185c8caafbe1b145cf0cdf89d
Threat Level: Known bad
The file 795524a907a4dbc2da64cd1adc05a937_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Darkcomet
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-30 17:10
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-30 17:10
Reported
2024-07-30 17:13
Platform
win10v2004-20240730-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Darkcomet
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-857544305-989156968-2929034274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\795524a907a4dbc2da64cd1adc05a937_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\795524a907a4dbc2da64cd1adc05a937_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\795524a907a4dbc2da64cd1adc05a937_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\795524a907a4dbc2da64cd1adc05a937_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2792 wrote to memory of 4780 | N/A | C:\Users\Admin\AppData\Local\Temp\795524a907a4dbc2da64cd1adc05a937_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\Crypted.exe |
| PID 2792 wrote to memory of 4780 | N/A | C:\Users\Admin\AppData\Local\Temp\795524a907a4dbc2da64cd1adc05a937_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\Crypted.exe |
| PID 2792 wrote to memory of 4780 | N/A | C:\Users\Admin\AppData\Local\Temp\795524a907a4dbc2da64cd1adc05a937_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\Crypted.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\795524a907a4dbc2da64cd1adc05a937_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\795524a907a4dbc2da64cd1adc05a937_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\Crypted.exe
"C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rstown123.no-ip.biz | udp |
| N/A | 127.0.0.1:3081 | N/A | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |
Files
memory/2792-0-0x00000000748F2000-0x00000000748F3000-memory.dmp
memory/2792-1-0x00000000748F0000-0x0000000074EA1000-memory.dmp
memory/2792-2-0x00000000748F0000-0x0000000074EA1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Crypted.exe
| MD5 | a1e21c7d23195a45a2bc874c2f2188a8 |
| SHA1 | 6ce85bfc56a1d43b54c8561b19aedac4dbd7154f |
| SHA256 | a307fa406b177b44f886ef9de3360f4d0de586794355639f682bf69885fb3c0f |
| SHA512 | 352c87d1967941e43af645daaae8b1a0d6b1dfd3035ccb09940fb7ece8e5e606aee2bc743710a0d5dba3403a1ba26a1eeb42021effe119631e05d76a88a7bdc2 |
memory/4780-14-0x0000000002170000-0x0000000002171000-memory.dmp
memory/2792-15-0x0000000001670000-0x0000000001680000-memory.dmp
memory/4780-16-0x0000000000400000-0x00000000004B5000-memory.dmp
memory/2792-17-0x00000000748F2000-0x00000000748F3000-memory.dmp
memory/2792-18-0x00000000748F0000-0x0000000074EA1000-memory.dmp
memory/2792-20-0x0000000001670000-0x0000000001680000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-30 17:10
Reported
2024-07-30 17:13
Platform
win7-20240708-en
Max time kernel
149s
Max time network
122s
Command Line
Signatures
Darkcomet
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\795524a907a4dbc2da64cd1adc05a937_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\795524a907a4dbc2da64cd1adc05a937_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\795524a907a4dbc2da64cd1adc05a937_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Crypted.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\795524a907a4dbc2da64cd1adc05a937_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\795524a907a4dbc2da64cd1adc05a937_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2292 wrote to memory of 336 | N/A | C:\Users\Admin\AppData\Local\Temp\795524a907a4dbc2da64cd1adc05a937_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\Crypted.exe |
| PID 2292 wrote to memory of 336 | N/A | C:\Users\Admin\AppData\Local\Temp\795524a907a4dbc2da64cd1adc05a937_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\Crypted.exe |
| PID 2292 wrote to memory of 336 | N/A | C:\Users\Admin\AppData\Local\Temp\795524a907a4dbc2da64cd1adc05a937_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\Crypted.exe |
| PID 2292 wrote to memory of 336 | N/A | C:\Users\Admin\AppData\Local\Temp\795524a907a4dbc2da64cd1adc05a937_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\Crypted.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\795524a907a4dbc2da64cd1adc05a937_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\795524a907a4dbc2da64cd1adc05a937_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\Crypted.exe
"C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rstown123.no-ip.biz | udp |
| N/A | 127.0.0.1:3081 | N/A | tcp |
Files
memory/2292-0-0x00000000745A1000-0x00000000745A2000-memory.dmp
memory/2292-1-0x00000000745A0000-0x0000000074B4B000-memory.dmp
memory/2292-2-0x00000000745A0000-0x0000000074B4B000-memory.dmp
\Users\Admin\AppData\Local\Temp\Crypted.exe
| MD5 | a1e21c7d23195a45a2bc874c2f2188a8 |
| SHA1 | 6ce85bfc56a1d43b54c8561b19aedac4dbd7154f |
| SHA256 | a307fa406b177b44f886ef9de3360f4d0de586794355639f682bf69885fb3c0f |
| SHA512 | 352c87d1967941e43af645daaae8b1a0d6b1dfd3035ccb09940fb7ece8e5e606aee2bc743710a0d5dba3403a1ba26a1eeb42021effe119631e05d76a88a7bdc2 |
memory/336-12-0x0000000000260000-0x0000000000261000-memory.dmp
memory/336-13-0x0000000000400000-0x00000000004B5000-memory.dmp
memory/2292-15-0x00000000745A0000-0x0000000074B4B000-memory.dmp
memory/336-14-0x0000000000400000-0x00000000004B5000-memory.dmp
memory/336-16-0x0000000000400000-0x00000000004B5000-memory.dmp
memory/336-17-0x0000000000400000-0x00000000004B5000-memory.dmp
memory/336-18-0x0000000000400000-0x00000000004B5000-memory.dmp
memory/336-19-0x0000000000400000-0x00000000004B5000-memory.dmp
memory/336-20-0x0000000000400000-0x00000000004B5000-memory.dmp
memory/336-21-0x0000000000400000-0x00000000004B5000-memory.dmp
memory/336-22-0x0000000000400000-0x00000000004B5000-memory.dmp
memory/336-23-0x0000000000400000-0x00000000004B5000-memory.dmp
memory/336-24-0x0000000000400000-0x00000000004B5000-memory.dmp
memory/336-25-0x0000000000400000-0x00000000004B5000-memory.dmp
memory/336-26-0x0000000000400000-0x00000000004B5000-memory.dmp
memory/336-27-0x0000000000400000-0x00000000004B5000-memory.dmp