Overview

overview

10

Static

static

7

2757f76e73...18.exe

windows7-x64

10

2757f76e73...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    08/10/2024, 23:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2757f76e73f89a394adf37eb339e6c70_JaffaCakes118.exe

  • Size

    1.4MB

  • MD5

    2757f76e73f89a394adf37eb339e6c70

  • SHA1

    4cc4c9df20096da522837e090df80e64acd9d09c

  • SHA256

    702cf7fee8a42c80e295d6629f564bae2075f152415fe1c2756c35fa8d71b322

  • SHA512

    abc0689984c20c7a8d6922ec9403288630dbb0032b6d0e6613579c48d12038e4ac41df6430db4e5608a1bbb44a1cc24f8b8b982a4fa45c29de373fd1c52c8064

  • SSDEEP

    24576:TuqOgwfRJz5LEHyxoR9yLE8QOXXncn5GJMD0QZh9uRcHo8ChYY5nQe:TuqOgYRJzdEH3Senn5WXRcHoD3

Score
10/10
darkcometdiscoveryevasionpersistenceratthemidatrojan

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Checks BIOS information in registry 2 TTPs 6 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 3 IoCs
  • Identifies Wine through registry keys 2 TTPs 3 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 4 IoCs
  • Themida packer 38 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 12 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2757f76e73f89a394adf37eb339e6c70_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2757f76e73f89a394adf37eb339e6c70_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2624
    • C:\Windows\SysWOW64\notepad.exe
      notepad
      2⤵
      • Adds Run key to start application
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:2880
    • C:\Users\Admin\AppData\Local\Temp\NOTEPAD.EXE
      "C:\Users\Admin\AppData\Local\Temp\NOTEPAD.EXE"
      2⤵
      • Executes dropped EXE
      PID:2596
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      2⤵
      • Checks BIOS information in registry
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2960
      • C:\Users\Admin\AppData\Local\Temp\NOTEPAD.EXE
        "C:\Users\Admin\AppData\Local\Temp\NOTEPAD.EXE"
        3⤵
        • Executes dropped EXE
        PID:1496
    • C:\Windows\Windupdt\svchost.exe
      "C:\Windows\Windupdt\svchost.exe"
      2⤵
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:536

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\NOTEPAD.EXE
    Filesize

    189KB

    MD5

    f2c7bb8acc97f92e987a2d4087d021b1

    SHA1

    7eb0139d2175739b3ccb0d1110067820be6abd29

    SHA256

    142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2

    SHA512

    2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8

    Download Submit

  • \Windows\Windupdt\svchost.exe
    Filesize

    1.4MB

    MD5

    2757f76e73f89a394adf37eb339e6c70

    SHA1

    4cc4c9df20096da522837e090df80e64acd9d09c

    SHA256

    702cf7fee8a42c80e295d6629f564bae2075f152415fe1c2756c35fa8d71b322

    SHA512

    abc0689984c20c7a8d6922ec9403288630dbb0032b6d0e6613579c48d12038e4ac41df6430db4e5608a1bbb44a1cc24f8b8b982a4fa45c29de373fd1c52c8064

    Download Submit

  • memory/536-95-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2624-0-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2624-1-0x0000000013141000-0x00000000131F2000-memory.dmp

    Filesize

    708KB

    Download

  • memory/2624-2-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2624-93-0x0000000013141000-0x00000000131F2000-memory.dmp

    Filesize

    708KB

    Download

  • memory/2624-86-0x0000000007540000-0x000000000773F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2624-89-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2624-87-0x0000000007540000-0x000000000773F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2880-4-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2880-30-0x0000000000200000-0x0000000000201000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2960-58-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2960-49-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2960-67-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2960-66-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2960-65-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2960-64-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2960-62-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2960-61-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2960-60-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2960-59-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2960-52-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2960-57-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2960-56-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2960-55-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2960-54-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2960-53-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2960-51-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2960-69-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2960-48-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2960-47-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2960-68-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2960-63-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2960-46-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2960-70-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2960-71-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2960-72-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2960-50-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2960-40-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2960-43-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2960-44-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2960-90-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2960-45-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2960-38-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2960-96-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download