Overview

overview

10

Static

static

5

21066c00de...18.exe

windows7-x64

10

21066c00de...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/10/2024, 10:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    21066c00de752ffa1fe224ba7fc5853c_JaffaCakes118.exe

  • Size

    760KB

  • MD5

    21066c00de752ffa1fe224ba7fc5853c

  • SHA1

    05fa88cf992a0a5c3872a5a3814e82de21c398e0

  • SHA256

    004c48195399bc6471e98e129bf98e7a6d21560107fcdb2ac58c7644770e4112

  • SHA512

    de1d800ce0510817ce5eff866a43eb2439d8309ba5e27e23b45bedd3649685d781e4f34ccb7a5c86bf17698c54d843f7b07cd4d68446ffd5c9bae5cf6e070b1f

  • SSDEEP

    12288:h4dMRU/UP4heFjLDFtvoSZiUXZRY49SA7GI/p7a6o2Mhi9Byu8QFIAaWfaydp9pB:qwU/UwhWv1XZpSRSJo2xByuPIA7Pdp9b

Score
10/10
darkcometdiscoveryrattrojanupx

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Executes dropped EXE 2 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 26 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\21066c00de752ffa1fe224ba7fc5853c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\21066c00de752ffa1fe224ba7fc5853c_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3544
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\7za.exe" "x" "-y" "C:\Users\Admin\AppData\Roaming\Server.7z" "-pHVLnt5Dy""
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3776
      • C:\Users\Admin\AppData\Roaming\7za.exe
        "C:\Users\Admin\AppData\Roaming\7za.exe" "x" "-y" "C:\Users\Admin\AppData\Roaming\Server.7z" "-pHVLnt5Dy"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:580
    • C:\Users\Admin\AppData\Roaming\Server.exe
      C:\Users\Admin\AppData\Roaming\Server.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2632

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Server.exe
    Filesize

    224KB

    MD5

    e3afe3da16ae5a60ca61a3ad05a2a0a8

    SHA1

    e9be371ec434dbc617541ff8a0cc7f3cd4dc5e40

    SHA256

    a5ebb2c8b1cf3c4fef62bf6f70c2fa5a89f6cc39994239ef176980172df93022

    SHA512

    c04f1cb701c70ecd79d4e29ddd99cac3a3fb36214b59e285eeeeba8fdaf21a8cac74cec7bd6fe7d96946dd5e031cfe7a93aa6eea9af8d47bd234501cd865a452

    Download Submit

  • C:\Users\Admin\AppData\Roaming\7za.exe
    Filesize

    574KB

    MD5

    42badc1d2f03a8b1e4875740d3d49336

    SHA1

    cee178da1fb05f99af7a3547093122893bd1eb46

    SHA256

    c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

    SHA512

    6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Server.7z
    Filesize

    224KB

    MD5

    4d2f2b38dab211c715a08d5904325f6d

    SHA1

    eec185bdc7d2a4774d2aa1c62d1ece95a9de3e69

    SHA256

    5ca238fab814e7a3447ceb0ea7bf080cad4e8ebd40b031c3193af2e16c548ac8

    SHA512

    4d620e5d1e9ea9bcee138ad7fedf77811184f5b7b0d661e0eaa661158266c0c66e1c50765a77f1254d3c28bd64b4690ac94b973af17bb817608aebead26610c9

    Download Submit

  • memory/2632-22-0x00000000022C0000-0x00000000022C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2632-14-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

    Download

  • memory/2632-15-0x00000000005B0000-0x00000000005B3000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2632-16-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

    Download

  • memory/2632-17-0x00000000022C0000-0x00000000022C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2632-19-0x00000000005B0000-0x00000000005B3000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2632-21-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

    Download

  • memory/2632-23-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

    Download

  • memory/2632-33-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

    Download

  • memory/2632-35-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

    Download

  • memory/3544-18-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

    Download

  • memory/3544-20-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

    Download

  • memory/3544-0-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

    Download