Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-10-2024 20:02

General

  • Target

    43f37415ce56073c5259ee06325c9561_JaffaCakes118.exe

  • Size

    374KB

  • MD5

    43f37415ce56073c5259ee06325c9561

  • SHA1

    9a52363cc87982db4389e66afc23d3d5b19ca120

  • SHA256

    f977ef11e8cafc36f65eac224eb6beb3da9e210376f529ab193e55e9d9b689a4

  • SHA512

    23cd1519ce284497f5ff6155415ae5fc137ea4346490ddc48b4760f85350b680b9de8a7d7f46beb1587ba8e996fe4316c10c2fa5f4c09ae9bcaf923b3d42867a

  • SSDEEP

    6144:CMjLpLlFnV2VsUqiifR55Aj4wWHA90EVb2/1T6LHcGQ2s8Yg6FxOp63RPE9YG8yH:vt8VtqiifjOj4wWcLbY6zRo8COpExgYG

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX or with a modified build of the open-source UPX packer.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs
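The signatures above are mostly registry reads and writes: the sandbox-evasion checks read HKLM\HARDWARE\DESCRIPTION\System (BIOS and CentralProcessor subkeys), and the two persistence signatures write to the Run key and to the Winlogon key. The script below is an added example, not part of this report and not DarkComet code, showing how to reproduce that classification over simple registry telemetry and rank processes that combine persistence with evasion. The event lines are constructed for illustration (the PIDs and image names echo the process tree below; the value names such as MicroUpdate are invented); the registry paths are the real Windows locations each behaviour touches.

```python
"""Classify registry telemetry against the signatures used in this report.

Added example: the SAMPLE_EVENTS below are constructed, the key paths are the
real Windows locations behind each signature.
"""
import re
from collections import defaultdict

# Constructed telemetry: "pid<TAB>image<TAB>operation<TAB>registry path".
SAMPLE_EVENTS = (
    "2648\toTToMaN.3apcmifwcvu.exe\tRegSetValue\tHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\UserInit\n"
    "2648\toTToMaN.3apcmifwcvu.exe\tRegSetValue\tHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MicroUpdate\n"
    "2648\toTToMaN.3apcmifwcvu.exe\tRegQueryValue\tHKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemManufacturer\n"
    "2788\tnotepad.exe\tRegSetValue\tHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MicroUpdate\n"
    "2616\texplorer.exe\tRegQueryValue\tHKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemProductName\n"
    "2616\texplorer.exe\tRegQueryValue\tHKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\ProcessorNameString\n"
    "2616\texplorer.exe\tRegQueryValue\tHKLM\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion\n"
    "1234\tsvchost.exe\tRegQueryValue\tHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Desktop\n"
)

WRITE_OPS = {"RegSetValue", "RegCreateKey", "RegDeleteValue"}

# (signature name as the report labels it, key-path pattern, writes only?)
RULES = [
    ("Modifies WinLogon for persistence",
     re.compile(r"^HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\(Userinit|Shell)$", re.I), True),
    ("Adds Run key to start application",
     re.compile(r"^HK(LM|CU)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I), True),
    ("Checks BIOS information in registry",
     re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS\\", re.I), False),
    ("Checks processor information in registry",
     re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\", re.I), False),
    # Values directly under ...\System (e.g. SystemBiosVersion); the two
    # rules above cover the deeper subkeys, so the three do not overlap.
    ("Enumerates system info in registry",
     re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\[^\\]+$", re.I), False),
]

PERSISTENCE = {"Modifies WinLogon for persistence", "Adds Run key to start application"}
EVASION = {"Checks BIOS information in registry", "Checks processor information in registry"}


def parse_events(text):
    """Turn the tab-separated lines into (pid, image, op, key) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, image, op, key = line.split("\t", 3)
        events.append((int(pid), image, op, key))
    return events


def match_signatures(events):
    """Map (pid, image) -> signature name -> list of matching key paths."""
    hits = defaultdict(lambda: defaultdict(list))
    for pid, image, op, key in events:
        for name, pattern, writes_only in RULES:
            if writes_only and op not in WRITE_OPS:
                continue  # reading Run/Winlogon is normal; only writes count
            if pattern.search(key):
                hits[(pid, image)][name].append(key)
    return hits


def triage(events):
    """Per-PID summary; a process that both persists and probes the host
    for sandbox artefacts is ranked highest, as PID 2648 is in this report."""
    report = {}
    for (pid, image), sigs in match_signatures(events).items():
        names = set(sigs)
        if names & PERSISTENCE and names & EVASION:
            priority = "high"
        elif names & PERSISTENCE:
            priority = "medium"
        else:
            priority = "low"
        report[pid] = {
            "image": image,
            "signatures": sorted(names),
            "ioc_count": sum(len(v) for v in sigs.values()),
            "priority": priority,
        }
    return report


if __name__ == "__main__":
    for pid, row in sorted(triage(parse_events(SAMPLE_EVENTS)).items()):
        print(pid, row["priority"], row["image"], row["signatures"])
```

On the constructed input this yields the same split the report shows: the dropped executable (2648) is the only process that both persists and probes BIOS data, notepad.exe (2788) only writes the Run key, and explorer.exe (2616) only reads hardware keys; the unrelated svchost.exe read produces no hit at all.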

Processes

  • C:\Users\Admin\AppData\Local\Temp\43f37415ce56073c5259ee06325c9561_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\43f37415ce56073c5259ee06325c9561_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2200
    • C:\Users\Admin\AppData\Local\Temp\oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
      C:\Users\Admin\AppData\Local\Temp\oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
      2⤵
      • Modifies WinLogon for persistence
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2648
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2788
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\SysWOW64\explorer.exe"
        3⤵
        • Checks BIOS information in registry
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of AdjustPrivilegeToken
        PID:2616
      • C:\Windows\SysWOW64\notepad.exe
        C:\Windows\SysWOW64\notepad.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2580

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\oTToMaN.3apcmifwcvu.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

    Filesize

    340KB

    MD5

    e4dd035d5fc3a0570c72a84d06480645

    SHA1

    e7b8526379ab2b5a6685eacf6014d89e03abc361

    SHA256

    bb18ea9a23f03bd48f0e55b7cf20c25ea6a84c844ad1a97707f56fd6e327cd37

    SHA512

    ad5f03038ecfa17f97e973adb469d8805252bb34cda54d63a67f6b2997cae5933feb97355631262a072c8b29701d776801de792013948e8537c14c6e1a8fca12

  • memory/2200-79-0x000007FEF50C0000-0x000007FEF5A5D000-memory.dmp

    Filesize

    9.6MB

  • memory/2200-1-0x000007FEF50C0000-0x000007FEF5A5D000-memory.dmp

    Filesize

    9.6MB

  • memory/2200-2-0x000007FEF50C0000-0x000007FEF5A5D000-memory.dmp

    Filesize

    9.6MB

  • memory/2200-8-0x000007FEF50C0000-0x000007FEF5A5D000-memory.dmp

    Filesize

    9.6MB

  • memory/2200-0-0x000007FEF537E000-0x000007FEF537F000-memory.dmp

    Filesize

    4KB

  • memory/2580-76-0x00000000001D0000-0x00000000001D1000-memory.dmp

    Filesize

    4KB

  • memory/2616-80-0x0000000013140000-0x000000001322D000-memory.dmp

    Filesize

    948KB

  • memory/2616-45-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2616-43-0x0000000013140000-0x000000001322D000-memory.dmp

    Filesize

    948KB

  • memory/2616-78-0x0000000013140000-0x000000001322D000-memory.dmp

    Filesize

    948KB

  • memory/2616-84-0x0000000013140000-0x000000001322D000-memory.dmp

    Filesize

    948KB

  • memory/2616-77-0x0000000013140000-0x000000001322D000-memory.dmp

    Filesize

    948KB

  • memory/2616-87-0x0000000013140000-0x000000001322D000-memory.dmp

    Filesize

    948KB

  • memory/2648-11-0x0000000000270000-0x0000000000271000-memory.dmp

    Filesize

    4KB

  • memory/2648-82-0x0000000013140000-0x000000001322D000-memory.dmp

    Filesize

    948KB

  • memory/2648-10-0x0000000013140000-0x000000001322D000-memory.dmp

    Filesize

    948KB

  • memory/2788-41-0x0000000000010000-0x0000000000011000-memory.dmp

    Filesize

    4KB

  • memory/2788-14-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB
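The memory dumps above carry more information than their file sizes suggest: the 948KB region at 0x13140000-0x1322D000 is captured first in PID 2648 (the dropped executable) and later, at the same base and size, in PID 2616 (explorer.exe), which 2648 spawned and which the Processes section marks with SetThreadContext and WriteProcessMemory on the parent side. The same image appearing in a parent and a freshly created child is the shape that SetThreadContext-based process hollowing leaves behind. The script below is an added example, not part of the sandbox output, that parses the dump names listed in this report (copied verbatim) together with the parent relationships from the process tree and surfaces exactly that pattern; the field names in its output are my own.

```python
"""Cross-process correlation of sandbox memory-dump names.

Added example: DUMPS and PARENT are copied from this report; the
hollowing heuristic and output fields are the example's own.
"""
import re
from collections import defaultdict

# Memory-dump names exactly as listed in this report's Downloads section.
DUMPS = """
memory/2200-79-0x000007FEF50C0000-0x000007FEF5A5D000-memory.dmp
memory/2200-1-0x000007FEF50C0000-0x000007FEF5A5D000-memory.dmp
memory/2200-2-0x000007FEF50C0000-0x000007FEF5A5D000-memory.dmp
memory/2200-8-0x000007FEF50C0000-0x000007FEF5A5D000-memory.dmp
memory/2200-0-0x000007FEF537E000-0x000007FEF537F000-memory.dmp
memory/2580-76-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/2616-80-0x0000000013140000-0x000000001322D000-memory.dmp
memory/2616-45-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2616-43-0x0000000013140000-0x000000001322D000-memory.dmp
memory/2616-78-0x0000000013140000-0x000000001322D000-memory.dmp
memory/2616-84-0x0000000013140000-0x000000001322D000-memory.dmp
memory/2616-77-0x0000000013140000-0x000000001322D000-memory.dmp
memory/2616-87-0x0000000013140000-0x000000001322D000-memory.dmp
memory/2648-11-0x0000000000270000-0x0000000000271000-memory.dmp
memory/2648-82-0x0000000013140000-0x000000001322D000-memory.dmp
memory/2648-10-0x0000000013140000-0x000000001322D000-memory.dmp
memory/2788-41-0x0000000000010000-0x0000000000011000-memory.dmp
memory/2788-14-0x0000000000080000-0x0000000000081000-memory.dmp
"""

# child PID -> parent PID, from the report's process tree.
PARENT = {2648: 2200, 2788: 2648, 2616: 2648, 2580: 2648}

# memory/<pid>-<capture sequence>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def parse_dumps(text):
    """Return (pid, seq, start, end) tuples; seq is the sandbox capture order."""
    out = []
    for token in text.split():
        m = DUMP_RE.fullmatch(token)
        if m:
            pid, seq, start, end = m.groups()
            out.append((int(pid), int(seq), int(start, 16), int(end, 16)))
    return out


def human_size(n):
    """Format like the report: whole KB below 1MB, one decimal above."""
    return f"{n / 1048576:.1f}MB" if n >= 1048576 else f"{n // 1024}KB"


def regions_by_pid(dumps):
    """Distinct (start, end) regions per PID, collapsing repeated captures."""
    regions = defaultdict(set)
    for pid, _, start, end in dumps:
        regions[pid].add((start, end))
    return regions


def shared_regions(dumps):
    """Regions captured at the same base and size in more than one PID."""
    owners = defaultdict(set)
    for pid, _, start, end in dumps:
        owners[(start, end)].add(pid)
    return {r: pids for r, pids in owners.items() if len(pids) > 1}


def hollowing_candidates(dumps, parent=PARENT):
    """Shared regions where one owner is the parent of another, with the
    first capture sequence on each side so the direction can be checked:
    the parent should hold the image before the child does."""
    first_seen = {}
    for pid, seq, start, end in dumps:
        key = ((start, end), pid)
        first_seen[key] = min(seq, first_seen.get(key, seq))
    out = []
    for region, pids in shared_regions(dumps).items():
        for child in sorted(pids):
            p = parent.get(child)
            if p in pids:
                start, end = region
                out.append({"parent": p, "child": child, "base": hex(start),
                            "size": human_size(end - start),
                            "parent_seq": first_seen[(region, p)],
                            "child_seq": first_seen[(region, child)]})
    return out


if __name__ == "__main__":
    for c in hollowing_candidates(parse_dumps(DUMPS)):
        print(c)
```

Run against the report's own dump list this produces a single candidate: parent 2648, child 2616, base 0x13140000, size 948KB, first captured in the parent at sequence 10 and in the child at sequence 43. That is the region to pull from the report for unpacking, since it is the already-decompressed payload rather than the UPX-packed file on disk.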