Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-10-2024 20:02

General

  • Target

    43f37415ce56073c5259ee06325c9561_JaffaCakes118.exe

  • Size

    374KB

  • MD5

    43f37415ce56073c5259ee06325c9561

  • SHA1

    9a52363cc87982db4389e66afc23d3d5b19ca120

  • SHA256

    f977ef11e8cafc36f65eac224eb6beb3da9e210376f529ab193e55e9d9b689a4

  • SHA512

    23cd1519ce284497f5ff6155415ae5fc137ea4346490ddc48b4760f85350b680b9de8a7d7f46beb1587ba8e996fe4316c10c2fa5f4c09ae9bcaf923b3d42867a

  • SSDEEP

    6144:CMjLpLlFnV2VsUqiifR55Aj4wWHA90EVb2/1T6LHcGQ2s8Yg6FxOp63RPE9YG8yH:vt8VtqiifjOj4wWcLbY6zRo8COpExgYG

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\43f37415ce56073c5259ee06325c9561_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\43f37415ce56073c5259ee06325c9561_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5056
    • C:\Users\Admin\AppData\Local\Temp\oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
      C:\Users\Admin\AppData\Local\Temp\oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
      2⤵
      • Modifies WinLogon for persistence
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3420
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:4356
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\SysWOW64\explorer.exe"
        3⤵
        • Checks BIOS information in registry
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of AdjustPrivilegeToken
        PID:1824
      • C:\Windows\SysWOW64\notepad.exe
        C:\Windows\SysWOW64\notepad.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3096

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\oTToMaN.54fhlppkktf.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

    Filesize

    340KB

    MD5

    e4dd035d5fc3a0570c72a84d06480645

    SHA1

    e7b8526379ab2b5a6685eacf6014d89e03abc361

    SHA256

    bb18ea9a23f03bd48f0e55b7cf20c25ea6a84c844ad1a97707f56fd6e327cd37

    SHA512

    ad5f03038ecfa17f97e973adb469d8805252bb34cda54d63a67f6b2997cae5933feb97355631262a072c8b29701d776801de792013948e8537c14c6e1a8fca12

  • memory/1824-21-0x0000000013140000-0x000000001322D000-memory.dmp

    Filesize

    948KB

  • memory/1824-24-0x0000000013140000-0x000000001322D000-memory.dmp

    Filesize

    948KB

  • memory/1824-28-0x00000000009F0000-0x0000000000E23000-memory.dmp

    Filesize

    4.2MB

  • memory/1824-25-0x0000000013140000-0x000000001322D000-memory.dmp

    Filesize

    948KB

  • memory/1824-23-0x0000000013140000-0x000000001322D000-memory.dmp

    Filesize

    948KB

  • memory/1824-18-0x0000000013140000-0x000000001322D000-memory.dmp

    Filesize

    948KB

  • memory/3096-20-0x00000000009F0000-0x00000000009F1000-memory.dmp

    Filesize

    4KB

  • memory/3420-13-0x0000000000A50000-0x0000000000A51000-memory.dmp

    Filesize

    4KB

  • memory/3420-11-0x0000000013140000-0x000000001322D000-memory.dmp

    Filesize

    948KB

  • memory/3420-27-0x0000000013140000-0x000000001322D000-memory.dmp

    Filesize

    948KB

  • memory/4356-16-0x0000000000D50000-0x0000000000D51000-memory.dmp

    Filesize

    4KB

  • memory/5056-0-0x00007FFE6DF85000-0x00007FFE6DF86000-memory.dmp

    Filesize

    4KB

  • memory/5056-7-0x000000001BD40000-0x000000001BD8C000-memory.dmp

    Filesize

    304KB

  • memory/5056-22-0x00007FFE6DCD0000-0x00007FFE6E671000-memory.dmp

    Filesize

    9.6MB

  • memory/5056-6-0x0000000000740000-0x0000000000748000-memory.dmp

    Filesize

    32KB

  • memory/5056-5-0x000000001BCA0000-0x000000001BD3C000-memory.dmp

    Filesize

    624KB

  • memory/5056-4-0x00007FFE6DCD0000-0x00007FFE6E671000-memory.dmp

    Filesize

    9.6MB

  • memory/5056-3-0x000000001B730000-0x000000001BBFE000-memory.dmp

    Filesize

    4.8MB

  • memory/5056-2-0x00007FFE6DCD0000-0x00007FFE6E671000-memory.dmp

    Filesize

    9.6MB

  • memory/5056-1-0x000000001B120000-0x000000001B1C6000-memory.dmp

    Filesize

    664KB