Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
17-10-2024 02:34
General
-
Target
505e0479271963403c89d94dc8d9297e_JaffaCakes118.exe
-
Size
773KB
-
MD5
505e0479271963403c89d94dc8d9297e
-
SHA1
0281b7e8b7bae68774a97569bcb3ba747d3c7f8e
-
SHA256
f44dad3c2f770d7ffd8234e857184d196d2251e28375c6f8e5bb499dd8fffe1b
-
SHA512
e0687467efd8924e665d4d63b478054b441cd40d2e206f9ecdd16d518bfd24d3c885e54554c856369704eac9c12ce2c08340b6fdbe2945db734a87f4c64abc2c
-
SSDEEP
12288:wYU38tWvCBtmerOuCvLmWzZsSeOqbEwFsxikVPdJV717Uji4NHv4UHolx7cjOnqH:vRrOuOmW9snobHVPdc/x4UIlgOnq8acg
Malware Config
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Disables RegEdit via registry modification 2 IoCs
-
Disables Task Manager via registry modification
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\505e0479271963403c89d94dc8d9297e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\505e0479271963403c89d94dc8d9297e_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Crypted.exe"C:\Users\Admin\AppData\Local\Temp\Crypted.exe"2⤵
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"3⤵
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
658KB
MD5d06bab06b90d6834fa3ca20f7721bce3
SHA1aabe13f7b43fa5a864dbeda293eddb080ab0dc3e
SHA25654be714f25b54574940c8f1f561fba8f99d54e43f944bc642a3c276c42dade03
SHA51212d21ecb86b839b8d606c0143a03bed8789b5fb3addc5e55f9956edfe64d0fb3dc4469fdbd957fa37ea1d4e9fe5ede7c6f4241e8eeb2fffb95aacd88a5984703
-
Filesize
728KB
-
Filesize
728KB
-
Filesize
728KB
-
Filesize
728KB
-
Filesize
728KB
-
Filesize
728KB
-
Filesize
728KB
-
Filesize
728KB
-
Filesize
728KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
304KB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
624KB
-
Filesize
4.8MB
-
Filesize
9.6MB
-
Filesize
664KB