Overview

overview

10

Static

static

3

5b35a109fa...18.exe

windows7-x64

10

5b35a109fa...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-10-2024 06:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5b35a109fa6c24e5f36aa539f21b0471_JaffaCakes118.exe

  • Size

    934KB

  • MD5

    5b35a109fa6c24e5f36aa539f21b0471

  • SHA1

    7bd809e4a38ffefb07af941f2d642e190e116705

  • SHA256

    230487fbc5f787ee4c0a01bd118962c86837aab4e49855e9c54603cace4711f2

  • SHA512

    73b7a98fb2a2fe8345795dd8f8ebe134fea64a95a2217c49a2bc652128ef5ba33eff81b78cd754fbe9258a70147b83767dd64483d4ce7e8f702039c7b184576c

  • SSDEEP

    12288:tMYIWfFq6mgOmJbJPTLUfkF1w8fbN3+J86FMSaJ/q3NSo76ZBvu6Yoa/TBiFrO+s:tX3CkF1w8T1+J86F/uq3Mo6ZYoatEy5

Score
10/10
darkcometdiscoveryevasionpersistencerattrojan

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Checks BIOS information in registry 2 TTPs 3 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 12 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 58 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5b35a109fa6c24e5f36aa539f21b0471_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5b35a109fa6c24e5f36aa539f21b0471_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4504
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\README.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:4296
    • C:\Users\Admin\AppData\Local\Temp\Counter Strike Source MultiHack v1.8.exe
      "C:\Users\Admin\AppData\Local\Temp\Counter Strike Source MultiHack v1.8.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2860
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:4500
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\SysWOW64\explorer.exe"
        3⤵
        • Windows security bypass
        • Checks BIOS information in registry
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3676
        • C:\Windows\SysWOW64\notepad.exe
          C:\Windows\SysWOW64\notepad.exe
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1804
      • C:\Windupdt\winupdate.exe
        "C:\Windupdt\winupdate.exe"
        3⤵
        • Windows security bypass
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of AdjustPrivilegeToken
        PID:3964

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Counter Strike Source MultiHack v1.8.exe
    Filesize

    679KB

    MD5

    1bb62291db3dd70c4e1b2e19531cc708

    SHA1

    c2e5ef6a2dc2d948ffc319b2a09140557d49f67a

    SHA256

    cbd86aa53612008d72b15db8e7a5a3ea8054f7dc15d7a40b0ac1359abd254905

    SHA512

    acb830b6789d6ec89efd955f253cff1f6af92246bc206edaad19bff7299533ff636e3679dd0a41c7878f278885aa3bfe53897419de9c7c395ffc0cb58b958357

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\README.txt
    Filesize

    64B

    MD5

    c6a480daff6e999199dfbe6c46f66e11

    SHA1

    192947450c2b5a8f70364247d6039db541f37408

    SHA256

    4985900805411ee54cf34bd311b31d25f8ceb55fc0123f5ae1b60dab8adafe9c

    SHA512

    8644c9dac2fc32d68879d7694964ca916e4f167538036bced2d1b5708f7a516b4ecf34cd87f26a054869a4058a8d5d8402129b27c75546db74fc1c17864ecd16

    Download Submit

  • memory/1804-26-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2860-30-0x0000000013140000-0x00000000131FC000-memory.dmp

    Filesize

    752KB

    Download

  • memory/3676-27-0x0000000013140000-0x00000000131FC000-memory.dmp

    Filesize

    752KB

    Download

  • memory/3676-23-0x0000000013140000-0x00000000131FC000-memory.dmp

    Filesize

    752KB

    Download

  • memory/3676-22-0x0000000013140000-0x00000000131FC000-memory.dmp

    Filesize

    752KB

    Download

  • memory/3676-29-0x0000000013140000-0x00000000131FC000-memory.dmp

    Filesize

    752KB

    Download

  • memory/3676-28-0x0000000013140000-0x00000000131FC000-memory.dmp

    Filesize

    752KB

    Download

  • memory/3964-31-0x0000000013140000-0x00000000131FC000-memory.dmp

    Filesize

    752KB

    Download

  • memory/4500-17-0x00000000012F0000-0x00000000012F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4504-15-0x00007FFD7FAC0000-0x00007FFD80581000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4504-0-0x00007FFD7FAC3000-0x00007FFD7FAC5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4504-3-0x00007FFD7FAC0000-0x00007FFD80581000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4504-1-0x0000000000500000-0x00000000005EE000-memory.dmp

    Filesize

    952KB

    Download