Analysis
-
max time kernel
149s -
max time network
135s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
20/10/2024, 22:23
General
-
Target
645dedcf4ad1806a8194c703061f1688_JaffaCakes118.exe
-
Size
4.4MB
-
MD5
645dedcf4ad1806a8194c703061f1688
-
SHA1
86dd824ba2c80709bd47a2f5336e1636a2b031d2
-
SHA256
1f2a78766bb290fb2ed404f5ed05404986709175b39d152358087061b166dbe9
-
SHA512
b4217b88d4a2e915d35eb6f142ceccbcc31492804f31e7955b627a73c616a02fbfc6f47da2b6374a720cdb9e6398f3cd2215335810c317215255c73aa334c79c
-
SSDEEP
98304:5G48dZ7pekDE3sstJ/O9gSPCwXa+XwYDvAfg0yTcxXSUhVmz3s1nNAF:5l8dZ4kuAgkAYDvAfBfxirzciF
Malware Config
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 11 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Installs/modifies Browser Helper Object 2 TTPs 3 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 62 IoCs
-
Modifies registry class 20 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 49 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 13 IoCs
-
Suspicious use of WriteProcessMemory 52 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\645dedcf4ad1806a8194c703061f1688_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\645dedcf4ad1806a8194c703061f1688_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\86DC.tmpC:\Users\Admin\AppData\Local\Temp\86DC.tmp2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\86DC.tmpC:\Users\Admin\AppData\Local\Temp\86DC.tmp3⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windupdt\winupdate.exe"C:\Windupdt\winupdate.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windupdt\winupdate.exeC:\Windupdt\winupdate.exe5⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://www.internetdownloadmanager.com/welcome.html?v=519b32⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1992 CREDAT:275457 /prefetch:23⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Browser Extensions
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD552ca42b538011b82dfabbb1e551183b4
SHA149e507a4af4f68c886d9ab30a3600f4554bbe8c6
SHA256861dc3f8ab8faeb8c98a191bf0cf24ab61b699a33035cff55170207de332b6cf
SHA5128b7eaf8e60dc177ec0d8db0e5494ef9b15cee41adb3827667c6c46423f302bc9fa032b7e7d767ca0f1cd7860a866d3670bc4178529eeb2f43ed936bcf7b57ac5
-
Filesize
342B
MD5e28ea7ab400dc37c2978a0cb9ed23132
SHA14f9a8b725b51c1717279e8a55fe5bf99fbb40bb0
SHA2564c1cff4216e1e75ce564bccbd6115c47b2f2e9553c0c6efa16048a34d832f160
SHA5128d4f15b3f32b646d099c1a77da1ceb01ea63a8eb7c0f88b4bb341d48d9a337d096e5e4726fcc29859b44ad6e99ecb39bb94d8c273a586a01a36dcfcb7901a203
-
Filesize
342B
MD58073cc65f82e2a9f3b759b67cb2c28b2
SHA1a512ffe74a7b37827baf8146ddd860b6dfee5443
SHA25646f89efeffd221563c93d4430928c5efee8ad8fb96da7dd4843e15cd539d1591
SHA512e87f0821951eeaccea23c3298f1bf67967600b116ad8e4ca81509a5ef0ae9859d8125fd2e45e12945333ab97cc86481c10e5d0a4a71ff2c2bc367e56adfb4660
-
Filesize
342B
MD5e487a9edd0a2c7d22ab32ea03440569d
SHA1e766ceef51867e6309d3ebaf15bee2cdb38dd823
SHA2566164e32c1856d271bc838fd10cf009bd0ed644e652c7114cc61b125d14647313
SHA51210bb9098781fdf89afff4ff14a2b3a447f4a045f54bcd0112ca7a50b6e9dce10d2fd9f4450354eeaa0f5ff8f6e26cffb109ee3a0f348e4d5529c7c6b78485e8c
-
Filesize
342B
MD527304bb3c198cee2708d64f230c8c14c
SHA1d8aad9d340b538a39b5a53b16ed2c965eedda299
SHA2563ab9cdaca567ab9254b18cf245305255fe8b4d50cce138f210aa30438b15f803
SHA51209294df44a23132c32c499996c281ff5cf45225ddf85de2ee3cb62576474db1806723da0c351e3de5a15fadc6034fa2295d2fc0e3dba439753e14743d572b898
-
Filesize
342B
MD5acc8f53b372f69d93716c8d45c553ffa
SHA199e326e6cf5763b4fc493752866916136a9d2596
SHA2562ffe7eb3e8163a7796582fb4935ef77fe96930f73692befe3e31456e459f390c
SHA5122be49944eef33cdcc30d8d5a0969af6eef89c5cd3592ee3a149ac074d65a18e2a75e247bb7338dbd7cb62da19a98da96602ee5b15cb6cdaf7562eb5cc956df36
-
Filesize
342B
MD56a7f745cec97efe1da1ecbaadc9c0812
SHA1f89196f36cacf68234c1946031bf06bbb9b8afe0
SHA2561e88d5d35348ca92fa6ceb5649f312068cedc681be052b8fdd2bda4eb87080c1
SHA512ad4fc84020f11fd65a7dc4a51004eea496b3f810def1f1f2086dac1218fc8d89b957f04fa530b814113a1abd82f7af7814d05eb315fa653e16e9efb2d57d764d
-
Filesize
342B
MD515e93291c21a418d79b67880d0ff4a4f
SHA159eb50ca5a1ce24500dc1802c7396dcdb2d3f157
SHA2566a48563be17f265046b06b644d916329d5951e6cd050b8ca0064adeaf40b5d63
SHA5122c97c2b68550ab0d99d3959db13078cb0422ee222f64760e5fa2c6a3b113e15253804ba188a4f288fd4db16653b68ddb3d965de13e429de3e90475185aa8e15c
-
Filesize
342B
MD5fd8a55485dc28595250e104090968fc6
SHA105eb84c5bde2eeb50f806135300b3cf5ccfcadc1
SHA2560e9fab56c72d57d94a28286f21b00e89fa4a7bce9c8e26114c9b63747b924eb5
SHA512ebc999e7bef04dddef25d58564f1e0f1fa2105fb165a9da93c55e160a67f865ec12a6a42895e0188dc933b4ab9097e4bc19de6f80e60b56e839c093f1c2d9915
-
Filesize
342B
MD5f5baad31cfa4d162a2c6affc8c222001
SHA12150367e76f6612a1c34c532730cc8a17a6e98de
SHA256bc41e1988dab652540e0be6520a0533df7fe33a462151bccdd383a2c7ac66dab
SHA51208aae4747f4ae64b806dcd15491d4c23bb974ceccf475a94002fb2c4291610792dd1b782acd41d632e698f2c6cbe56f588b6f3089fe5a681b64f03c8a9c2f32d
-
Filesize
342B
MD51e14d6e5d2b65088b1537850d170eeb3
SHA10d1d873b813ff3fbf3bcd40f3f8cae471423f411
SHA256b6ffa99bf59171e79cd2680bf9aa0a0c3903f427da76b9c246a59ba177739408
SHA5126e26b72ba92d8b202a4d87a3a8dd392145cd933d02ee87de27276096da0d64d16a69acbc9d903604b080784bf2f8babd42720cb75b29097a4c998c70cc748135
-
Filesize
342B
MD5360da0c9bfe4944388f62da24500fb02
SHA1f4ea3c30b8bdee82800fe5661b405b474f31efaf
SHA25670067f5d100223a0315a74f4cd36fe25cab71d5879a2742de50efc5dbf612890
SHA512105d464ad24b8193b7290b6cb966aa85548ca5c3ae7f06129876c1ed9aa46a2c21739c89ea77298b5497499159ecb4b20f1c4444ea09356d109d48825da0e6a0
-
Filesize
342B
MD5efd172ce147ac6ba19e610a7d64178a3
SHA1e8ebd84ac2d09931ffa13be5c10cb9cf0a47d8e1
SHA2561f2e5b51c5770dc9dae670dd8f6f9ba5cc82f0336cc58f769ab880e4b26ccdbf
SHA512a94f36890e5399ae41abc018ea0ac4698a013302d58c59105b6b132a29f86e34aedf64293cbdcd072a969c0449e2c87e26d26861203bafb09bd693b446a4295b
-
Filesize
342B
MD5d19750e5c3a6b309eaf9899e43507f06
SHA101d0e03cb685f92fe4d2f87b37ceba2cd025bb7c
SHA256875d8644f351f6a1b668bdaf2cc2e0c627a9f1b9efa33d4c493dc2ccd3d991d9
SHA51245195107f06fab3ea83d220cf66022ebce21ca9cec822efb9d8cf0041045a43157e4eeb8f66aca889f87644b38b9f553e0ab10dd955ef5cfc29d057d94b69661
-
Filesize
342B
MD5d16206bc8ed1b9174443b290bdac0c2f
SHA1d0391752147b841c9ff364469b5612ff1cd220c0
SHA2561eb3a46de5805524de2293b4cc01088155f5f548672f68a56875bd16d6d613c7
SHA512fa9cee8df6b175e6596564ad1d4c19620353ecf41a5e93caab57d0ac9479c82eb1401510cb41b640043da1838a9c22b3b7d87639d5e2ca4101b8318f160a4231
-
Filesize
342B
MD53f1001473704f17cf3c00032d53f9efa
SHA1ca26d2b6f214facbee70b54fd5b7087de4102c70
SHA256e6cc7608a159298954848aa2b011033c3db16686b4b91017bf7853c6e4ff4a92
SHA512469fff704404324701755f2507f2d5c77351c96c709dc7104f1ac1f8da1937d2a8a9403122489753816e017150c93a743e93066d7d89dae0398a0e843caf7fff
-
Filesize
342B
MD54723c6bc3fdf226c581f7917aabf96fa
SHA141e5ca5fc5ae3f2da24aa487c02e68f1daecfd34
SHA256d759178c9b0082604ec594c60ebecf15bca9d553f9d5ccc5b760624cb1471e78
SHA512bb6abdc51476e4c25b45eb4b1ba72f601cdfc933d43231d6b10b2bdcb6fcc367b1808e01b5e4c0505cc2a7953de3bc115d1282daea0c3af122cdc910af874d6b
-
Filesize
342B
MD570de744b6dcb561c48f79244d2a99ce0
SHA1df6b1149420ead47a8145a5c19b086ed954287c7
SHA256501c20ea62ee919407271a9257ca2927b3b9ef9dee04461648ef361caa9b6e62
SHA512a464429fe1d86752ce04e1a029973a9a7380ee2e3443d444f982fd0bfa13c04adebcaf459ccabee061da9a4686094426cf779e2969630158d38f1685f796b3fc
-
Filesize
342B
MD5546a595cf644e5558765493975928bd8
SHA1df7b8e2f2c9f5866a4562d762f0926f6df072943
SHA256e6534d0ccf0ae2366d1b2597864920c9b15bbd2581ab2458cb7e1e5229cd9d41
SHA512caa65ec93915c33b2b60cae98365516707e57a09171848eec5732c0b6360aea8d31950ea41e080357cde028e18a4fe5b1ff73040f842ceab2ccc54b944c0fedc
-
Filesize
342B
MD5b25cf65484bdff5fad2f28fb5ed9232c
SHA1abac2365715cd438184d42f1b895437b7bf243f5
SHA256328bbb02d982801d40db90b7fd7b9c0b6f5c2efede25b121d510c4ff02724f72
SHA512db807bd0ea2f387de6d09c1f12ac1353d7c24ccaf5250233b15dd176a36515ad06e0edf8a25047ca82a7d6d14b7e9c1c72bebd87c596c0f5ae88451da0ff1a82
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
14B
MD520d5a113e78088087945bff38b2df7f9
SHA1cb94c5de154d38d1da46c8a6fe3020332360278d
SHA256c1f85c8b4d73a39568082e05c1bbac8bfa63ba913f362fbdb5bb2bb8926f8037
SHA5126432878cd0afdfb5ed3696ec65057549d06cb1c28a4f6db2a02cc27eed5c9fe0b41421cc9ecfdaa9d5805572af9a1ed2c53d68512661947b1df94a9c5d6f26f2
-
Filesize
1.3MB
MD56b863c3170f533bb92a08b7fb876b7a2
SHA1580e5348c15e5698f14a9f8b685c2adeb08343a6
SHA25601c39ca09524f3372595b7c75d42fd95a88514d51df62d0ed1449852960ca68c
SHA51282c6f1d6453e4563a349e81a5a78ff52871e991eadbb41a8c164ef3f9b47af78381115cfe3202b1728c22fcabad42da96da7488bcc6a60bd73eb43b02468eced
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
768KB
-
Filesize
768KB
-
Filesize
768KB
-
Filesize
768KB
-
Filesize
768KB
-
Filesize
768KB
-
Filesize
768KB
-
Filesize
768KB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
768KB
-
Filesize
3.7MB
-
Filesize
768KB
-
Filesize
768KB
-
Filesize
768KB
-
Filesize
768KB
-
Filesize
768KB
-
Filesize
768KB
-
Filesize
768KB
-
Filesize
768KB
-
Filesize
768KB
-
Filesize
3.7MB
-
Filesize
768KB
-
Filesize
768KB
-
Filesize
768KB
-
Filesize
768KB
-
Filesize
3.7MB
-
Filesize
768KB
-
Filesize
768KB
-
Filesize
768KB
-
Filesize
768KB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB