Overview

overview

10

Static

static

3

645dedcf4a...18.exe

windows7-x64

10

645dedcf4a...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/10/2024, 22:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    645dedcf4ad1806a8194c703061f1688_JaffaCakes118.exe

  • Size

    4.4MB

  • MD5

    645dedcf4ad1806a8194c703061f1688

  • SHA1

    86dd824ba2c80709bd47a2f5336e1636a2b031d2

  • SHA256

    1f2a78766bb290fb2ed404f5ed05404986709175b39d152358087061b166dbe9

  • SHA512

    b4217b88d4a2e915d35eb6f142ceccbcc31492804f31e7955b627a73c616a02fbfc6f47da2b6374a720cdb9e6398f3cd2215335810c317215255c73aa334c79c

  • SSDEEP

    98304:5G48dZ7pekDE3sstJ/O9gSPCwXa+XwYDvAfg0yTcxXSUhVmz3s1nNAF:5l8dZ4kuAgkAYDvAfBfxirzciF

Score
10/10
darkcometadwarediscoverypersistenceratstealertrojan

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
    adwarespyware
  • Modifies registry class 18 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\645dedcf4ad1806a8194c703061f1688_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\645dedcf4ad1806a8194c703061f1688_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Installs/modifies Browser Helper Object
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:436
    • C:\Users\Admin\AppData\Local\Temp\856C.tmp
      C:\Users\Admin\AppData\Local\Temp\856C.tmp
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3984
      • C:\Users\Admin\AppData\Local\Temp\856C.tmp
        C:\Users\Admin\AppData\Local\Temp\856C.tmp
        3⤵
        • Modifies WinLogon for persistence
        • Checks BIOS information in registry
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4628
        • C:\Windupdt\winupdate.exe
          "C:\Windupdt\winupdate.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2228
          • C:\Windupdt\winupdate.exe
            C:\Windupdt\winupdate.exe
            5⤵
            • Checks BIOS information in registry
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Checks processor information in registry
            • Enumerates system info in registry
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:4760

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\856C.tmp
    Filesize

    1.3MB

    MD5

    6b863c3170f533bb92a08b7fb876b7a2

    SHA1

    580e5348c15e5698f14a9f8b685c2adeb08343a6

    SHA256

    01c39ca09524f3372595b7c75d42fd95a88514d51df62d0ed1449852960ca68c

    SHA512

    82c6f1d6453e4563a349e81a5a78ff52871e991eadbb41a8c164ef3f9b47af78381115cfe3202b1728c22fcabad42da96da7488bcc6a60bd73eb43b02468eced

    Download Submit

  • C:\Users\Admin\AppData\Roaming\IDM\DwnlData\Admin\testing_1\testing_1.log
    Filesize

    298B

    MD5

    081efb97b5d20b41451267ac92b064e0

    SHA1

    5dbfdf6a6ef60f99bc6e499d828dbafa858210ef

    SHA256

    b7f1b15ca1a74fcce768ab08c8013cc337ed96699175b582dd3f1f440c3a5b92

    SHA512

    cc5a13376227aa4844bc0ba5517881a033464ac2a4fb92d05ee31c30bb9c59bab7d669c2b24f803401b373c634f677cd98cab3683abb2d5d9c55c4f828615864

    Download Submit

  • C:\Users\Admin\AppData\Roaming\IDM\DwnlData\Admin\testing_1\testing_1.log
    Filesize

    887B

    MD5

    01c819667671b539c84658115daeb138

    SHA1

    d60e4155d3260325aea5cef1a9e74be42dfce4fc

    SHA256

    0d78ee99d9e8b2ff972210691f7571d75e43ec437ed5b1b6548fd76ad21d4b4b

    SHA512

    7a76bb6b784ed5b5ad386844a714e4a63cddb8862c4b7a4c9aa95d56e8d25d626a7ab9d39312f60059acedf4c9b6be6b15c99d5fefe21fbe82bb03a2a61ba539

    Download Submit

  • C:\Users\Admin\AppData\Roaming\IDM\DwnlData\Admin\testing_1\testing_1.log
    Filesize

    1KB

    MD5

    4895973f43e500cbbd4b502bea927924

    SHA1

    b608142e70e1d69dab23ac292a140ce2a6a36a2d

    SHA256

    a0e009977680aee4887755584e147c7806888e86027bdf10fda7a0f92909ba4e

    SHA512

    94f4465ac99c2ccd8e1b02a40bb1e9af0f8d10b63fd9d21d95b70cda77bab1cf00ab1c00d772ae6a8c2eaa523f36e55caaac21c1972bd05a9ae500c8e8ff33f5

    Download Submit

  • \??\c:\users\admin\appdata\local\temp\6EF69DFE
    Filesize

    14B

    MD5

    20d5a113e78088087945bff38b2df7f9

    SHA1

    cb94c5de154d38d1da46c8a6fe3020332360278d

    SHA256

    c1f85c8b4d73a39568082e05c1bbac8bfa63ba913f362fbdb5bb2bb8926f8037

    SHA512

    6432878cd0afdfb5ed3696ec65057549d06cb1c28a4f6db2a02cc27eed5c9fe0b41421cc9ecfdaa9d5805572af9a1ed2c53d68512661947b1df94a9c5d6f26f2

    Download Submit

  • memory/436-104-0x0000000000400000-0x0000000000864378-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/436-0-0x0000000000400000-0x0000000000864378-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/2228-41-0x0000000000400000-0x00000000007BF000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/3984-5-0x0000000000400000-0x00000000007BF000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/3984-14-0x0000000000400000-0x00000000007BF000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/4628-17-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/4628-15-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/4628-9-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/4628-16-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/4628-31-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/4628-11-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/4628-12-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/4760-99-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/4760-102-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/4760-43-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/4760-44-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/4760-97-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/4760-98-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/4760-42-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/4760-100-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/4760-101-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/4760-45-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/4760-103-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/4760-39-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/4760-105-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/4760-106-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/4760-107-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/4760-108-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/4760-109-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/4760-110-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/4760-111-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download