Analysis
-
max time kernel
149s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
20/10/2024, 09:29
General
-
Target
61851a26a739e934f0f325569d512d7e_JaffaCakes118.exe
-
Size
799KB
-
MD5
61851a26a739e934f0f325569d512d7e
-
SHA1
85ab82a40bdabd9381df9beeecd5c29632f873f9
-
SHA256
dcbfd8058e295d146bb8a6776821ba637e992e3217934e41c1e6bf613417e3d8
-
SHA512
74dc9f581e9a26c08fcfbb03706dee285420d324da015c15d0e6ed1bc441de3252bc4256f4a06d63b5fc18eb06558e153e242fb34cdbaf3bd77a4cb94c1cb7fa
-
SSDEEP
12288:CUAveojxhN5YSl10R/IqSBk58uKTGPMiLeFv6uqos2mbqkNwdPsr0270yVyTy:LbSIR/998ZGPMXJkNcscyVyG
Malware Config
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Windows security bypass 2 TTPs 2 IoCs
-
Disables RegEdit via registry modification 2 IoCs
-
Disables Task Manager via registry modification
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 1 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
-
System policy modification 1 TTPs 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\61851a26a739e934f0f325569d512d7e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\61851a26a739e934f0f325569d512d7e_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Crypted.exe"C:\Users\Admin\AppData\Local\Temp\Crypted.exe"2⤵
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- Executes dropped EXE
- Windows security modification
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"3⤵
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
218KB
MD57965674b863b5a0b858f170c60c5ed0c
SHA1843de36143c9fa478a2a8c3f1b6dc48ef027930d
SHA256b2358bd771419a3b88f9b5a8124e017c1c15e378f9e85abf6e4d5f2b397d5c3d
SHA512ab6370f5d38738fab755ceb2af4a7e7e8c08ad4152333c9833166ee6362bd28b4c0c07f6eb4033790d42cb85f2d727ad1d0c58eacc47e6e3c6f95e6be9ca0591
-
Filesize
716KB
-
Filesize
4KB
-
Filesize
716KB
-
Filesize
716KB
-
Filesize
716KB
-
Filesize
716KB
-
Filesize
716KB
-
Filesize
716KB
-
Filesize
716KB
-
Filesize
716KB
-
Filesize
716KB
-
Filesize
716KB
-
Filesize
716KB
-
Filesize
4KB
-
Filesize
716KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB