Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
28-10-2024 11:12
General
-
Target
79575764ecacaf8e91677fd21bd7b7f4_JaffaCakes118.exe
-
Size
1.4MB
-
MD5
79575764ecacaf8e91677fd21bd7b7f4
-
SHA1
4222470d724237d30f5b4dc0321eff96bf987440
-
SHA256
b16cecf93f1740fe9bb268d4ae730f55243479993efe7b5f9add81026ac04c11
-
SHA512
e9eae65e0198115b9138db083dcebf138c00f1b48710f8ec93f65ff69eb07960acaa1918ff76979e447ec0d22abe56240e14fa0bef34992cb640fff75fbf7fc5
-
SSDEEP
24576:7W/myG7H1QVtKDYb++V19Hfjq+dSg7Zmn4pkE3KWTrXYZcD942h:KtKDYbxVrPdz4nY3XYOD9Dh
Malware Config
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Darkcomet family
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 25 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 26 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\79575764ecacaf8e91677fd21bd7b7f4_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\79575764ecacaf8e91677fd21bd7b7f4_JaffaCakes118.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\\java.bat2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wscript.exewscript.exe "C:\Users\Admin\AppData\Roaming\invs.vbs" "C:\Users\Admin\AppData\Roaming\java2.bat3⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\java2.bat" "4⤵
- Drops startup file
- System Location Discovery: System Language Discovery
-
-
-
-
\??\c:\svhost.exec:\svhost.exe2⤵
-
-
\??\c:\svhost.exec:\svhost.exe2⤵
- Checks BIOS information in registry
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
78B
MD5c578d9653b22800c3eb6b6a51219bbb8
SHA1a97aa251901bbe179a48dbc7a0c1872e163b1f2d
SHA25620a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2
SHA5123ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d
-
Filesize
53B
MD51896de26a454df8628034ca3e0649905
SHA176b98d95a85d043539706b89194c46cf14464abe
SHA256d85e713743c7e622166fb0f79478de5eabd53d3fe92bd2011ab441bc85ef2208
SHA512ef69dacd7e717dff05f8a70c5b9a94011f2df3201cc41d5f8cc030f350b069dc090c5b0d3d0bd19098a187977a82d570e1ee153849f609a65889ba789da953d2
-
Filesize
160B
MD5e8170b6565dfb34d114cfa398ba77296
SHA19079335b0ec9a509b7344cb98713fc0b52afa36e
SHA25676ff7c88cc815c8acd61f835033baf5b92eee085e7316c7230f7c363d1e1974b
SHA5121b473fe0a68642ff1741f4619f819b040f8d54696d40e74dd9ad692b56729e455bbe54cb76b382bb1fce5e1eae97dd8c99aeb762915f7147bba59d0ba60d004d
-
Filesize
1.4MB
MD579575764ecacaf8e91677fd21bd7b7f4
SHA14222470d724237d30f5b4dc0321eff96bf987440
SHA256b16cecf93f1740fe9bb268d4ae730f55243479993efe7b5f9add81026ac04c11
SHA512e9eae65e0198115b9138db083dcebf138c00f1b48710f8ec93f65ff69eb07960acaa1918ff76979e447ec0d22abe56240e14fa0bef34992cb640fff75fbf7fc5
-
Filesize
1.1MB
MD5d881de17aa8f2e2c08cbb7b265f928f9
SHA108936aebc87decf0af6e8eada191062b5e65ac2a
SHA256b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
SHA5125f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
4KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB