Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
-
submitted
25-11-2024 06:38
General
-
Target
99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
-
Size
5.0MB
-
MD5
99d2656e3599ba235242dc9763b3940b
-
SHA1
2ac901d260222eed2c8d7f1cdc92ae8d11b50c7b
-
SHA256
bb14ef332f01f1db8ce7a225adc9fe5f6ee5c4a6ffd2038478065e270080abad
-
SHA512
af8c8fd9e842ad21feb9da2c06637dc484927714a7c562f2916e1fe4f349bf2a12fd513e750440a02280ee773a8bcaf9df0f97dba5b8cbc7d81c521adee78ce3
-
SSDEEP
98304:Bp0K5DI69NeNw/V/dMBJ5Yr0M1oDBoMqnE6oNv7rW:BDB/tN/YJOozDBiE667rW
Malware Config
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Darkcomet family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies security service 2 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 4 IoCs
-
Disables RegEdit via registry modification 2 IoCs
-
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 28 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
NSIS installer 2 IoCs
-
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe"2⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\CCSETUP305.EXE"C:\Users\Admin\AppData\Local\Temp\CCSETUP305.EXE"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"3⤵
-
-
C:\Users\Admin\AppData\Roaming\Windupdt\winupdate.exe"C:\Users\Admin\AppData\Roaming\Windupdt\winupdate.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windupdt\winupdate.exe"C:\Users\Admin\AppData\Roaming\Windupdt\winupdate.exe"4⤵
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"5⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"6⤵
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\CCSETUP305.EXE"C:\Users\Admin\AppData\Local\Temp\CCSETUP305.EXE"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
9KB
MD5bf670074262a7e29da8c0ff2d94c1438
SHA15d608a1cb519e5751a4736a6b8e9f3e80477f3e3
SHA2561ea1d0a8b0302840b2ba4743fdef788c93517ac083b7a9da7dd25640251ce061
SHA5126c974589ba1e2939e86216078b5ec8bf750346fa77ee81e85a7842aee42cd33f858de9fd2d6837e264f73ab18c1b1d26c4a29336da4e4b41e83c465371c94ca8
-
Filesize
2.9MB
MD5a0c156da60803807cf6b46ec340c9739
SHA124aeaf6ff4d2ad611f2e6f61a0e38c46602cae97
SHA256fc35a0c9f5604f78e2c4673d815e493638819d534acc73b834bd4f9fd9d49d48
SHA5125bec9c0cf64cde95267d44b1dba299b7299a827467132400656eaf8b2225b2710a0e986d6a1e9db00f6f94b922ae6592372519a91b03230e92de26052aa5b3ca
-
Filesize
4KB
MD5fad9d09fc0267e8513b8628e767b2604
SHA1bea76a7621c07b30ed90bedef4d608a5b9e15300
SHA2565d913c6be9c9e13801acc5d78b11d9f3cd42c1b3b3cad8272eb6e1bfb06730c2
SHA512b39c5ea8aea0640f5a32a1fc03e8c8382a621c168980b3bc5e2897932878003b2b8ef75b3ad68149c35420d652143e2ef763b6a47d84ec73621017f0273e2805
-
Filesize
62KB
MD5f6400e8bdca118c6b5170c172fcbc06e
SHA1992d2d0ee1f1621dd6fc0452d26ffcb65c30a95f
SHA256c66dedc708c1ff94b16c46951570887f528e542bbb3e5574ba314fbb736a9cb4
SHA51215fb3eb080e91284709d759b9b051051f64f47850b2a108d7c8f9b334237a630573c5c96eaee2a70b635ce74eabeb46c53178f1986e985819140d8fe88b3f143
-
Filesize
71KB
MD561bc40d1fad9e0faa9a07219b90ba0e4
SHA15b5c3badedba915707000d2047eaf13f27b8925e
SHA25689e157a4f61d7d18180cb7f901c0095da3b7a5cc5a9fd58d710099e5f0ee505a
SHA512fa341aa975c471082b4b6c380f794d1e9ab3939382972cfb9e1dbb3491f68296ad1cedc8f03736921c8e133f62432997de29642e223c2a97f1cab5ce91d68af9
-
Filesize
9KB
MD5c10e04dd4ad4277d5adc951bb331c777
SHA1b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
SHA256e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
SHA512853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e
-
Filesize
5KB
MD59384f4007c492d4fa040924f31c00166
SHA1aba37faef30d7c445584c688a0b5638f5db31c7b
SHA25660a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5
SHA51268f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf
-
Filesize
11KB
MD5c17103ae9072a06da581dec998343fc1
SHA1b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
-
Filesize
4KB
MD57579ade7ae1747a31960a228ce02e666
SHA18ec8571a296737e819dcf86353a43fcf8ec63351
SHA256564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b
-
Filesize
5.0MB
MD599d2656e3599ba235242dc9763b3940b
SHA12ac901d260222eed2c8d7f1cdc92ae8d11b50c7b
SHA256bb14ef332f01f1db8ce7a225adc9fe5f6ee5c4a6ffd2038478065e270080abad
SHA512af8c8fd9e842ad21feb9da2c06637dc484927714a7c562f2916e1fe4f349bf2a12fd513e750440a02280ee773a8bcaf9df0f97dba5b8cbc7d81c521adee78ce3
-
Filesize
1.1MB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
4KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
1.1MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
1.1MB
-
Filesize
3.6MB
-
Filesize
1.1MB
-
Filesize
3.6MB
-
Filesize
3.6MB
