Analysis

  • max time kernel
    149s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-12-2024 23:32

General

  • Target: d4285e886b4d81728de778b39b211e07_JaffaCakes118.exe
  • Size: 3.4MB
  • MD5: d4285e886b4d81728de778b39b211e07
  • SHA1: 7c9cfafda829af1f6bac158ade9b900441d84983
  • SHA256: 73f8e850ab930de45a313a06b622f999e810e6edce5e3eabc6baeb728b94cabc
  • SHA512: c1ca7f058c12348102efeec7e20177cafd71bc8b39bf10bfb084e1b2698b8a5af0ea56e2d9bb476b59ee29e0bce6bd7181ba41694f23a724c49e3978edcf501e
  • SSDEEP: 98304:/jduqnnua0zdqNQoJYVVI/vQ2iUP/lAyT3N3s:/jgqnnu1zdqN/+VaQ2Hl9zNc

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Darkcomet family
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 3 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 22 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops autorun.inf file 1 TTPs 18 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • NSIS installer 2 IoCs
  • Checks processor information in registry 2 TTPs 12 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d4285e886b4d81728de778b39b211e07_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d4285e886b4d81728de778b39b211e07_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3052
    • C:\Users\Admin\AppData\Local\Temp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      PID:2420
    • C:\Users\Admin\AppData\Local\Temp\Output.exe
      "C:\Users\Admin\AppData\Local\Temp\Output.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops autorun.inf file
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1856
      • C:\Users\Admin\AppData\Local\Temp\Output.exe
        "C:\Users\Admin\AppData\Local\Temp\Output.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2628
        • C:\Windows\SysWOW64\notepad.exe
          notepad
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:2860
        • C:\Windows\SysWOW64\explorer.exe
          "C:\Windows\SysWOW64\explorer.exe"
          4⤵
          • Drops autorun.inf file
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          PID:2548
          • C:\Windows\SysWOW64\explorer.exe
            "C:\Windows\SysWOW64\explorer.exe"
            5⤵
            • Checks BIOS information in registry
            • System Location Discovery: System Language Discovery
            • Checks processor information in registry
            • Enumerates system info in registry
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:1412
            • C:\Windows\SysWOW64\notepad.exe
              C:\Windows\SysWOW64\notepad.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1364
        • C:\Users\Admin\AppData\Roaming\GoogleToolbar\GoogleUpdate.exe
          "C:\Users\Admin\AppData\Roaming\GoogleToolbar\GoogleUpdate.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops autorun.inf file
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          PID:1012
          • C:\Users\Admin\AppData\Roaming\GoogleToolbar\GoogleUpdate.exe
            "C:\Users\Admin\AppData\Roaming\GoogleToolbar\GoogleUpdate.exe"
            5⤵
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Checks processor information in registry
            • Enumerates system info in registry
            • Suspicious use of AdjustPrivilegeToken
            PID:1568

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Autorun.inf
    Filesize: 35B
    MD5: 934aa9eb81516482c6367fb116ec9b1f
    SHA1: 1a97f913ef76ff83b1ba87c735b597b7b7564ae6
    SHA256: ecb5eb3c67cb390de6fca259684385d1b839f2fa9b96c3198eb5837ebb65c609
    SHA512: 608d4a3dffb258db8418197dbc28c5bd814ca15517b4a96e6b51a3f36da586379c724ba32f4d413cd9d155bcd47780964567860df7352f2c437de297ab30d118

  • \Users\Admin\AppData\Local\Temp\Output.exe
    Filesize: 728KB
    MD5: 9c3dbd2ab74b4700c37db25700941c3d
    SHA1: f13b850a988924658f11b9b0a7b57f7b306edbcf
    SHA256: 72c34b37c51263fd1661f3597e1aeb3e6383c247a5aaf1ecbf2361d0c3f7adc8
    SHA512: 96e85901470e278d6e6d30bcc865b9710f98e6b3a17b7d824b92ed9fd8c1dddfc64bc5320247009f63646e511a067018a9f94bbadc5179caea33626c22eb24ea

  • \Users\Admin\AppData\Local\Temp\Setup.exe
    Filesize: 2.6MB
    MD5: 83d8747e88517d0b2caa0de6f51cdb0b
    SHA1: 0cd091f5b282e887e407950629c89fd808c9803c
    SHA256: 6ddbe7bc2b9b330973353729a49532d5bfc8325ab025ef0034feb5bb8650bc2c
    SHA512: ee5eea6538a4076d824f7d703b1ca16ff5da8128fd544234ff44489cc253dfbdc6762205a17cd87ff1b18e88fd7f38ee16b8c44f10cd406630e4c83ddf0915c7

  • \Users\Admin\AppData\Local\Temp\nsjB9EE.tmp\AdvSplash.dll
    Filesize: 6KB
    MD5: 13cc92f90a299f5b2b2f795d0d2e47dc
    SHA1: aa69ead8520876d232c6ed96021a4825e79f542f
    SHA256: eb1ca2b3a6e564c32677d0cdc388e26b74ef686e071d7dbca44d0bfa10488feb
    SHA512: ff4e6e6e7104568fc85ef3a3f0494a5c7822a4ceaf65c584ad534f08f9a472a8d86f0a62f1f86343c61e2540b2254714b7ea43e4b312ff13d8271ff069386fa3

  • \Users\Admin\AppData\Local\Temp\nsjB9EE.tmp\StartMenu.dll
    Filesize: 7KB
    MD5: a4173b381625f9f12aadb4e1cdaefdb8
    SHA1: cf1680c2bc970d5675adbf5e89292a97e6724713
    SHA256: 7755ff2707ca19344d489a5acec02d9e310425fa6e100d2f13025761676b875b
    SHA512: fcac79d42862da6bdd3ecad9d887a975cdff2301a8322f321be58f754a26b27077b452faa4751bbd09cd3371b4afce65255fbbb443e2c93dd2cba0ba652f4a82

  • memory/2628-46-0x0000000013140000-0x00000000131F7000-memory.dmp
    Filesize: 732KB
  • memory/2628-42-0x0000000013140000-0x00000000131F7000-memory.dmp
    Filesize: 732KB
  • memory/2628-51-0x0000000013140000-0x00000000131F7000-memory.dmp
    Filesize: 732KB
  • memory/2628-50-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize: 4KB
  • memory/2628-49-0x0000000013140000-0x00000000131F7000-memory.dmp
    Filesize: 732KB
  • memory/2628-34-0x0000000013140000-0x00000000131F7000-memory.dmp
    Filesize: 732KB
  • memory/2628-44-0x0000000013140000-0x00000000131F7000-memory.dmp
    Filesize: 732KB
  • memory/2628-40-0x0000000013140000-0x00000000131F7000-memory.dmp
    Filesize: 732KB
  • memory/2628-66-0x0000000013140000-0x00000000131F7000-memory.dmp
    Filesize: 732KB
  • memory/2628-61-0x0000000013140000-0x00000000131F7000-memory.dmp
    Filesize: 732KB
  • memory/2628-38-0x0000000013140000-0x00000000131F7000-memory.dmp
    Filesize: 732KB
  • memory/2628-36-0x0000000013140000-0x00000000131F7000-memory.dmp
    Filesize: 732KB
  • memory/2860-68-0x0000000000090000-0x0000000000091000-memory.dmp
    Filesize: 4KB
  • memory/3052-0-0x0000000010000000-0x0000000010008000-memory.dmp
    Filesize: 32KB
  • memory/3052-1-0x0000000010000000-0x0000000010008000-memory.dmp
    Filesize: 32KB