Analysis

  • max time kernel: 150s
  • max time network: 149s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 07-12-2024 23:32

General

  • Target: d4285e886b4d81728de778b39b211e07_JaffaCakes118.exe
  • Size: 3.4MB
  • MD5: d4285e886b4d81728de778b39b211e07
  • SHA1: 7c9cfafda829af1f6bac158ade9b900441d84983
  • SHA256: 73f8e850ab930de45a313a06b622f999e810e6edce5e3eabc6baeb728b94cabc
  • SHA512: c1ca7f058c12348102efeec7e20177cafd71bc8b39bf10bfb084e1b2698b8a5af0ea56e2d9bb476b59ee29e0bce6bd7181ba41694f23a724c49e3978edcf501e
  • SSDEEP: 98304:/jduqnnua0zdqNQoJYVVI/vQ2iUP/lAyT3N3s:/jgqnnu1zdqN/+VaQ2Hl9zNc

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Darkcomet family
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops autorun.inf file 1 TTPs 12 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • NSIS installer 2 IoCs
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d4285e886b4d81728de778b39b211e07_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d4285e886b4d81728de778b39b211e07_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3292
    • C:\Users\Admin\AppData\Local\Temp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1408
    • C:\Users\Admin\AppData\Local\Temp\Output.exe
      "C:\Users\Admin\AppData\Local\Temp\Output.exe"
      2⤵
      • Executes dropped EXE
      • Drops autorun.inf file
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4048
      • C:\Users\Admin\AppData\Local\Temp\Output.exe
        "C:\Users\Admin\AppData\Local\Temp\Output.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Checks BIOS information in registry
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Enumerates system info in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3596
        • C:\Windows\SysWOW64\notepad.exe
          notepad
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:2156
        • C:\Windows\SysWOW64\explorer.exe
          "C:\Windows\SysWOW64\explorer.exe"
          4⤵
            PID:1440
          • C:\Users\Admin\AppData\Roaming\GoogleToolbar\GoogleUpdate.exe
            "C:\Users\Admin\AppData\Roaming\GoogleToolbar\GoogleUpdate.exe"
            4⤵
            • Executes dropped EXE
            • Drops autorun.inf file
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:772
            • C:\Users\Admin\AppData\Roaming\GoogleToolbar\GoogleUpdate.exe
              "C:\Users\Admin\AppData\Roaming\GoogleToolbar\GoogleUpdate.exe"
              5⤵
              • Checks BIOS information in registry
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Checks processor information in registry
              • Enumerates system info in registry
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1968
              • C:\Windows\SysWOW64\notepad.exe
                C:\Windows\SysWOW64\notepad.exe
                6⤵
                • System Location Discovery: System Language Discovery
                PID:1128

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Output.exe
      Filesize: 728KB
      MD5: 9c3dbd2ab74b4700c37db25700941c3d
      SHA1: f13b850a988924658f11b9b0a7b57f7b306edbcf
      SHA256: 72c34b37c51263fd1661f3597e1aeb3e6383c247a5aaf1ecbf2361d0c3f7adc8
      SHA512: 96e85901470e278d6e6d30bcc865b9710f98e6b3a17b7d824b92ed9fd8c1dddfc64bc5320247009f63646e511a067018a9f94bbadc5179caea33626c22eb24ea

    • C:\Users\Admin\AppData\Local\Temp\Setup.exe
      Filesize: 2.6MB
      MD5: 83d8747e88517d0b2caa0de6f51cdb0b
      SHA1: 0cd091f5b282e887e407950629c89fd808c9803c
      SHA256: 6ddbe7bc2b9b330973353729a49532d5bfc8325ab025ef0034feb5bb8650bc2c
      SHA512: ee5eea6538a4076d824f7d703b1ca16ff5da8128fd544234ff44489cc253dfbdc6762205a17cd87ff1b18e88fd7f38ee16b8c44f10cd406630e4c83ddf0915c7

    • C:\Users\Admin\AppData\Local\Temp\nsmB075.tmp\AdvSplash.dll
      Filesize: 6KB
      MD5: 13cc92f90a299f5b2b2f795d0d2e47dc
      SHA1: aa69ead8520876d232c6ed96021a4825e79f542f
      SHA256: eb1ca2b3a6e564c32677d0cdc388e26b74ef686e071d7dbca44d0bfa10488feb
      SHA512: ff4e6e6e7104568fc85ef3a3f0494a5c7822a4ceaf65c584ad534f08f9a472a8d86f0a62f1f86343c61e2540b2254714b7ea43e4b312ff13d8271ff069386fa3

    • C:\Users\Admin\AppData\Local\Temp\nsmB075.tmp\StartMenu.dll
      Filesize: 7KB
      MD5: a4173b381625f9f12aadb4e1cdaefdb8
      SHA1: cf1680c2bc970d5675adbf5e89292a97e6724713
      SHA256: 7755ff2707ca19344d489a5acec02d9e310425fa6e100d2f13025761676b875b
      SHA512: fcac79d42862da6bdd3ecad9d887a975cdff2301a8322f321be58f754a26b27077b452faa4751bbd09cd3371b4afce65255fbbb443e2c93dd2cba0ba652f4a82

    • F:\Autorun.inf
      Filesize: 35B
      MD5: 934aa9eb81516482c6367fb116ec9b1f
      SHA1: 1a97f913ef76ff83b1ba87c735b597b7b7564ae6
      SHA256: ecb5eb3c67cb390de6fca259684385d1b839f2fa9b96c3198eb5837ebb65c609
      SHA512: 608d4a3dffb258db8418197dbc28c5bd814ca15517b4a96e6b51a3f36da586379c724ba32f4d413cd9d155bcd47780964567860df7352f2c437de297ab30d118

    • memory/772-79-0x0000000010000000-0x0000000010008000-memory.dmp (Filesize: 32KB)
    • memory/772-80-0x0000000010000000-0x0000000010008000-memory.dmp (Filesize: 32KB)
    • memory/1128-89-0x0000000000F20000-0x0000000000F21000-memory.dmp (Filesize: 4KB)
    • memory/1968-88-0x0000000013140000-0x00000000131F7000-memory.dmp (Filesize: 732KB)
    • memory/1968-90-0x0000000013140000-0x00000000131F7000-memory.dmp (Filesize: 732KB)
    • memory/1968-92-0x0000000013140000-0x00000000131F7000-memory.dmp (Filesize: 732KB)
    • memory/1968-87-0x0000000013140000-0x00000000131F7000-memory.dmp (Filesize: 732KB)
    • memory/1968-91-0x0000000013140000-0x00000000131F7000-memory.dmp (Filesize: 732KB)
    • memory/2156-44-0x0000000000560000-0x0000000000561000-memory.dmp (Filesize: 4KB)
    • memory/3292-1-0x0000000010000000-0x0000000010008000-memory.dmp (Filesize: 32KB)
    • memory/3292-0-0x0000000010000000-0x0000000010008000-memory.dmp (Filesize: 32KB)
    • memory/3596-32-0x0000000013140000-0x00000000131F7000-memory.dmp (Filesize: 732KB)
    • memory/3596-78-0x0000000013140000-0x00000000131F7000-memory.dmp (Filesize: 732KB)
    • memory/3596-42-0x0000000013140000-0x00000000131F7000-memory.dmp (Filesize: 732KB)
    • memory/3596-41-0x0000000013140000-0x00000000131F7000-memory.dmp (Filesize: 732KB)
    • memory/3596-30-0x0000000013140000-0x00000000131F7000-memory.dmp (Filesize: 732KB)