Overview

overview

10

Static

static

3

d00c318220...18.exe

windows7-x64

10

d00c318220...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    07-12-2024 01:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d00c31822087142a7addaf6051bd0812_JaffaCakes118.exe

  • Size

    449KB

  • MD5

    d00c31822087142a7addaf6051bd0812

  • SHA1

    c02363c122ea1a2dc1a6a48037ec7d06f3908caf

  • SHA256

    0eb05ea65682f093007fd38a0bfa99b66a3a059b54dbb8a1ce4bae7c0d890059

  • SHA512

    86152091d1df0a12c906a5f4cdb9e1e1d8f8762ec77fc4136fffadc338d0f6d5009d7c9da317cba62f161d928c61d26d155e1a1ee53ca9fb598a457743e157b6

  • SSDEEP

    12288:pVTHy8bZiuDS925JNwbdM9VQasIwe3/Sckv9Yf:phtbgr925J2baQahVMFYf

Score
10/10
darkcometdiscoverypersistencerattrojan

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Darkcomet family
    darkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d00c31822087142a7addaf6051bd0812_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d00c31822087142a7addaf6051bd0812_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2072
    • C:\Users\Admin\AppData\Local\Temp\splash.exe
      "C:\Users\Admin\AppData\Local\Temp\splash.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3052
      • C:\Users\Admin\AppData\Roaming\Windupdt\winupdate.exe
        "C:\Users\Admin\AppData\Roaming\Windupdt\winupdate.exe"
        3⤵
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:2744
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2988

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\foto.jpg
    Filesize

    6KB

    MD5

    cc40dfa4892e5116c0ea78bd0b266bc4

    SHA1

    ad81d4c91c742573c1c4f585435b8031690b7d71

    SHA256

    a6125385fc637aafa30d1dedd0ae955bb0b877a6476474c5f152b01d0e70b906

    SHA512

    a7ca6e8699b8e193eadbf27331133548e5eb3201f90733e67164abc88c52915c8d1c9f426cde1301a883b98b85ff38006515cbcd8f22e46847bc37ad211be6b6

    Download Submit

  • \Users\Admin\AppData\Local\Temp\splash.exe
    Filesize

    276KB

    MD5

    8ba1a492c6bf52df90cd908fbaca88ba

    SHA1

    3df03cf51ed0f09dabb77ed8dda9be7c687d6e7f

    SHA256

    b81048c7c949e1f453f20ab5d0d58cafa48b98b91d2f7a4ee92aff4af655eeab

    SHA512

    70053dd61676672ec49602d74ee82e0b6f01e2f024015a3618c516a36efeddd71f6a1827715dd1fdd3c0f307a4f528570d4d63571de0d10e664f71e96428107b

    Download Submit

  • memory/2072-14-0x0000000002B20000-0x0000000002B22000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2744-36-0x0000000000400000-0x00000000004CAE40-memory.dmp

    Filesize

    811KB

    Download

  • memory/2744-34-0x0000000000400000-0x00000000004CAE40-memory.dmp

    Filesize

    811KB

    Download

  • memory/2744-29-0x0000000000400000-0x00000000004CAE40-memory.dmp

    Filesize

    811KB

    Download

  • memory/2744-30-0x0000000000400000-0x00000000004CAE40-memory.dmp

    Filesize

    811KB

    Download

  • memory/2744-31-0x0000000000400000-0x00000000004CAE40-memory.dmp

    Filesize

    811KB

    Download

  • memory/2744-32-0x0000000000400000-0x00000000004CAE40-memory.dmp

    Filesize

    811KB

    Download

  • memory/2744-33-0x0000000000400000-0x00000000004CAE40-memory.dmp

    Filesize

    811KB

    Download

  • memory/2744-42-0x0000000000400000-0x00000000004CAE40-memory.dmp

    Filesize

    811KB

    Download

  • memory/2744-35-0x0000000000400000-0x00000000004CAE40-memory.dmp

    Filesize

    811KB

    Download

  • memory/2744-41-0x0000000000400000-0x00000000004CAE40-memory.dmp

    Filesize

    811KB

    Download

  • memory/2744-37-0x0000000000400000-0x00000000004CAE40-memory.dmp

    Filesize

    811KB

    Download

  • memory/2744-38-0x0000000000400000-0x00000000004CAE40-memory.dmp

    Filesize

    811KB

    Download

  • memory/2744-39-0x0000000000400000-0x00000000004CAE40-memory.dmp

    Filesize

    811KB

    Download

  • memory/2744-40-0x0000000000400000-0x00000000004CAE40-memory.dmp

    Filesize

    811KB

    Download

  • memory/2988-15-0x0000000000460000-0x0000000000462000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3052-24-0x0000000000400000-0x00000000004CAE40-memory.dmp

    Filesize

    811KB

    Download