Analysis

  • max time kernel
    121s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-12-2024 03:33

General

  • Target

    d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe

  • Size

    911KB

  • MD5

    d07687c1ad211e9b05d1fddf8a093cab

  • SHA1

    c5f0ad91e998d41e79b6e54a9f868c641076007e

  • SHA256

    bf45dedf03288636a2674b70d3fd42ee69cdcdfb4c7351e7ef972fb41465a90f

  • SHA512

    5287164700a1676bcdf69536a94707d370487956fc1aeb9c47a81d0b8ce590708419d8d87940a564190264b561fb4757bd941f2e7f271514176dbccdc55cded6

  • SSDEEP

    24576:Qg3UqSjMikbvWd88NatBgCbEuo276MKsQ31dW:UqSjNi+bsfVbEuo27+j31dW

Score
10/10

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Darkcomet family
  • Suspicious use of SetThreadContext 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2432
    • C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
      2⤵
        PID:2700
      • C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
        C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2756
        • C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
          C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
          3⤵
            PID:2712
          • C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
            C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2404
            • C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
              C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
              4⤵
                PID:2608
              • C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                4⤵
                • Suspicious use of SetThreadContext
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2624
                • C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                  C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                  5⤵
                    PID:1680
                  • C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                    C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                    5⤵
                    • Suspicious use of SetThreadContext
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:536
                    • C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                      C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                      6⤵
                        PID:576
                      • C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                        C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                        6⤵
                        • Suspicious use of SetThreadContext
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2856
                        • C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                          C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                          7⤵
                            PID:2536
                          • C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                            C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                            7⤵
                            • Suspicious use of SetThreadContext
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2452
                            • C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                              C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                              8⤵
                                PID:1940
                              • C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                8⤵
                                • Suspicious use of SetThreadContext
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2872
                                • C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                  C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                  9⤵
                                    PID:1800
                                  • C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                    C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                    9⤵
                                    • Suspicious use of SetThreadContext
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2612
                                    • C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                      C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                      10⤵
                                        PID:1856
                                      • C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                        C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                        10⤵
                                        • Suspicious use of SetThreadContext
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:1612
                                        • C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                          C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                          11⤵
                                            PID:2384
                                          • C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                            C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                            11⤵
                                            • Suspicious use of SetThreadContext
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:1996
                                            • C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                              C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                              12⤵
                                                PID:3048
                                              • C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                                C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                                12⤵
                                                • Suspicious use of SetThreadContext
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:1164
                                                • C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                                  C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                                  13⤵
                                                    PID:672
                                                  • C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                                    C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                                    13⤵
                                                    • Suspicious use of SetThreadContext
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:2036
                                                    • C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                                      C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                                      14⤵
                                                        PID:1548
                                                      • C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                                        C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                                        14⤵
                                                        • Suspicious use of SetThreadContext
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:444
                                                        • C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                                          C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                                          15⤵
                                                            PID:1932
                                                          • C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                                            C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                                            15⤵
                                                            • Suspicious use of SetThreadContext
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:2508
                                                            • C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                                              C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                                              16⤵
                                                                PID:1392
                                                              • C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                                                C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                                                16⤵
                                                                • Suspicious use of SetThreadContext
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:1552
                                                                • C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                                                  C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                                                  17⤵
                                                                    PID:916
                                                                  • C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                                                    C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                                                    17⤵
                                                                    • Suspicious use of SetThreadContext
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:952
                                                                    • C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                                                      C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                                                      18⤵
                                                                        PID:1760
                                                                      • C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                                                        C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                                                        18⤵
                                                                        • Suspicious use of SetThreadContext
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:2380
                                                                        • C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                                                          C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                                                          19⤵
                                                                            PID:2312
                                                                          • C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                                                            C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                                                            19⤵
                                                                            • Suspicious use of SetThreadContext
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:1804
                                                                            • C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                                                              C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                                                              20⤵
                                                                                PID:1604
                                                                              • C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                                                                C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                                                                20⤵
                                                                                • Suspicious use of SetThreadContext
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:1712
                                                                                • C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                                                                  C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                                                                  21⤵
                                                                                    PID:2808
                                                                                  • C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                                                                    C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                                                                    21⤵
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:3064
                                                                                    • C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                                                                      C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                                                                      22⤵
                                                                                        PID:2572
                                                                                      • C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                                                                        C:\Users\Admin\AppData\Local\Temp\d07687c1ad211e9b05d1fddf8a093cab_JaffaCakes118.exe
                                                                                        22⤵
                                                                                          PID:2716

Network

MITRE ATT&CK Matrix

Downloads

  • memory/2404-50-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp (Filesize: 9.6MB)
  • memory/2404-40-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp (Filesize: 9.6MB)
  • memory/2432-0-0x000007FEF565E000-0x000007FEF565F000-memory.dmp (Filesize: 4KB)
  • memory/2432-1-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp (Filesize: 9.6MB)
  • memory/2432-2-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp (Filesize: 9.6MB)
  • memory/2432-3-0x00000000004F0000-0x00000000004F8000-memory.dmp (Filesize: 32KB)
  • memory/2432-4-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp (Filesize: 9.6MB)
  • memory/2432-22-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp (Filesize: 9.6MB)
  • memory/2756-11-0x0000000000400000-0x00000000004CD000-memory.dmp (Filesize: 820KB)
  • memory/2756-19-0x0000000000400000-0x00000000004CD000-memory.dmp (Filesize: 820KB)
  • memory/2756-17-0x0000000000400000-0x00000000004CD000-memory.dmp (Filesize: 820KB)
  • memory/2756-15-0x0000000000400000-0x00000000004CD000-memory.dmp (Filesize: 820KB)
  • memory/2756-13-0x0000000000400000-0x00000000004CD000-memory.dmp (Filesize: 820KB)
  • memory/2756-9-0x0000000000400000-0x00000000004CD000-memory.dmp (Filesize: 820KB)
  • memory/2756-21-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp (Filesize: 9.6MB)
  • memory/2756-23-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp (Filesize: 9.6MB)
  • memory/2756-7-0x0000000000400000-0x00000000004CD000-memory.dmp (Filesize: 820KB)
  • memory/2756-41-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp (Filesize: 9.6MB)
  • memory/2756-5-0x0000000000400000-0x00000000004CD000-memory.dmp (Filesize: 820KB)