Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-12-2024 05:05

General

  • Target

    d0c9cde6f5ad0af2666aebad26e363b9_JaffaCakes118.exe

  • Size

    371KB

  • MD5

    d0c9cde6f5ad0af2666aebad26e363b9

  • SHA1

    799aa6bc3aa8bc4b97bd8360a2ff21db3c54c834

  • SHA256

    e709fbb8d14c11e567d5b6e82f9378a8eb9358fb5499f277acec2ac713932891

  • SHA512

    8a2558dc0c43cf5248d262aee5bb3f69a99670191f373e49d0f290130f67b0dc1dfeed4d2a01db963526102e875340ec12568f1b6ac291efa2157a6f8bd714b2

  • SSDEEP

    6144:LVZdkKATJe4CFfifD2gVKVTQQ249HZ52KTh9XKOCgLJacj5/AZtRsTo:L9bXgr8VMQDT52WXKq9fj5/AZjo

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Darkcomet family
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • UPX packed file 19 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
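The "UPX packed file" signature above fires 19 times on this sample. The following is an added example of how such a check is usually implemented; it is not code from the sandbox or from the report. It walks the PE section table and looks for the UPX0/UPX1 section names, and, because modified UPX builds rename the sections, also for the structural tell: an empty first section (the decompression destination) followed by a high-entropy one. The PE images are constructed header-only stand-ins built in the code itself, not the analysed sample, and the 7.0 bits/byte entropy threshold is an assumption. High entropy alone also fires on encrypted or compressed resources, so treat the verdict as a triage signal rather than proof of packing.

```python
"""Added example (not from the sandbox report): how a 'UPX packed file' check works.
It looks for UPX0/UPX1 section names and, since modified UPX builds rename them,
for the structural tell of an empty first section followed by a high-entropy one.
The PE images below are constructed stand-ins, not the analysed sample."""
import math
import random
import struct
from collections import Counter
from typing import Dict, List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, close to 8.0 for compressed/encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> List[Tuple[str, bytes]]:
    """DOS header -> PE signature -> COFF header -> section table; returns (name, raw bytes)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        off = table + i * 40
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        sections.append((name, pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def upx_verdict(pe: bytes) -> Dict[str, object]:
    """Name-based and structure-based UPX checks; 'packed' is true if either fires."""
    sections = parse_sections(pe)
    names = [name for name, _ in sections]
    by_name = any(name.upper().startswith("UPX") for name in names)
    structural = (len(sections) >= 2
                  and len(sections[0][1]) == 0              # UPX0: no raw data on disk
                  and shannon_entropy(sections[1][1]) > 7.0)  # UPX1: compressed payload
    return {"sections": names, "upx_names": by_name, "structural": structural,
            "packed": by_name or structural}


def build_pe(sections: List[Tuple[bytes, bytes]]) -> bytes:
    """Assemble a minimal, non-runnable PE32 carrying the given (name, raw data) sections."""
    e_lfanew, opt_size = 0x40, 0xE0                # PE32 optional header, left zeroed
    ptr = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    table, body = b"", b""
    for name, data in sections:
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # relocation/line-number fields (unused), Characteristics (code|exec|read|write)
        table += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", max(len(data), 0x1000), 0x1000, len(data),
            ptr if data else 0, 0, 0, 0, 0, 0xE0000020)
        body += data
        ptr += len(data)
    return bytes(dos) + b"PE\0\0" + coff + b"\0" * opt_size + table + body


def sample_images() -> Dict[str, bytes]:
    """Constructed stand-ins: a UPX layout, the same layout with renamed sections, a plain one."""
    rng = random.Random(7)
    dense = bytes(rng.getrandbits(8) for _ in range(4096))  # stands in for compressed code
    plain = b"mov eax, 1; ret; " * 256                        # stands in for ordinary code
    return {
        "upx": build_pe([(b"UPX0", b""), (b"UPX1", dense), (b".rsrc", plain[:512])]),
        "renamed": build_pe([(b".text", b""), (b".data", dense), (b".rsrc", plain[:512])]),
        "clean": build_pe([(b".text", plain), (b".data", plain[:1024])]),
    }


if __name__ == "__main__":
    for label, image in sample_images().items():
        print(label, upx_verdict(image))
```

Running the block prints a verdict for each constructed image; the "renamed" case shows why the section-name check alone is not enough.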

Processes

  • C:\Users\Admin\AppData\Local\Temp\d0c9cde6f5ad0af2666aebad26e363b9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d0c9cde6f5ad0af2666aebad26e363b9_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1964
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\SysWOW64\explorer.exe"
        3⤵
          PID:2724
        • C:\Program Files\Sys32\windupdt\svchîst.exe
          "C:\Program Files\Sys32\windupdt\svchîst.exe"
          3⤵
          • Checks BIOS information in registry
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2952
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\3a59a0f61dbd.gif
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1528
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1528 CREDAT:275457 /prefetch:2
          3⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2844

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      e3a392347a05fd05e5b4ae8bf4c0a944

      SHA1

      dbce23e30c667e17bec757e9a514a8886c1f73f0

      SHA256

      b3b00aff6870f9ab6112b2993368d4bce52bb0330dd9d8a5de582b8e493b1f47

      SHA512

      3cdb8bcb70fd04b8f2a32686094319f78811bf95c688cba8a4ddf45b17b98b485b64e71ca643a7f8abe2a1b5645f437b98cc48624eb58ba8fbc9edad66eccd0a

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      b1d5d6606c87aeeb04e083334cf276a3

      SHA1

      4883587fb43e5d1b1fc5dedc0379c09728ed2619

      SHA256

      9f95c1b09fffaa0e9f86bc9c9551623f3809304eb8d6b7b77c6e300fc1514b6c

      SHA512

      b0845c3cb099bb93217e8b0c6c1fb78c4eeee43cfe4e0bdcf2cbeb784bc63b5c828cb559dbc4b8de7baf644035a5659f8074a72ae34a3053ad8d0a91a6eafd9d

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      a9ed6b38039dc0aae88ba56d4d599c59

      SHA1

      ec9faf564ad216fc07eea0bb3d9b006e7f4d386a

      SHA256

      2634bb3ca07b15fee9c5ce9409a1c544c6a09bb4432c5ed5dbe770c2a09fd417

      SHA512

      e366d6717b09a51ce0786a980ddef1ad9dc92d99f2314f48a250c1f3a681c793939c01cc8e80260c9485c3c793089abfd92c7593fd6cbc1ec1e7e28e144033a0

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      603ba40847ae59ed97f6c533c2af9d7f

      SHA1

      d0abd4318a0fde223d0700e34fbfe90d3278c575

      SHA256

      4fde60e86fece7c0bc12ed9ae7c129edade1f04df71a9e3e730e25a08c486452

      SHA512

      18aba028fd68cefbb0da2f20932fd8e1b1a847102f1213df7a56c8f5ce4919de2ab6c731e53f5bbfa8b5e9355640e005022f457d432e48d2f397b49bcc31d23a

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      6ada6a79a83ba773406cc4084edc7317

      SHA1

      1c76405ee9d10588a9d52a21ba61f8db206a235c

      SHA256

      eb629364bcecf6acb16aeda80100b4e433768d58a18e5a19da11083dabd3c741

      SHA512

      36404a04e18777add096b04e87488ce8c84c3a25d338db933811f8cae70a8dcc9c7de603993d6bc6e2f065d343027882d681d2ebbdcefc97e87d49c25b64c84b

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      01688e35f5c22998b605531d3961878f

      SHA1

      18ad0871481b5d64406dc387c781204016383351

      SHA256

      c72bd828583479efe007171ac9eb365f5daec220614c5b033d06152637075c3d

      SHA512

      0f2b5da25baa506464b21b101d351e707d85786e44adff602fd2a011b61ae5dfb6644423c75928283a80140fb8d501e773bfd9c0aa2e547d9f89a8d8a159d1ab

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      6f4b750bbce004ab08e8e9c71ed7ce35

      SHA1

      79f10a65e14497d72982f06d835264b0e9892e62

      SHA256

      a3e18afe5376806527f441881a07eba18c87049c8a926bcef80f52529cae5159

      SHA512

      d2aac5da02d9ac53ec8bafe6a908e2e7f80176fccc3ecc7ed32e4df362695c604f28a10b4774198ecbf91bcec65e8713b72ef724cc659d501b3e1f3a3d3fd302

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      15ea0d4b02c50a75177fbc11cc6d2587

      SHA1

      fa4b7918bdc16a026a3828c4b44cd186f613fc04

      SHA256

      1d93e287239fe3564fa54d33c9463ba4c0943dae369b8b1e30d61c4f049edba8

      SHA512

      106d67ef05476b885f749071676c6ae2a9f0ed9de4277bf03d4fc995c8017ace8ebe38749bc38622905977a0186b726e0035a3a772715138a45665481100edd5

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      2c2240debb8a8fc5ad2f9098655332b6

      SHA1

      26cd5146539b24075e13af08b1d68ff788c08285

      SHA256

      5821c4bee3765b4dcd8cd7c90419cffc3cae5d5a3bbba67af1007658fe28d62b

      SHA512

      3be5273a6b8480d7f44955a95771a56e1fd42edb087be32ff6518b3b1005bc7623962b0ecf81d8d66cf1b4b1c383b456109f7c0a6b0cbdf4166f0a9d92c8e87c

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      cf2a6ebdb92c51939ca5d11e4526a94e

      SHA1

      37fe0b7b40756fb43493cd167f676138a39c2ed5

      SHA256

      8cab7add61a3c7ec242640191b1778449bb1c92bd7376ebe63c5c0acfb9e98fd

      SHA512

      7a3976e9fe71b49360361632a42ad1efb34b0377c2394cf5b59a739d98bb9b9bcee048de3178fc7327bab05be379ca7f8f519a6a92a13fd86fc057db38717248

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      100d854d459a93c088bc956e605a9d76

      SHA1

      12e82b8b647c7b0d2b1d62e454e502e423bef992

      SHA256

      ad6001ece7ef4a913e4d1012b2e439b2f0f16f1ed9e1ac3a76cb88e93982a8c8

      SHA512

      e55b4130f7b0f2cc743e1d106fa89f02ee102265a2b91a6401033d54a7a9d8cf32a156a41721a7f89e55811a220d8a660fdac115dcbaa9013a73adcbc38cb890

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      3c5b94ce5e6db454a8c38f10605ca592

      SHA1

      439b3a3c77d5fd22998c97a20b8e4fe97b7c9d08

      SHA256

      5f0c32cd964997ebbd5f9bb269450f7803900a16783bac7460bd5e54cde09102

      SHA512

      96e99137e632226e538ff5a16975164f0443033d59f3a33f23e3b21ef74bfed80cbd8dc252bed48cab0c228a0bdf0f4a8a90980c6dc97a5081c003988722db01

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      e71a4f7625d5205a2a298a7b22eb304c

      SHA1

      ee8ff256ec3c6aa8c0ab32077ec1502ae028f573

      SHA256

      4a690e509d1bcafd13e185f23b9d4e4f4d189b9dc7c9c75f23eda8dc51bb937e

      SHA512

      ba633a96c7d50fc52382e6eab8fb958a7801ea1375078c70a66af150a7c5ee59441721d670e3fb2ee49cc4972ea232e0f7a40511561b396e49d55c6268beb143

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      1b83414c7d0fc9759300ee77f9308a45

      SHA1

      ceae0d78af0c615ada08d3474af4960be9a75a18

      SHA256

      84cefda823aeae62c48f36beb8bef478ca7962fd74965a4b8ccc07de70067bad

      SHA512

      3852a55097020b6cc60c7a2efc9e48f6450835c29af85ef5a4c3b7625b33b1f425d5f685f7d3fa23b955184aca32b76bf7c786931fd20698dbe96d3d22f45177

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      6a5c8069a86495594fcbb5f6ba891e8d

      SHA1

      5e1f4267ea8d291c7fd761b3920e7057e9f25a69

      SHA256

      c72d091e79cbd78609c6834f8b172a3fd0fe84b4ded3e9bcd5a55eea98317c07

      SHA512

      7daa92ae38cd83446d12b06a202f8b14c406458e4e61c5af863f9c9b7355e79b256a217010598fee2e328840275196b1b25dd26940367053ceafdf361deb8a79

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      5e1c2d1f5ec4a6a6adf06628088aabbc

      SHA1

      846507b6bd1f23e125af459a7752f1a7ffd3985a

      SHA256

      a68545bcb9c7aeac984eca1fb627d6bb8f7a79d5935800140a28d9d5a4a6496f

      SHA512

      b5d055f7d27bae4a5baf2227df9edecfd8d73752b32bcb0694d55f260bfc89f6a28792f48295cc70f115246f721efadb60cced2da99dd3571b860b620bcd7d9a

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      67e3df9b7045db772268cb11f2c526ef

      SHA1

      7706f996d36fdf301ca0849ce3462120ea7c94c5

      SHA256

      6529f8c1dff25936fed4679c9f146991e6887ec3d9b073f7369bc8002bfc4e04

      SHA512

      41fbd6ccf568ef207eee67672b302b8a249b5dd7b4c22302bcafa8a6e6e25f2d916d27a09d81b3d8e24e5e4d4f05cadc16c95924c5debfbf2a008f3ada7e6d81

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      acb79a208e5f097f0ae2280af9bb0e39

      SHA1

      d8872622bb6c5e786d0445c06fc39888c0075095

      SHA256

      decb1a259d8398ea23bca753c9c8db273f5d9bea7022f829f19e12aa2bb8ed38

      SHA512

      8db6786ba64451457a42f85eb175da6be03a7c06f41fad39c8c5d1577834f1e45f5d4b3c3c4bc27e277878623ccc4b08a615972bd1d53291864f85301398f4de

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      9b818ab7259baa50ccc18a9f1fb32096

      SHA1

      3591c5935831f863b369498a0e11a220bba22245

      SHA256

      239a7e3c6decf7fd99fa2a7467ba2bdb878595f04e351b6aeff20baec556e79d

      SHA512

      c241341ddd15e501795745c90a857543b3c25a1d3ce4ef73a86f629908ec12942ecdde7f31db6bd61c5dcd147fddddcc40e3086ab3b109553302fcd907b53ea1

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      7adc5c9072ba5748bc0185f66f9b6430

      SHA1

      7da0f609e3884f263212168d1802da99318bb7fc

      SHA256

      e74122d394b5768adea9739831e456f3a02a33c7d8cff2d508c7d5300fb5ba21

      SHA512

      608dedc5dff25bd1235d64837fd6b024f8d86a773a79e5b06e82349ab4e0afb3eb752d3ed4e92ebc348a50f90611d8319aab4d6d7263de2b5821b459b014c0a2

    • C:\Users\Admin\AppData\Local\Temp\3a59a0f61dbd.gif

      Filesize

      3KB

      MD5

      80488340cdb819016bf9dc201c8827b6

      SHA1

      30937d432220406714d58a11872d8b6bd81046da

      SHA256

      74d5b991020a9003ef108e34192afac1d66b5d42a6f4653777508073edb26ad4

      SHA512

      7e299ce63eb83111e8987c9111dbb29ce8cab61fafb74d811ef1353367036db156d354ba7cf2e8ab6e923d74929812cddc74a93dc6863a304a1fb01bab77beac

    • C:\Users\Admin\AppData\Local\Temp\CabBF99.tmp

      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    • C:\Users\Admin\AppData\Local\Temp\TarC02A.tmp

      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    • C:\Users\Admin\AppData\Local\Temp\server.exe

      Filesize

      320KB

      MD5

      52a9e1572e9e1ab39e923b120e99a56e

      SHA1

      cc65aedab9a85fea2951ee8710a71df5efde1360

      SHA256

      76cee4187d7d27fbafce5515fe488c055861c226d0670e5097713d8343ebf86d

      SHA512

      7c29c3d99c112b1779adb133764e45de8b8afbedb6dbefe5eabb15a3f392e7953f44c945f1782003d74b2d891c173e585eed9ef0f560a3ec1d703e155774257b

    • memory/1964-33-0x0000000000400000-0x00000000004C5000-memory.dmp

      Filesize

      788KB

    • memory/1964-30-0x0000000003F00000-0x0000000003FC5000-memory.dmp

      Filesize

      788KB

    • memory/1964-16-0x0000000000400000-0x00000000004C5000-memory.dmp

      Filesize

      788KB

    • memory/2952-465-0x0000000000400000-0x00000000004C5000-memory.dmp

      Filesize

      788KB

    • memory/2952-463-0x0000000000400000-0x00000000004C5000-memory.dmp

      Filesize

      788KB

    • memory/2952-909-0x0000000000400000-0x00000000004C5000-memory.dmp

      Filesize

      788KB

    • memory/2952-908-0x0000000000400000-0x00000000004C5000-memory.dmp

      Filesize

      788KB

    • memory/2952-469-0x0000000000400000-0x00000000004C5000-memory.dmp

      Filesize

      788KB

    • memory/2952-467-0x0000000000400000-0x00000000004C5000-memory.dmp

      Filesize

      788KB

    • memory/2952-907-0x0000000000400000-0x00000000004C5000-memory.dmp

      Filesize

      788KB

    • memory/2952-466-0x0000000000400000-0x00000000004C5000-memory.dmp

      Filesize

      788KB

    • memory/2952-464-0x0000000000400000-0x00000000004C5000-memory.dmp

      Filesize

      788KB

    • memory/2952-31-0x0000000000400000-0x00000000004C5000-memory.dmp

      Filesize

      788KB

    • memory/2952-390-0x0000000000400000-0x00000000004C5000-memory.dmp

      Filesize

      788KB

    • memory/2952-902-0x0000000000400000-0x00000000004C5000-memory.dmp

      Filesize

      788KB

    • memory/2952-903-0x0000000000400000-0x00000000004C5000-memory.dmp

      Filesize

      788KB

    • memory/2952-904-0x0000000000400000-0x00000000004C5000-memory.dmp

      Filesize

      788KB

    • memory/2952-905-0x0000000000400000-0x00000000004C5000-memory.dmp

      Filesize

      788KB

    • memory/2952-906-0x0000000000400000-0x00000000004C5000-memory.dmp

      Filesize

      788KB

    • memory/3068-13-0x0000000002CB0000-0x0000000002D75000-memory.dmp

      Filesize

      788KB

    • memory/3068-15-0x0000000002CB0000-0x0000000002D75000-memory.dmp

      Filesize

      788KB

    • memory/3068-14-0x0000000000400000-0x0000000000466000-memory.dmp

      Filesize

      408KB