Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-12-2024 05:05

General

  • Target

    d0c9cde6f5ad0af2666aebad26e363b9_JaffaCakes118.exe

  • Size

    371KB

  • MD5

    d0c9cde6f5ad0af2666aebad26e363b9

  • SHA1

    799aa6bc3aa8bc4b97bd8360a2ff21db3c54c834

  • SHA256

    e709fbb8d14c11e567d5b6e82f9378a8eb9358fb5499f277acec2ac713932891

  • SHA512

    8a2558dc0c43cf5248d262aee5bb3f69a99670191f373e49d0f290130f67b0dc1dfeed4d2a01db963526102e875340ec12568f1b6ac291efa2157a6f8bd714b2

  • SSDEEP

    6144:LVZdkKATJe4CFfifD2gVKVTQQ249HZ52KTh9XKOCgLJacj5/AZtRsTo:L9bXgr8VMQDT52WXKq9fj5/AZjo

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Darkcomet family
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • UPX packed file 19 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 41 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d0c9cde6f5ad0af2666aebad26e363b9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d0c9cde6f5ad0af2666aebad26e363b9_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1048
    • C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Enumerates system info in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3464
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\SysWOW64\explorer.exe"
        3⤵
          PID:4636
        • C:\Program Files\Sys32\windupdt\svchîst.exe
          "C:\Program Files\Sys32\windupdt\svchîst.exe"
          3⤵
          • Checks BIOS information in registry
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2104
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\3a59a0f61dbd.gif
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1132
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1132 CREDAT:17410 /prefetch:2
          3⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:4048

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

      Filesize

      471B

      MD5

      043565b7c83bfd884eb1fde2e7ccdcc5

      SHA1

      1a3239dfa9752084ed7465130943c5d912df308d

      SHA256

      80a1700dd6e600a6b8fa4a0f2a118778c903d2966690103d7e582407fb447126

      SHA512

      1c987485aed7cbe03747cb28f035f799c78b48781991da89a09462e190b2aff3ec1eae0ba0c8a6be9cedde19387b4ed95394ca9d01dac24632aa48f8a3e22257

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

      Filesize

      404B

      MD5

      58eff8a90ac04eafb6cd7328ebac5980

      SHA1

      ab3a4e91abe1018dcc02d13d8b89ff072fba9c35

      SHA256

      e4375ccb05a05a4ee3aedf66b8e7b3531dcba9afa76bdb0455d7959516b9e415

      SHA512

      0f1096163ab33fd833617080862eb3919c77dd36f31d0398cb1a4f3ff0d9c305506512ea0c75ecb66c23b499dd20c652139c3743e099e3c88bb2c4542518cc54

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FQRZN8O7\suggestions[1].en-US

      Filesize

      17KB

      MD5

      5a34cb996293fde2cb7a4ac89587393a

      SHA1

      3c96c993500690d1a77873cd62bc639b3a10653f

      SHA256

      c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

      SHA512

      e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

    • C:\Users\Admin\AppData\Local\Temp\3a59a0f61dbd.gif

      Filesize

      3KB

      MD5

      80488340cdb819016bf9dc201c8827b6

      SHA1

      30937d432220406714d58a11872d8b6bd81046da

      SHA256

      74d5b991020a9003ef108e34192afac1d66b5d42a6f4653777508073edb26ad4

      SHA512

      7e299ce63eb83111e8987c9111dbb29ce8cab61fafb74d811ef1353367036db156d354ba7cf2e8ab6e923d74929812cddc74a93dc6863a304a1fb01bab77beac

    • C:\Users\Admin\AppData\Local\Temp\server.exe

      Filesize

      320KB

      MD5

      52a9e1572e9e1ab39e923b120e99a56e

      SHA1

      cc65aedab9a85fea2951ee8710a71df5efde1360

      SHA256

      76cee4187d7d27fbafce5515fe488c055861c226d0670e5097713d8343ebf86d

      SHA512

      7c29c3d99c112b1779adb133764e45de8b8afbedb6dbefe5eabb15a3f392e7953f44c945f1782003d74b2d891c173e585eed9ef0f560a3ec1d703e155774257b

    • memory/1048-21-0x0000000000400000-0x0000000000466000-memory.dmp

      Filesize

      408KB

    • memory/2104-86-0x0000000000400000-0x00000000004C5000-memory.dmp

      Filesize

      788KB

    • memory/2104-74-0x0000000000400000-0x00000000004C5000-memory.dmp

      Filesize

      788KB

    • memory/2104-58-0x0000000000400000-0x00000000004C5000-memory.dmp

      Filesize

      788KB

    • memory/2104-59-0x0000000000400000-0x00000000004C5000-memory.dmp

      Filesize

      788KB

    • memory/2104-92-0x0000000000400000-0x00000000004C5000-memory.dmp

      Filesize

      788KB

    • memory/2104-54-0x0000000000400000-0x00000000004C5000-memory.dmp

      Filesize

      788KB

    • memory/2104-69-0x0000000000400000-0x00000000004C5000-memory.dmp

      Filesize

      788KB

    • memory/2104-72-0x0000000000400000-0x00000000004C5000-memory.dmp

      Filesize

      788KB

    • memory/2104-73-0x0000000000400000-0x00000000004C5000-memory.dmp

      Filesize

      788KB

    • memory/2104-57-0x0000000000400000-0x00000000004C5000-memory.dmp

      Filesize

      788KB

    • memory/2104-91-0x0000000000400000-0x00000000004C5000-memory.dmp

      Filesize

      788KB

    • memory/2104-85-0x0000000000400000-0x00000000004C5000-memory.dmp

      Filesize

      788KB

    • memory/2104-90-0x0000000000400000-0x00000000004C5000-memory.dmp

      Filesize

      788KB

    • memory/2104-87-0x0000000000400000-0x00000000004C5000-memory.dmp

      Filesize

      788KB

    • memory/2104-88-0x0000000000400000-0x00000000004C5000-memory.dmp

      Filesize

      788KB

    • memory/2104-89-0x0000000000400000-0x00000000004C5000-memory.dmp

      Filesize

      788KB

    • memory/3464-9-0x0000000000400000-0x00000000004C5000-memory.dmp

      Filesize

      788KB

    • memory/3464-13-0x0000000000B40000-0x0000000000B41000-memory.dmp

      Filesize

      4KB

    • memory/3464-56-0x0000000000400000-0x00000000004C5000-memory.dmp

      Filesize

      788KB