Analysis

  • max time kernel
    91s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08-12-2024 13:26

General

  • Target

    d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe

  • Size

    1.2MB

  • MD5

    d7456007a18e3ef753d878fd4b609738

  • SHA1

    81943936080b6eee006281d7bb00a4ba071758ba

  • SHA256

    32bf0fadc0f91e74293232f370828869df6ba1c1ce27473874eb67451bddd696

  • SHA512

    d8ba24c51e57ce0cc8dadd97beb9c3edbd0cc001ace33a46b43992bd63c688f92bdb7c553c5b2b70ee647874cfc2bded0ea75649eb4d324f980f8dd589dd8666

  • SSDEEP

    24576:Rg8fQRCIOE7SUI0Pz1Xd8wENGS7H/GTf3tj4aZBbIUpbT:+yQRLOQ7p5Xd8weJ/Ulj4aZFIUpv

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Darkcomet family
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 4 IoCs
  • Blocks application from running via registry modification 2 IoCs

    Adds application to list of disallowed applications.

  • Disables RegEdit via registry modification 1 IoCs
  • Drops file in Drivers directory 2 IoCs
  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe"
    1⤵
    • UAC bypass
    • Blocks application from running via registry modification
    • Drops file in Drivers directory
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3464
    • C:\Windows\SysWOW64\Netsh.exe
      "Netsh" Advfirewall set Currentprofile State off
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:1116
    • C:\Users\Admin\AppData\Local\Temp\d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\d7456007a18e3ef753d878fd4b609738_JaffaCakes118.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Checks BIOS information in registry
      • Checks computer location settings
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Enumerates system info in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3488
      • C:\Windows\SysWOW64\Windupdt32\windowsxupdate.exe
        "C:\Windows\system32\Windupdt32\windowsxupdate.exe"
        3⤵
        • UAC bypass
        • Blocks application from running via registry modification
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:4016
        • C:\Windows\SysWOW64\Windupdt32\windowsxupdate.exe
          "C:\Windows\SysWOW64\Windupdt32\windowsxupdate.exe"
          4⤵
          PID:884
          • C:\Windows\SysWOW64\Netsh.exe
            "Netsh" Advfirewall set Currentprofile State off
            4⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            PID:748

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Windows\SysWOW64\Windupdt32\windowsxupdate.exe

      Filesize

      1.2MB

      MD5

      d7456007a18e3ef753d878fd4b609738

      SHA1

      81943936080b6eee006281d7bb00a4ba071758ba

      SHA256

      32bf0fadc0f91e74293232f370828869df6ba1c1ce27473874eb67451bddd696

      SHA512

      d8ba24c51e57ce0cc8dadd97beb9c3edbd0cc001ace33a46b43992bd63c688f92bdb7c553c5b2b70ee647874cfc2bded0ea75649eb4d324f980f8dd589dd8666

    • C:\Windows\system32\drivers\etc\hosts

      Filesize

      292B

      MD5

      419ee5be7f8b23452255119dfd809a59

      SHA1

      f58ad3700e3c4e7ca58e33c2e7bc72ff4aeca49b

      SHA256

      8cc549a22b58d9839c478c973f137509381ee6d01a06f00c5d0ee5ccb5943f2c

      SHA512

      704e84b674004b7dc65501006383c8fd7d139953de0cf60bec2aa207107b44b64305463f118c87020966bd3575d002fd0a5e22905915c66af0a8d66dc7131c18

    • memory/3464-10-0x0000000074740000-0x0000000074CF1000-memory.dmp

      Filesize

      5.7MB

    • memory/3464-1-0x0000000074740000-0x0000000074CF1000-memory.dmp

      Filesize

      5.7MB

    • memory/3464-2-0x0000000074740000-0x0000000074CF1000-memory.dmp

      Filesize

      5.7MB

    • memory/3464-3-0x0000000074740000-0x0000000074CF1000-memory.dmp

      Filesize

      5.7MB

    • memory/3464-0-0x0000000074742000-0x0000000074743000-memory.dmp

      Filesize

      4KB

    • memory/3488-11-0x0000000000400000-0x00000000004C8000-memory.dmp

      Filesize

      800KB

    • memory/3488-12-0x0000000000400000-0x00000000004C8000-memory.dmp

      Filesize

      800KB

    • memory/3488-13-0x0000000000400000-0x00000000004C8000-memory.dmp

      Filesize

      800KB

    • memory/3488-17-0x0000000002CB0000-0x0000000002CB1000-memory.dmp

      Filesize

      4KB

    • memory/3488-5-0x0000000000400000-0x00000000004C8000-memory.dmp

      Filesize

      800KB

    • memory/3488-76-0x0000000000400000-0x00000000004C8000-memory.dmp

      Filesize

      800KB

    • memory/3488-6-0x0000000000400000-0x00000000004C8000-memory.dmp

      Filesize

      800KB