Analysis

  • max time kernel: 149s
  • max time network: 143s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 09-12-2024 10:44

General

  • Target: d9388137a0f9300f73f8df37ad58c0a0_JaffaCakes118.exe
  • Size: 1.0MB
  • MD5: d9388137a0f9300f73f8df37ad58c0a0
  • SHA1: 7b8d85b70c5c5be9c112f4806df8c28e28a76fd5
  • SHA256: 547956561b1714de667c3ec27fc147b26cff8cc8e7b7d44b8b8c2dd5330d00f5
  • SHA512: aea1bb6d89da9bdbebd654e665c21903c54d80334e929ac0b6be4b25c60f5b4a45987c857e93fcf478ee6f4f4a82d7583541e0df0679d06d6cdc6d5dbfa0eeb8
  • SSDEEP: 12288:QB8gZtTfGQ6jrHPGB6qUYRUDUXNCiVu/wjE1ymyoTfgsCwpqIWHvY4/b2XyvUOvp:QCfe9MjeBjE7swkTy67Os5jgZY3HYTa

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Darkcomet family
  • Drops startup file (2 IoCs)
  • Executes dropped EXE (1 IoC)
  • Suspicious use of SetThreadContext (1 IoC)
  • Program crash (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (26 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\d9388137a0f9300f73f8df37ad58c0a0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d9388137a0f9300f73f8df37ad58c0a0_JaffaCakes118.exe"
    PID:3668
    • Drops startup file
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rzjotwqn.cmdline"
      PID:1028
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8F60.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8F5F.tmp"
        PID:4436
        • System Location Discovery: System Language Discovery
    • C:\Users\Admin\AppData\Roaming\ctfmon.exe
      C:\Users\Admin\AppData\Roaming\ctfmon.exe
      PID:4488
      • Executes dropped EXE
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 12
        PID:3928
        • Program crash
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jsme5xwh.cmdline"
      PID:2944
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES900C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC900B.tmp"
        PID:5036
        • System Location Discovery: System Language Discovery
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4488 -ip 4488
    PID:880

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES8F60.tmp
    Filesize: 1KB
    MD5: eab39a89556ff7cad4b579234d04cd40
    SHA1: 2b680792527aa22402d652941586987e59568b24
    SHA256: 058c0ad8455b178eb5410df97e5d3c376dde1f59a344a994cd807c3ef890785c
    SHA512: f0d4e94aee99814f2243f093fb6da0ff87d628f8234a6286c27786c9a3208bd87b7bfb9a9097461c29b7332463ddfeaf3535d8f274057124f36aac82d91945f6

  • C:\Users\Admin\AppData\Local\Temp\RES900C.tmp
    Filesize: 1KB
    MD5: 15e06611762f37c5e86c88d63ada6690
    SHA1: 036b5591e25ee7cfbd779dc0b51acc9a12ae25c0
    SHA256: 2500cdcc77a4658dc41b36ba800e57cd88820b1c973010f9107bab3e714316dc
    SHA512: 282f708ebc9a43c5f736320d3b9aa487422baa23f02fd9bcb488e5b1736704b397b6b488dc931869e5ae794c7d5efafaedc3e19fe9aa0743b7263e3ec934261d

  • C:\Users\Admin\AppData\Local\Temp\jsme5xwh.dll
    Filesize: 5KB
    MD5: 5fd65aeec23812ef4748346f620787c7
    SHA1: 4f49060b5fbd3a0f547fe0d7f261d479c7d9edae
    SHA256: 98d37bb81d9a73adf173a947a065107e3e8280f1c0b9c654cde70bcdc847f3e1
    SHA512: 2c616ee8b195fde3112f7de01c58bedbdbaf96902cd90986bdc819be9eefcf57b819cbb425a9fb52f130f9352d93b78f98be0653fc775a7a1b246d7901cd0906

  • C:\Users\Admin\AppData\Local\Temp\rzjotwqn.dll
    Filesize: 8KB
    MD5: cedd5308880d5aae54a0f515ee6b3139
    SHA1: 05ef6ee69a3d99e8a065358d7fed15a9858bd54b
    SHA256: 5859be1b01e8d7e3952cdc83e0b1101b88ec2b30a76423a4ef77bf7153874ef7
    SHA512: a05eb72a37a4d711ed07eae4b4cf56ddc84a97cba65f91fee2a26ebe0d7155d876c96b2015368b5577f6d48d16c278c015cea1ca0e4902f1da79afca4042d7ba

  • C:\Users\Admin\AppData\Roaming\ctfmon.exe
    Filesize: 1024B
    MD5: 5680aa2cc0b5884b9fc96b8a3e1379eb
    SHA1: 912ee1aec2d6532af837a5deb3b31bc82988b864
    SHA256: 1dd485f826b051aff3788bf3f2b7a055b62378bd3501f5d2eece9eb2b34e9999
    SHA512: 5d4382d008de4513349f5c464e2807fd214e193b43e58e024e2fb131650c94e92dbec02aec4eae3bca9bbf2405baa1c1aaf71841a69eda6a163fd6cfb5e12aa4

  • \??\c:\Users\Admin\AppData\Local\Temp\CSC8F5F.tmp
    Filesize: 652B
    MD5: a9576c231dfdd9ac464a514cb78b09c1
    SHA1: d5acf072fc6b3a67f3c80e89287253b5c33cbe6e
    SHA256: fe183fc467f59604a456b84c5639c641ef93aa75fbe22a99ca56913d75713e51
    SHA512: 9962a59a4152d8cbe6eac63a58a715bb926a6766a1b514ddc46aa15a4ff60ec6227c6bb7901cc4ccacf17850091fe43e62d2459a7bbc9eadc6106e448cbd08a0

  • \??\c:\Users\Admin\AppData\Local\Temp\CSC900B.tmp
    Filesize: 652B
    MD5: ee0cd16f0288d29433419647c80b505d
    SHA1: 1330810d8fa4fc428b83110ec144ecd67a2da3c8
    SHA256: 17525f7d7247258470b4c62e00d1bfbece01ce8a6ae28a69d41ad9d65bd5ddba
    SHA512: ba6912121a8c1e0f6bdc8cdd9e753d0b71e9a0ced18be2a05414f897fb9fec007136c892395b950b1565689f6875add6165b0c0d92c0b6077c665b20bbb79815

  • \??\c:\Users\Admin\AppData\Local\Temp\jsme5xwh.0.cs
    Filesize: 3KB
    MD5: 412e1c803f61cea207aa4b53c9b4a3bb
    SHA1: 79b56c2016e0eb4e0de20ef8085dd8caa2b0a810
    SHA256: 03928f10904ba363d8e763f42883e9c9e6a54f5514b323c48fca4ace6f8d2b71
    SHA512: 9cb9f92cee9e2b22424c8c0f60b53143ff7799a61a06a02291102912208311fb41ea95e16a175f46fbf0cce41b2f18f4eacaa5ae60625aa0e89beec5ac299b3b

  • \??\c:\Users\Admin\AppData\Local\Temp\jsme5xwh.cmdline
    Filesize: 187B
    MD5: e0c8f029d081cf37a2bb9cda301e5000
    SHA1: 9553652860c5e6cbed9500592ba4f4a7d480cab2
    SHA256: 2c424edb9f243ebe199ec89a1b89187cd6e4b0fe43818b234ae4b4b3279bca24
    SHA512: e6039fc4d32f4129da7586bb22eeabb8dcc360e71fbd81b2d1a8a3c960a739b02c72d604dd1e4de2f5daafde1f616bea989c6fcea627a6b5ed0294f6b90b0d32

  • \??\c:\Users\Admin\AppData\Local\Temp\rzjotwqn.0.cs
    Filesize: 6KB
    MD5: ec02f26fb5424b5fbc9bcef4abb87993
    SHA1: 86082c6c15bdf457dcabdbab286457d0bf92b24c
    SHA256: 321952c2c98fb6c307deff53b2534c63df40bc2739d654cdc1c02f98bc64c7b1
    SHA512: 1de05d23a61dd39d240855559d481208eb91b034c71a331e9f70e6930473eab7a014f375446116bde627635184d6bc7340ebcfe08ee10d801b7ba5dc9ffaedb2

  • \??\c:\Users\Admin\AppData\Local\Temp\rzjotwqn.cmdline
    Filesize: 187B
    MD5: 6fd16f7a742b94ffe661b13a8c8fce84
    SHA1: eca75aa8fa36886f482669e4d2d3213abb7a8b65
    SHA256: e5c85fe0ad09567480d580b0ba7896051196c2967b0dcfa62880c38cf169ec2e
    SHA512: ef3883562357dfb1b897f304996e6bcf187d7cdec6cc27c14dbe4d5ded1702df8f0146989b05c9d7777c9b57a066ad99be48382bee8b88d442b8f84f6fb36f21

  • memory/1028-9-0x00000000748D0000-0x0000000074E81000-memory.dmp
    Filesize: 5.7MB

  • memory/1028-16-0x00000000748D0000-0x0000000074E81000-memory.dmp
    Filesize: 5.7MB

  • memory/2944-30-0x00000000748D0000-0x0000000074E81000-memory.dmp
    Filesize: 5.7MB

  • memory/2944-35-0x00000000748D0000-0x0000000074E81000-memory.dmp
    Filesize: 5.7MB

  • memory/3668-0-0x00000000748D2000-0x00000000748D3000-memory.dmp
    Filesize: 4KB

  • memory/3668-2-0x00000000748D0000-0x0000000074E81000-memory.dmp
    Filesize: 5.7MB

  • memory/3668-1-0x00000000748D0000-0x0000000074E81000-memory.dmp
    Filesize: 5.7MB

  • memory/3668-38-0x00000000748D2000-0x00000000748D3000-memory.dmp
    Filesize: 4KB

  • memory/3668-39-0x00000000748D0000-0x0000000074E81000-memory.dmp
    Filesize: 5.7MB

  • memory/3668-40-0x00000000748D0000-0x0000000074E81000-memory.dmp
    Filesize: 5.7MB

  • memory/4488-20-0x0000000013140000-0x00000000131F6000-memory.dmp
    Filesize: 728KB