Overview

overview

10

Static

static

3

e61acbbe8d...18.exe

windows7-x64

10

e61acbbe8d...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    20s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    12-12-2024 11:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e61acbbe8d56d25353e59ad455fc2d0f_JaffaCakes118.exe

  • Size

    703KB

  • MD5

    e61acbbe8d56d25353e59ad455fc2d0f

  • SHA1

    8a1732f7181c45cec4392dbe6ec8bac518fa8e75

  • SHA256

    d2fae7ef9a11f7775d69a40f704e276966680da6f3789a5babfcd18fd943529a

  • SHA512

    12027b8eb60c647c2a560980c2c7cca96c65991593563af321a1dae0351b42d733f6fda68cd0fc050e4c06dfbae9480a78d1778dc725b390a58b032d87785969

  • SSDEEP

    12288:o1iq/ujdrDqfnDqPoM7yowPeLddpSa/M4bkFzK/igahDyXhGr76:o1A4f4+owyO4AFzbBhuX06

Score
10/10
darkcometdiscoverypersistenceratspywarestealertrojanupx

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Darkcomet family
    darkcomet
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 7 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
    stealer
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e61acbbe8d56d25353e59ad455fc2d0f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e61acbbe8d56d25353e59ad455fc2d0f_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2660
    • C:\Users\Admin\AppData\Local\Temp\e61acbbe8d56d25353e59ad455fc2d0f_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\e61acbbe8d56d25353e59ad455fc2d0f_JaffaCakes118.exe
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3008
      • C:\Users\Admin\AppData\Local\Temp\e61acbbe8d56d25353e59ad455fc2d0f_JaffaCakes118.exe
        C:\Users\Admin\AppData\Local\Temp\e61acbbe8d56d25353e59ad455fc2d0f_JaffaCakes118.exe
        3⤵
        • Modifies WinLogon for persistence
        • Checks BIOS information in registry
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2916
        • C:\Windows\SysWOW64\explorer.exe
          "C:\Windows\SysWOW64\explorer.exe"
          4⤵
            PID:2752
          • C:\Windows\SysWOW64\syshost.exe
            "C:\Windows\system32\syshost.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2884
            • C:\Windows\SysWOW64\syshost.exe
              C:\Windows\SysWOW64\syshost.exe
              5⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2536
              • C:\Windows\SysWOW64\syshost.exe
                C:\Windows\SysWOW64\syshost.exe
                6⤵
                • Modifies WinLogon for persistence
                • Checks BIOS information in registry
                • Executes dropped EXE
                • Adds Run key to start application
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Checks processor information in registry
                • Enumerates system info in registry
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2116
                • C:\Windows\SysWOW64\explorer.exe
                  "C:\Windows\SysWOW64\explorer.exe"
                  7⤵
                    PID:1020
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 460
                    7⤵
                    • Loads dropped DLL
                    • Program crash
                    PID:2800
              • C:\Windows\SysWOW64\syshost.exe
                C:\Windows\SysWOW64\syshost.exe
                5⤵
                • Executes dropped EXE
                • Modifies Internet Explorer settings
                • Modifies Internet Explorer start page
                PID:2196
        • C:\Users\Admin\AppData\Local\Temp\e61acbbe8d56d25353e59ad455fc2d0f_JaffaCakes118.exe
          C:\Users\Admin\AppData\Local\Temp\e61acbbe8d56d25353e59ad455fc2d0f_JaffaCakes118.exe
          2⤵
          • Modifies Internet Explorer settings
          • Modifies Internet Explorer start page
          PID:2296

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\www.google.com.htm
        Filesize

        827B

        MD5

        ef3e0b6971207c43b73b95205871c958

        SHA1

        7faff4ddec0cade5a7432b5bfd7a5a0283e6a3ce

        SHA256

        14c4de9a9dbd129e1393f27f7cffe0516bc80e18a71f5599e4ff78807cdade89

        SHA512

        9f25b14941083b849995394a695cd52cd3c43cd136e91ccf99bd85d81e0c938e377ad9214bd67027e7d584843ab2d7b976583814eebc35689d647bf644f4a70a

        Download Submit

      • \Windows\SysWOW64\syshost.exe
        Filesize

        703KB

        MD5

        e61acbbe8d56d25353e59ad455fc2d0f

        SHA1

        8a1732f7181c45cec4392dbe6ec8bac518fa8e75

        SHA256

        d2fae7ef9a11f7775d69a40f704e276966680da6f3789a5babfcd18fd943529a

        SHA512

        12027b8eb60c647c2a560980c2c7cca96c65991593563af321a1dae0351b42d733f6fda68cd0fc050e4c06dfbae9480a78d1778dc725b390a58b032d87785969

        Download Submit

      • memory/2116-119-0x0000000000400000-0x00000000004B5000-memory.dmp

        Filesize

        724KB

        Download

      • memory/2116-115-0x0000000000400000-0x00000000004B5000-memory.dmp

        Filesize

        724KB

        Download

      • memory/2116-101-0x0000000000400000-0x00000000004B5000-memory.dmp

        Filesize

        724KB

        Download

      • memory/2296-20-0x0000000000400000-0x0000000000407000-memory.dmp

        Filesize

        28KB

        Download

      • memory/2296-12-0x0000000000400000-0x0000000000407000-memory.dmp

        Filesize

        28KB

        Download

      • memory/2296-89-0x0000000000400000-0x0000000000407000-memory.dmp

        Filesize

        28KB

        Download

      • memory/2296-22-0x0000000000400000-0x0000000000407000-memory.dmp

        Filesize

        28KB

        Download

      • memory/2296-18-0x0000000000400000-0x0000000000407000-memory.dmp

        Filesize

        28KB

        Download

      • memory/2296-16-0x0000000000400000-0x0000000000407000-memory.dmp

        Filesize

        28KB

        Download

      • memory/2296-14-0x0000000000400000-0x0000000000407000-memory.dmp

        Filesize

        28KB

        Download

      • memory/2296-24-0x0000000000400000-0x0000000000407000-memory.dmp

        Filesize

        28KB

        Download

      • memory/2296-10-0x0000000000400000-0x0000000000407000-memory.dmp

        Filesize

        28KB

        Download

      • memory/2536-105-0x0000000000400000-0x0000000000408000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2660-23-0x0000000000400000-0x0000000000487000-memory.dmp

        Filesize

        540KB

        Download

      • memory/2660-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2884-88-0x0000000000400000-0x0000000000487000-memory.dmp

        Filesize

        540KB

        Download

      • memory/2884-60-0x0000000000400000-0x0000000000487000-memory.dmp

        Filesize

        540KB

        Download

      • memory/2916-34-0x0000000000400000-0x00000000004B5000-memory.dmp

        Filesize

        724KB

        Download

      • memory/2916-27-0x0000000000400000-0x00000000004B5000-memory.dmp

        Filesize

        724KB

        Download

      • memory/2916-29-0x0000000000400000-0x00000000004B5000-memory.dmp

        Filesize

        724KB

        Download

      • memory/2916-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2916-41-0x0000000000400000-0x00000000004B5000-memory.dmp

        Filesize

        724KB

        Download

      • memory/2916-43-0x0000000000400000-0x00000000004B5000-memory.dmp

        Filesize

        724KB

        Download

      • memory/2916-42-0x0000000000400000-0x00000000004B5000-memory.dmp

        Filesize

        724KB

        Download

      • memory/2916-45-0x0000000000400000-0x00000000004B5000-memory.dmp

        Filesize

        724KB

        Download

      • memory/2916-44-0x0000000000400000-0x00000000004B5000-memory.dmp

        Filesize

        724KB

        Download

      • memory/2916-30-0x0000000000400000-0x00000000004B5000-memory.dmp

        Filesize

        724KB

        Download

      • memory/2916-35-0x0000000000400000-0x00000000004B5000-memory.dmp

        Filesize

        724KB

        Download

      • memory/2916-59-0x0000000000400000-0x00000000004B5000-memory.dmp

        Filesize

        724KB

        Download

      • memory/2916-33-0x0000000000400000-0x00000000004B5000-memory.dmp

        Filesize

        724KB

        Download

      • memory/3008-38-0x0000000000400000-0x0000000000408000-memory.dmp

        Filesize

        32KB

        Download

      • memory/3008-7-0x0000000000400000-0x0000000000408000-memory.dmp

        Filesize

        32KB

        Download

      • memory/3008-9-0x0000000000400000-0x0000000000408000-memory.dmp

        Filesize

        32KB

        Download

      • memory/3008-1-0x0000000000400000-0x0000000000408000-memory.dmp

        Filesize

        32KB

        Download

      • memory/3008-3-0x0000000000400000-0x0000000000408000-memory.dmp

        Filesize

        32KB

        Download

      • memory/3008-5-0x0000000000400000-0x0000000000408000-memory.dmp

        Filesize

        32KB

        Download