Analysis
-
max time kernel
149s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
02-01-2025 23:45
General
-
Target
JaffaCakes118_68f1f029e4ef2b3a1cf44871655d6b8f.exe
-
Size
980KB
-
MD5
68f1f029e4ef2b3a1cf44871655d6b8f
-
SHA1
665cc7627b7fd651fcb3661a68a4cd01780240ca
-
SHA256
a925a49e9633b53e0b4daffab9e9a3a9ed84db69d98d378c5bdc54acd1312ab0
-
SHA512
5eba946d239e3ad74538c4b38f5490d3117792fc91de6afa4642f3b419d238ed3fe895d51438af48a73455b4beafc0c6d18a20e896c01a439bc37d4196b09967
-
SSDEEP
12288:zaAchpWsuVTv7ItY8XljyypHP7cOLBev03hlULsmWZ++09ZcKDVsVCG:WAEENIq8XwyVPQclDq/+WnpssG
Malware Config
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Darkcomet family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies firewall policy service 3 TTPs 3 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 2 IoCs
-
Disables Task Manager via registry modification
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
System policy modification 1 TTPs 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_68f1f029e4ef2b3a1cf44871655d6b8f.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_68f1f029e4ef2b3a1cf44871655d6b8f.exe"1⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Checks BIOS information in registry
- Windows security modification
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Defense Evasion
Impair Defenses
3Disable or Modify System Firewall
1Disable or Modify Tools
2Modify Registry
7Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
988KB
-
Filesize
4KB
-
Filesize
988KB
-
Filesize
4KB