Overview

overview

10

Static

static

10

JaffaCakes...68.exe

windows7-x64

10

JaffaCakes...68.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    02-01-2025 02:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_623a670eb93c9578fe74a42eda1dde68.exe

  • Size

    1.2MB

  • MD5

    623a670eb93c9578fe74a42eda1dde68

  • SHA1

    d0ad967bee0b0d6c8c699003f742f44f3bf4b6a4

  • SHA256

    46468f8938461d033c5d583a9a2251368f425b4c19dfce1c68b2f6b4791a9b01

  • SHA512

    20b3e498ab3a8fed294c95966b4f5a4d801806d7b4c5fd8afb11aa113a59558c3039de5b8af8a694af640e12015429d2037d4a7b4824d1ea14dda892edacdbdf

  • SSDEEP

    24576:iAmBpVKHu0Mu9Xo20VGLVP5H3xGUweEqAZKrUZrCqiuP+oM:iAmKZVZDHLAZIe7M

Score
10/10
darkcometdiscoveryevasionrattrojan

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Darkcomet family
    darkcomet
  • Modifies firewall policy service 3 TTPs 3 IoCs
    evasion
  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 1 IoCs
    evasiontrojan
  • Drops file in Drivers directory 1 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_623a670eb93c9578fe74a42eda1dde68.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_623a670eb93c9578fe74a42eda1dde68.exe"
    1⤵
    • Modifies firewall policy service
    • Modifies security service
    • Windows security bypass
    • Drops file in Drivers directory
    • Windows security modification
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:2280
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2948

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1030-MATRIX.JPG
    Filesize

    598KB

    MD5

    e0eccd2adc4b3c4f08fe128540f8a76c

    SHA1

    1d606873456c31693ecc3d324d75dabacdbfc05e

    SHA256

    4e5ff553fa1d9de55e03193a148d591c915ab8b9f83a57f0c0942ad13040a70e

    SHA512

    b4a5d48b8b26580fbf09fbbe60c9f97e2444c63ca218650de7f3a19fdcff0cf3f733c5683c72c79d4a9a148ae4686931c33b371c2b8010920039b3049eb2a8fa

    Download Submit

  • memory/2280-0-0x0000000000270000-0x0000000000271000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2280-3-0x0000000003750000-0x0000000003752000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2280-9-0x0000000000400000-0x0000000000551000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2280-12-0x0000000000400000-0x0000000000551000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2948-4-0x00000000000C0000-0x00000000000C2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2948-5-0x00000000002A0000-0x00000000002A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2948-10-0x00000000002A0000-0x00000000002A1000-memory.dmp

    Filesize

    4KB

    Download