Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
04-01-2025 14:17
General
-
Target
JaffaCakes118_7a257c21d2ba245b7738e890174fc3a3.exe
-
Size
636KB
-
MD5
7a257c21d2ba245b7738e890174fc3a3
-
SHA1
2befbb3b7d0fe3e1d275318679d8d54b72438eb1
-
SHA256
b6392d37cb3db67b615d1443b0dfc1fbe757ef21afb31dba98f84c8bef595990
-
SHA512
0e14db7327dd07c81f886992afa61705e63f36a9611720321f24c83733f47f79c97c2c5bc9ac68467a40cca91732f58ae919527b97fbc21f3cfc64960fc67b49
-
SSDEEP
12288:TpwABK90BOe/x9lPAYvxPQVjdsAY2XjWlnlpTMMXG91uhKIXn/t:1wAcu99lPzvxP+Bsz2XjWTRMQckkIXnV
Malware Config
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Darkcomet family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in System32 directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7a257c21d2ba245b7738e890174fc3a3.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7a257c21d2ba245b7738e890174fc3a3.exe"1⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"2⤵
-
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\system32\svchost.exe"2⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7a257c21d2ba245b7738e890174fc3a3.exe"2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
20KB
MD554a47f6b5e09a77e61649109c6a08866
SHA14af001b3c3816b860660cf2de2c0fd3c1dfb4878
SHA256121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2
SHA51288ee0ef5af1b0b38c19ab4c307636352fc403ea74f3bfb17e246f7fd815ac042183086133cd9fe805bd47e15854776871bb7d384e419862c91503eeb82bfb419
-
Filesize
4KB
-
Filesize
704KB