Analysis
-
max time kernel
149s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
12-01-2025 16:00
General
-
Target
JaffaCakes118_1298c60186fbfa7134485df1c48c6e5b.exe
-
Size
678KB
-
MD5
1298c60186fbfa7134485df1c48c6e5b
-
SHA1
595ca17b786b4d6b7d2d80e711199f5ebefc902f
-
SHA256
4ba66678f757c0c2cb9b6469e14f02c403faba9b95e17600dc2a7a7d92bcb0ff
-
SHA512
0cae4195d607492fd94254487ae8642198b2f37ffac3b0eba45f8a78f3e11801d38162a041d94edf96f92cd1b69b90f3857806e2d620b1bab2e6bc451433bc1e
-
SSDEEP
12288:VoVTm259rPA2aHlEXpuOn850DLrh1QZZeetfKoF/xELQdD4aqt:uX5hPA2aHlsBDLV10ZeUf2kZno
Malware Config
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Darkcomet family
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 1 IoCs
-
UPX packed file 17 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1298c60186fbfa7134485df1c48c6e5b.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1298c60186fbfa7134485df1c48c6e5b.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\CryptedFile.exe"C:\Users\Admin\AppData\Local\Temp\CryptedFile.exe"2⤵
- Checks BIOS information in registry
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
331KB
MD532b9a74643fa934e63f3d53af1b2e7c1
SHA1b71b62ed3bad11c878660fcfb4414cfbad304462
SHA256becdc86144b08999c4cc55ea685d34dd67cfe37d139b635903b47af73593bfde
SHA5127d810203f193bfe7e6c247ae814a1a9cb9b2ddfb8a6e5852f064dba38339f339ef83216ed8c822aaf29ad06b620b731b0609c520c90f83859e8daa7904efcfd3
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
916KB
-
Filesize
916KB
-
Filesize
916KB
-
Filesize
916KB
-
Filesize
916KB
-
Filesize
916KB
-
Filesize
916KB
-
Filesize
916KB
-
Filesize
916KB
-
Filesize
4KB
-
Filesize
916KB
-
Filesize
916KB
-
Filesize
916KB
-
Filesize
916KB
-
Filesize
916KB
-
Filesize
916KB
-
Filesize
916KB