Analysis
-
max time kernel
117s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
19-01-2025 07:54
General
-
Target
JaffaCakes118_c1cab2d45f394c1fb0ac454b67f964c6.exe
-
Size
892KB
-
MD5
c1cab2d45f394c1fb0ac454b67f964c6
-
SHA1
4ba5dc2630e08424872bee5260dcfe109b6e567a
-
SHA256
4bdd9384bf7eaa1634b150f749bf926097a5a5e314238b35fc2c3b32b1e830de
-
SHA512
7b2a1ed3aeb0a2d2ab6679c8fa07dbc53dc9163fff60aa4b48d795fcf629d19bbd431671cf85e97901bdb78bafa8fc8468046b64b79c83e4253cea8bdc4805ab
-
SSDEEP
12288:BcDXi/thiq/8hYI26SuzuS9pW9AVzDGd19YO82exf+qGYWjmj91jGlYtdB2:Bc4hiwB+V9o9AVzDcOO8261x5GOs
Malware Config
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Darkcomet family
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 5 IoCs
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c1cab2d45f394c1fb0ac454b67f964c6.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c1cab2d45f394c1fb0ac454b67f964c6.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\JaffaCakes118_c1cab2d45f394c1fb0ac454b67f964c6.exe"C:\Users\Admin\Documents\JaffaCakes118_c1cab2d45f394c1fb0ac454b67f964c6.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe3⤵
- Checks BIOS information in registry
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"4⤵
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
17KB
MD5e99f74ae594c1b373fa0d34193dce208
SHA13933f949724a6702e0038295287a39c53592b11e
SHA2561dbb3b418bd78abb49d583f2b9cea6b20fe9fece0a59c118ddf104a672e29ebd
SHA512355a2a3955e0f50b0c41a24589b9283892689faa61aea6360a1b762f5f2f58166c579b37dc0b003e716c1dc760f1931b73faf6fa3e2b21f8571dbdf5ee37c030
-
Filesize
892KB
MD5c1cab2d45f394c1fb0ac454b67f964c6
SHA14ba5dc2630e08424872bee5260dcfe109b6e567a
SHA2564bdd9384bf7eaa1634b150f749bf926097a5a5e314238b35fc2c3b32b1e830de
SHA5127b2a1ed3aeb0a2d2ab6679c8fa07dbc53dc9163fff60aa4b48d795fcf629d19bbd431671cf85e97901bdb78bafa8fc8468046b64b79c83e4253cea8bdc4805ab
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
4KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
1.1MB
-
Filesize
1.1MB