Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-01-2025 10:08

General

  • Target
    JaffaCakes118_e3ebdb9bfe2411714d3a5e460156151f.exe
  • Size
    704KB
  • MD5
    e3ebdb9bfe2411714d3a5e460156151f
  • SHA1
    0dbbfc0f06de9f7efc87aae2d4e653cdd83fcdf6
  • SHA256
    1bc68880ab0a6f9798a0ea42b12d278956deaa65e44c06056a0130da92b2736b
  • SHA512
    3dd7fdae85dad0d459ba990cfe1c669af1aa9acc2d9a6ec9c48edd0dab8954cbc89c5132b751c68470f62291bd6b06d3fd49da1a4b52737338eaf10c81041943
  • SSDEEP
    12288:yBCnAb9XwwnsAGkfPVn2VrYFKf+0ZgKU3MBmD3aJME3DZTnZAQgwBc:ysnAbRwssAGkfPVn2VrCKf+0ZgXLaJMB

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Darkcomet family
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes so the file is not shown in Explorer and similar file browsers.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e3ebdb9bfe2411714d3a5e460156151f.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e3ebdb9bfe2411714d3a5e460156151f.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1840
    • C:\Users\Admin\AppData\Local\Temp\winini.exe
      "C:\Users\Admin\AppData\Local\Temp\winini.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2804
      • C:\Users\Admin\AppData\Local\Temp\cvtres.exe
        C:\Users\Admin\AppData\Local\Temp\cvtres.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2456
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\cvtres.exe" +s +h
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2768
          • C:\Windows\SysWOW64\attrib.exe
            attrib "C:\Users\Admin\AppData\Local\Temp\cvtres.exe" +s +h
            5⤵
            • Sets file to hidden
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:2832
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2888
          • C:\Windows\SysWOW64\attrib.exe
            attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
            5⤵
            • Sets file to hidden
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:2848
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          4⤵
            PID:2520

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\cvtres.exe
      Filesize: 31KB
      MD5: ed797d8dc2c92401985d162e42ffa450
      SHA1: 0f02fc517c7facc4baefde4fe9467fb6488ebabe
      SHA256: b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e
      SHA512: e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

    • C:\Users\Admin\AppData\Local\Temp\winini.exe
      Filesize: 468KB
      MD5: fd1faff4775c6c9dd7d22a5624d2b10b
      SHA1: a328364ad519e024c6f8d9add2852e48c1d0720d
      SHA256: 89e82099d3238dd4eb985a6788136aaa1b3dc3da6733af201abb93d4e654d15e
      SHA512: 9ae7c03397bce9c60ac5bd677bda0a4ad2b36e92d71d16dc33ac1c1569eca7a48949677b24e32c6fd0485abf220522c8e077c54b935888f1b8f11db0bd43b71f

    Memory dumps (path, filesize):

    • memory/1840-0-0x00000000746F1000-0x00000000746F2000-memory.dmp, 4KB
    • memory/1840-1-0x00000000746F0000-0x0000000074C9B000-memory.dmp, 5.7MB
    • memory/1840-2-0x00000000746F0000-0x0000000074C9B000-memory.dmp, 5.7MB
    • memory/1840-13-0x00000000746F0000-0x0000000074C9B000-memory.dmp, 5.7MB
    • memory/2456-39-0x0000000000400000-0x00000000004B6000-memory.dmp, 728KB
    • memory/2456-19-0x0000000000400000-0x00000000004B6000-memory.dmp, 728KB
    • memory/2456-21-0x0000000000400000-0x00000000004B6000-memory.dmp, 728KB
    • memory/2456-38-0x0000000000400000-0x00000000004B6000-memory.dmp, 728KB
    • memory/2456-20-0x0000000000400000-0x00000000004B6000-memory.dmp, 728KB
    • memory/2456-36-0x0000000000400000-0x00000000004B6000-memory.dmp, 728KB
    • memory/2456-32-0x0000000000400000-0x00000000004B6000-memory.dmp, 728KB
    • memory/2456-45-0x0000000000400000-0x00000000004B6000-memory.dmp, 728KB
    • memory/2456-34-0x0000000000400000-0x00000000004B6000-memory.dmp, 728KB
    • memory/2456-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp, 4KB
    • memory/2456-29-0x0000000000400000-0x00000000004B6000-memory.dmp, 728KB
    • memory/2456-28-0x0000000000400000-0x00000000004B6000-memory.dmp, 728KB
    • memory/2456-26-0x0000000000400000-0x00000000004B6000-memory.dmp, 728KB
    • memory/2456-25-0x0000000000400000-0x00000000004B6000-memory.dmp, 728KB
    • memory/2456-23-0x0000000000400000-0x00000000004B6000-memory.dmp, 728KB
    • memory/2520-41-0x0000000000400000-0x000000000040A000-memory.dmp, 40KB
    • memory/2804-37-0x00000000746F0000-0x0000000074C9B000-memory.dmp, 5.7MB
    • memory/2804-15-0x00000000746F0000-0x0000000074C9B000-memory.dmp, 5.7MB
    • memory/2804-35-0x00000000746F0000-0x0000000074C9B000-memory.dmp, 5.7MB
    • memory/2804-46-0x00000000746F0000-0x0000000074C9B000-memory.dmp, 5.7MB