Overview

overview

10

Static

static

7

JaffaCakes...72.exe

windows7-x64

10

JaffaCakes...72.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20/01/2025, 13:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_e884c8639a6e449cd7b42b6564e78972.exe

  • Size

    1.2MB

  • MD5

    e884c8639a6e449cd7b42b6564e78972

  • SHA1

    e2ee3571fc9b89d664f94e2a4e3046f31c1b00e3

  • SHA256

    1a11a573468395c178bcd689dda500a55140d21c70860c1b727c3fedbfbff836

  • SHA512

    9c2127f348ac756304548bf6586bb35fe210bc8f900031fb82703f88d0915cc27aa715d60998bd976ffd412653b94cfd1edaeebfbfe91d8a4fb84e1beb20a588

  • SSDEEP

    24576:kuGkPWqtpDX9iD0jG371rTaOO5+Uc6JlxXRq4F:kuG4WqHXQ0STN4la4F

Score
10/10
darkcometmodiloaderdiscoveryevasionratthemidatrojan

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Darkcomet family
    darkcomet
  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Modiloader family
    modiloader
  • ModiLoader Second Stage 4 IoCs
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 2 IoCs
  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e884c8639a6e449cd7b42b6564e78972.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e884c8639a6e449cd7b42b6564e78972.exe"
    1⤵
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2672
    • C:\Users\Admin\AppData\Local\Temp\346356326.scr
      "C:\Users\Admin\AppData\Local\Temp\346356326.scr" /S
      2⤵
      • Checks BIOS information in registry
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:2808
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2788

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\346356326.scr
    Filesize

    712KB

    MD5

    211b5f2b0388d20ee28e8682c86b3664

    SHA1

    a8dfb9767284f9ac96baa95a8918487607eceabb

    SHA256

    fd1d6217a3c70f0809297e61e9213b8c41fa5df822e62edc2deaeab1e008e731

    SHA512

    4963313e3ddbb4fe79593d5cfcb5d11d71389adbd894add96dc1c3c07adaba43c50432122bc1c3002b27b1f6f25734f3029485b58b814e1de426b79d1c835692

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\9cf00d54c42b605a211afd0bc2615380.jpg
    Filesize

    7KB

    MD5

    4f67e46669703411d4d3521f8e7dcd1b

    SHA1

    71488659cdbfd9efe10f8a051054c20c4e2134de

    SHA256

    8f5994e316c345ef0d21393a0deecfa7d5fd1c60592327a51605d729ad3759f9

    SHA512

    db234ad40f267097cead6a5ecea141fb6920f029fdfa991b0da35b95e0c49d1be422ad47173b49a4701266d5620af9ef6e2f63580810ef10dfd6348610d935b0

    Download Submit

  • memory/2672-1-0x0000000000401000-0x0000000000409000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2672-3-0x0000000000400000-0x0000000000595000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2672-0-0x0000000000400000-0x0000000000595000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2672-14-0x00000000048B0000-0x00000000048B2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2672-16-0x0000000000400000-0x0000000000595000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2672-17-0x0000000000401000-0x0000000000409000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2788-15-0x00000000001A0000-0x00000000001A2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2808-21-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/2808-25-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/2808-20-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/2808-13-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/2808-22-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/2808-23-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/2808-24-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/2808-19-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/2808-26-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/2808-27-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/2808-28-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/2808-29-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/2808-30-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/2808-31-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/2808-32-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/2808-33-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download