Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/01/2025, 12:32

General

  • Target

    JaffaCakes118_0da6a5a744a20f2307bea6ac4b2ae6db.exe

  • Size

    1.7MB

  • MD5

    0da6a5a744a20f2307bea6ac4b2ae6db

  • SHA1

    03287ae1adcc2b751d6f70f2e129b131924bd4bf

  • SHA256

    ba48e7607c54f5a5c943c46bbe060a2ee24c51ac98c9f35ab8442d7fc3cf1eb1

  • SHA512

    c846375071041b1dc6701de64f8ea6250b68052236f15af0946f11291e47b4be3068ece459f349723c5adc887f7edbda25c2d89adcd06d59d37e40e5f948bb1e

  • SSDEEP

    49152:+hKLFggNIOFQGbFpDsGX9zCVtVZy/Tyw0Dy:+ddoo8wRUTyw0O

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Darkcomet family
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 2 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, most likely as a geofence check before the payload runs.

  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0da6a5a744a20f2307bea6ac4b2ae6db.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0da6a5a744a20f2307bea6ac4b2ae6db.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4396
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0da6a5a744a20f2307bea6ac4b2ae6db.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0da6a5a744a20f2307bea6ac4b2ae6db.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Checks BIOS information in registry
      • Checks computer location settings
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Enumerates system info in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1728
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:4768
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\SysWOW64\explorer.exe"
        3⤵
          PID:2648
        • C:\Windows\SysWOW64\explorer.exe
          "C:\Windows\SysWOW64\explorer.exe"
          3⤵
            PID:4208
          • C:\Windupdt\winupdate.exe
            "C:\Windupdt\winupdate.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1888
            • C:\Windupdt\winupdate.exe
              "C:\Windupdt\winupdate.exe"
              4⤵
              • Modifies security service
              • Windows security bypass
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Windows security modification
              • System Location Discovery: System Language Discovery
              • Checks processor information in registry
              • Enumerates system info in registry
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2620
              • C:\Windows\SysWOW64\notepad.exe
                C:\Windows\SysWOW64\notepad.exe
                5⤵
                • System Location Discovery: System Language Discovery
                PID:636
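The process tree above shows the sample re-launching itself with SetThreadContext/WriteProcessMemory, dropping a copy as C:\Windupdt\winupdate.exe, and writing Winlogon and Run-key persistence. The PowerShell below is an added host-triage script, not part of this sandbox report or of any tool it references. It uses only what the report records (the dropped path and the sample's SHA256); the report does not name the Winlogon or Run values that were written, so the value names it inspects (Userinit, Shell, the standard Run keys) and the string pattern it matches on are assumptions. Run it elevated on a host suspected of executing this sample.

```powershell
# Added triage script for the indicators in this report (not the report's own code).
# Facts taken from the report: dropped path and SHA256. Everything marked
# "assumption" is a reasonable place to look, not something the report states.

$KnownSha256 = 'ba48e7607c54f5a5c943c46bbe060a2ee24c51ac98c9f35ab8442d7fc3cf1eb1'  # from the report
$DroppedPath = 'C:\Windupdt\winupdate.exe'                                          # from the process tree

function Test-DroppedBinary {
    # Is the dropped copy on disk, and does it hash to the sample? The report shows
    # winupdate.exe carrying the same hashes as the submitted file.
    param([string]$Path = $DroppedPath, [string]$Sha256 = $KnownSha256)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Present = $false; HashMatch = $false; Sha256 = $null }
    }
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    [pscustomobject]@{ Path = $Path; Present = $true; HashMatch = ($actual -ieq $Sha256); Sha256 = $actual }
}

function Get-SuspiciousAutostart {
    # Locations behind the "Modifies WinLogon for persistence" and "Adds Run key"
    # signatures. Assumption: the value names and the match pattern; the report
    # only says these keys were modified, not which values or with what data.
    param([string]$Pattern = 'Windupdt|winupdate\.exe')
    $targets = @(
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Names = @('Userinit', 'Shell') },
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';         Names = @() },
        @{ Key = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';         Names = @() },
        @{ Key = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'; Names = @() }
    )
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($t in $targets) {
        if (-not (Test-Path -LiteralPath $t.Key)) { continue }
        $props = Get-ItemProperty -LiteralPath $t.Key
        # Winlogon: only the two values that launch code at logon. Run keys: every value.
        $names = if ($t.Names.Count -gt 0) { $t.Names } else {
            $props.PSObject.Properties | Where-Object { $_.Name -notin $providerProps } | ForEach-Object { $_.Name }
        }
        foreach ($n in $names) {
            $value = [string]$props.$n
            if ($value -match $Pattern) {
                [pscustomobject]@{ Key = $t.Key; Name = $n; Value = $value }
            }
        }
    }
}

function Get-SuspiciousProcess {
    # Running copies of the dropped binary, plus 32-bit notepad.exe/explorer.exe,
    # which the tree shows being used as injection hosts. The SysWOW64 hits are
    # for review only: a legitimate 32-bit notepad is possible, so check the parent.
    Get-CimInstance -ClassName Win32_Process | Where-Object {
        ($_.ExecutablePath -ieq $DroppedPath) -or
        ($_.ExecutablePath -match '\\SysWOW64\\(notepad|explorer)\.exe$')
    } | Select-Object ProcessId, ParentProcessId, ExecutablePath, CommandLine
}

# Collect everything before touching anything: the dropped copy, the autostart
# entries and the live processes are the evidence an IR team wants preserved.
$binary    = Test-DroppedBinary
$autostart = @(Get-SuspiciousAutostart)
$procs     = @(Get-SuspiciousProcess)

$binary    | Format-List
$autostart | Format-Table -AutoSize
$procs     | Format-Table -AutoSize

if ($binary.HashMatch -or $autostart.Count -gt 0) {
    Write-Warning 'Host shows the DarkComet indicators from this report: isolate and collect memory before remediating.'
}
```

Because the dropped winupdate.exe is a byte-for-byte copy of the sample, a hash block on the SHA256 above covers both the original and the persisted copy; the registry and process checks catch the case where the file has since been deleted or renamed.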

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windupdt\winupdate.exe
    Filesize: 1.7MB
    MD5: 0da6a5a744a20f2307bea6ac4b2ae6db
    SHA1: 03287ae1adcc2b751d6f70f2e129b131924bd4bf
    SHA256: ba48e7607c54f5a5c943c46bbe060a2ee24c51ac98c9f35ab8442d7fc3cf1eb1
    SHA512: c846375071041b1dc6701de64f8ea6250b68052236f15af0946f11291e47b4be3068ece459f349723c5adc887f7edbda25c2d89adcd06d59d37e40e5f948bb1e
    (every hash matches the submitted sample: the dropped winupdate.exe is a byte-for-byte copy of it, so the same hash indicator covers both)

  • memory/636-79-0x0000000000D00000-0x0000000000D01000-memory.dmp (4KB)

  • memory/1728-0-0x0000000013140000-0x00000000132FC000-memory.dmp (1.7MB)
  • memory/1728-1-0x0000000013140000-0x00000000132FC000-memory.dmp (1.7MB)
  • memory/1728-2-0x0000000013140000-0x00000000132FC000-memory.dmp (1.7MB)
  • memory/1728-3-0x0000000013140000-0x00000000132FC000-memory.dmp (1.7MB)
  • memory/1728-4-0x0000000000710000-0x0000000000711000-memory.dmp (4KB)
  • memory/1728-72-0x0000000013140000-0x00000000132FC000-memory.dmp (1.7MB)

  • memory/2620-76-0x0000000013140000-0x00000000132FC000-memory.dmp (1.7MB)
  • memory/2620-77-0x0000000013140000-0x00000000132FC000-memory.dmp (1.7MB)
  • memory/2620-78-0x0000000013140000-0x00000000132FC000-memory.dmp (1.7MB)
  • memory/2620-80-0x0000000013140000-0x00000000132FC000-memory.dmp (1.7MB)
  • memory/2620-81-0x0000000013140000-0x00000000132FC000-memory.dmp (1.7MB)
  • memory/2620-82-0x0000000013140000-0x00000000132FC000-memory.dmp (1.7MB)
  • memory/2620-83-0x0000000013140000-0x00000000132FC000-memory.dmp (1.7MB)

  • memory/4208-10-0x0000000000400000-0x000000000040D000-memory.dmp (52KB)
  • memory/4208-11-0x0000000000400000-0x000000000040D000-memory.dmp (52KB)
  • memory/4208-12-0x0000000000400000-0x000000000040D000-memory.dmp (52KB)
  • memory/4208-13-0x0000000000BD0000-0x0000000001003000-memory.dmp (4.2MB)

  • memory/4768-6-0x0000000000CC0000-0x0000000000CC1000-memory.dmp (4KB)