Analysis
-
max time kernel
117s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
03-02-2025 23:17
General
-
Target
JaffaCakes118_8d906b9ed7ab800c234db4f13fb173ec.exe
-
Size
479KB
-
MD5
8d906b9ed7ab800c234db4f13fb173ec
-
SHA1
23114352fa03b7765c7528dea58d39a580c0b5e2
-
SHA256
5c2b4e2807ae47b64c730470b31b356e9ec7d5076cf2a273582ef65d05659221
-
SHA512
4852ac66adecf6e66841b95556508bf2ec544ff78bd68ddc9f8d01cf10e39060cb455aeeb493d7955ec81c9134271f22b43ee50f880959c2acaeccdf7c7a3f34
-
SSDEEP
12288:wYU38tWvCBk0+d4Ouz90NWkja7ZRawg1qj136pS8rtft6FJDMI:vgd4OLkk+f+qF6o8hft6Fd
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Darkcomet family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Disables Task Manager via registry modification
-
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
UPX packed file 23 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8d906b9ed7ab800c234db4f13fb173ec.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8d906b9ed7ab800c234db4f13fb173ec.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Crypted.exe"C:\Users\Admin\AppData\Local\Temp\Crypted.exe"3⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h5⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1605492906-110174581-1538989834630409091538511656152641505-456252145815715391"1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
7Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
364KB
MD506f5d39b957927fbf88e7bd337a54c95
SHA11e61377c60f65ef7c9fb92e95e0dc9ad0b02aa99
SHA25637dc1ca88af5f3c14f1dd19326b50b60c14eff8a0b0f45323faf8eb948769fa5
SHA51242b04d9d3404dbd17e59b3508fe38d16295e2e949db19708ce3b5d4c5cca62e1e2971988fd8d8d8bdbdccba1a0bdc4a8582d1fb16b1778028d6557e921bdeb98
-
Filesize
50B
MD5b774ae3fb1da087e1f83b4f7b2060e5a
SHA197eb9be49ac3af9c851c9e1e84e32bfd53e325a8
SHA256adaf4a84b41e410b02e261cfd0fe7739d98647eab73c3badd32ac6e39f26351b
SHA512f75d0f95f7306d26a12b414bfe37b97fbd37546cb3c6e403def7077329ddffb4b45d5c5f0ba0e7bb6d72851d2d691b0a85267beead42f7cbf2e8c3d45a3b4701
-
Filesize
257B
MD5ae32a6e147918a68cb3333d0f3c7125f
SHA18a0b463883eae5e184b68aee063bdb723e327c32
SHA25640b907e33dae893e7e1ca1e98430bf2d0015ec23a104371b179e44d9ca18cd86
SHA51220f9ec6991c4a732abeb8bb6bd2f6fc049ce6b4ac5db935dde4308f33302dbfad898ced89302cabf3583a335e33d560748c4c91c80c1359788fd59c1afcc65d5
-
Filesize
804KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
880KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
880KB
-
Filesize
880KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
880KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
880KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
880KB
-
Filesize
16.6MB