Analysis
-
max time kernel
149s -
max time network
139s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
-
submitted
16-02-2025 02:54
General
-
Target
JaffaCakes118_fed30a16e3b1dbda2f4d15b2aae34168.exe
-
Size
714KB
-
MD5
fed30a16e3b1dbda2f4d15b2aae34168
-
SHA1
604e8a9aa82f44bf55775916094d0d18e8282751
-
SHA256
eda2e447c8bc5d389b98c20385112b9f054b56343731c9b103e7528788a29f46
-
SHA512
4b5043f502a0d002a226d95c1f14f6e66e9e9bfaf080683621467612a479c7bf624d258d5a57e70ccd84157a78242dc1cb46817bc1203b6c5bf4ca2d4fc49295
-
SSDEEP
12288:qaAchpWsuVTv7ItY8XljyypHP7cOLBev03hlULsmWZ++09ZcKDVsgdW:rAEENIq8XwyVPQclDq/+WnpsSW
Malware Config
Extracted
darkcomet
Guest16
192.168.1.100:1604
DC_MUTEX-0PH35V6
-
InstallPath
Windupdt\winupdate.exe
-
gencode
=lr$etRb$*1C
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
winupdater
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Darkcomet family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies firewall policy service 3 TTPs 3 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 4 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fed30a16e3b1dbda2f4d15b2aae34168.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fed30a16e3b1dbda2f4d15b2aae34168.exe"1⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windupdt\winupdate.exe"C:\Windupdt\winupdate.exe"2⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Defense Evasion
Impair Defenses
3Disable or Modify System Firewall
1Disable or Modify Tools
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
119B
MD5bcfc62e042294d2127e2aa5d246b7f7f
SHA1bc5de31d0300058496b2b9a5bb3346f2c9b3b620
SHA256c3d92dd7d5a434bfa1102a476bf01dffaa8b3f87e44aa29edf0524a4f1ff9a30
SHA51297bdaa1c6bf5e59fd8f0652f5f27c7ee304980a5f0c74a98455afad1e50b4466ba7ec2c6a27826ebaaa55941e686baf5b8f6b1fb514df4a51a573f1af29decba
-
Filesize
714KB
MD5fed30a16e3b1dbda2f4d15b2aae34168
SHA1604e8a9aa82f44bf55775916094d0d18e8282751
SHA256eda2e447c8bc5d389b98c20385112b9f054b56343731c9b103e7528788a29f46
SHA5124b5043f502a0d002a226d95c1f14f6e66e9e9bfaf080683621467612a479c7bf624d258d5a57e70ccd84157a78242dc1cb46817bc1203b6c5bf4ca2d4fc49295
-
Filesize
772KB
-
Filesize
772KB
-
Filesize
772KB
-
Filesize
772KB
-
Filesize
772KB
-
Filesize
772KB
-
Filesize
772KB
-
Filesize
4KB
-
Filesize
772KB