Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    16-04-2024 02:33

General

  • Target

    f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe

  • Size

    1.0MB

  • MD5

    f27bcaa1644a3d59b1dbfb38c5aa0d6c

  • SHA1

    d19334e7313a329b264b1236c579136e7e4ea1b0

  • SHA256

    4fdecee78958b17a98fee1b0afa23d35bdf11b38bd543c8b66428bb149dd38c2

  • SHA512

    47096764fcb520594421fe10382739769c0b363fdb3922af52ab18fc6d77db5226bdf8358ff28c4a53f0ed4f87626c8593afa35fabafa083cbdb84a8dbaeccab

  • SSDEEP

    12288:zUZsL8GPNmld8eiGb8f+F54+e6kT6D6BTqU8PfiVp+Xc9gw9z3UKhrhOniBkbdnL:gK3KF+wkP8UYs9NzkTmrRbaS0Vrdvr

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

ultrafucker.no-ip.org:1604

Mutex

DC_MUTEX-XKL4MDM

Attributes
  • InstallPath

    MSDCSC\svchost.exe

  • gencode

    wBVkapugtdJz

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    svchost

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Sets file to hidden 1 TTPs 4 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 7 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2916
    • C:\Users\Admin\AppData\Local\Temp\f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2580
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        3⤵
        • Modifies WinLogon for persistence
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2528
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
          4⤵
            PID:2600
            • C:\Windows\SysWOW64\attrib.exe
              attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
              5⤵
              • Sets file to hidden
              • Drops file in Windows directory
              • Views/modifies file attributes
              PID:580
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
            4⤵
              PID:2560
              • C:\Windows\SysWOW64\attrib.exe
                attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
                5⤵
                • Sets file to hidden
                • Drops file in Windows directory
                • Views/modifies file attributes
                PID:584
            • C:\Windows\SysWOW64\notepad.exe
              notepad
              4⤵
                PID:2896
              • C:\Windows\SysWOW64\MSDCSC\svchost.exe
                "C:\Windows\system32\MSDCSC\svchost.exe"
                4⤵
                • Executes dropped EXE
                PID:1200
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            2⤵
            • Modifies WinLogon for persistence
            • Loads dropped DLL
            • Adds Run key to start application
            • Drops file in System32 directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1184
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
              3⤵
                PID:2672
                • C:\Windows\SysWOW64\attrib.exe
                  attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
                  4⤵
                  • Sets file to hidden
                  • Drops file in Windows directory
                  • Views/modifies file attributes
                  PID:2380
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
                3⤵
                  PID:2424
                  • C:\Windows\SysWOW64\attrib.exe
                    attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
                    4⤵
                    • Sets file to hidden
                    • Drops file in Windows directory
                    • Views/modifies file attributes
                    PID:268
                • C:\Windows\SysWOW64\notepad.exe
                  notepad
                  3⤵
                    PID:2572
                  • C:\Windows\SysWOW64\MSDCSC\wBVkapugtdJz\svchost.exe
                    "C:\Windows\system32\MSDCSC\wBVkapugtdJz\svchost.exe"
                    3⤵
                    • Executes dropped EXE
                    PID:2356

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Windows\SysWOW64\MSDCSC\svchost.exe

                Filesize

                1.1MB

                MD5

                34aa912defa18c2c129f1e09d75c1d7e

                SHA1

                9c3046324657505a30ecd9b1fdb46c05bde7d470

                SHA256

                6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

                SHA512

                d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

              • memory/1184-19-0x0000000000400000-0x00000000004B2000-memory.dmp

                Filesize

                712KB

              • memory/1184-81-0x0000000000400000-0x00000000004B2000-memory.dmp

                Filesize

                712KB

              • memory/1184-21-0x0000000000250000-0x0000000000251000-memory.dmp

                Filesize

                4KB

              • memory/1184-6-0x0000000000400000-0x00000000004B2000-memory.dmp

                Filesize

                712KB

              • memory/1184-8-0x0000000000400000-0x00000000004B2000-memory.dmp

                Filesize

                712KB

              • memory/1184-10-0x0000000000400000-0x00000000004B2000-memory.dmp

                Filesize

                712KB

              • memory/2528-79-0x0000000000400000-0x00000000004B2000-memory.dmp

                Filesize

                712KB

              • memory/2528-20-0x0000000000250000-0x0000000000251000-memory.dmp

                Filesize

                4KB

              • memory/2528-12-0x0000000000400000-0x00000000004B2000-memory.dmp

                Filesize

                712KB

              • memory/2580-5-0x0000000074B20000-0x00000000750CB000-memory.dmp

                Filesize

                5.7MB

              • memory/2580-4-0x00000000022B0000-0x00000000022F0000-memory.dmp

                Filesize

                256KB

              • memory/2580-3-0x0000000074B20000-0x00000000750CB000-memory.dmp

                Filesize

                5.7MB

              • memory/2580-87-0x0000000074B20000-0x00000000750CB000-memory.dmp

                Filesize

                5.7MB

              • memory/2580-88-0x00000000022B0000-0x00000000022F0000-memory.dmp

                Filesize

                256KB

              • memory/2896-22-0x00000000000C0000-0x00000000000C1000-memory.dmp

                Filesize

                4KB

              • memory/2896-64-0x0000000000300000-0x0000000000301000-memory.dmp

                Filesize

                4KB

              • memory/2916-0-0x0000000074B20000-0x00000000750CB000-memory.dmp

                Filesize

                5.7MB

              • memory/2916-2-0x0000000000220000-0x0000000000260000-memory.dmp

                Filesize

                256KB

              • memory/2916-1-0x0000000074B20000-0x00000000750CB000-memory.dmp

                Filesize

                5.7MB

              • memory/2916-85-0x0000000074B20000-0x00000000750CB000-memory.dmp

                Filesize

                5.7MB

              • memory/2916-86-0x0000000000220000-0x0000000000260000-memory.dmp

                Filesize

                256KB