Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-04-2024 02:33

General

  • Target

    f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe

  • Size

    1.0MB

  • MD5

    f27bcaa1644a3d59b1dbfb38c5aa0d6c

  • SHA1

    d19334e7313a329b264b1236c579136e7e4ea1b0

  • SHA256

    4fdecee78958b17a98fee1b0afa23d35bdf11b38bd543c8b66428bb149dd38c2

  • SHA512

    47096764fcb520594421fe10382739769c0b363fdb3922af52ab18fc6d77db5226bdf8358ff28c4a53f0ed4f87626c8593afa35fabafa083cbdb84a8dbaeccab

  • SSDEEP

    12288:zUZsL8GPNmld8eiGb8f+F54+e6kT6D6BTqU8PfiVp+Xc9gw9z3UKhrhOniBkbdnL:gK3KF+wkP8UYs9NzkTmrRbaS0Vrdvr

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

ultrafucker.no-ip.org:1604

Mutex

DC_MUTEX-XKL4MDM

Attributes
  • InstallPath

    MSDCSC\svchost.exe

  • gencode

    wBVkapugtdJz

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    svchost

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies firewall policy service 2 TTPs 3 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 2 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3516
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      2⤵
      • Modifies WinLogon for persistence
      • Adds Run key to start application
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4188
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2132
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
          4⤵
          • Sets file to hidden
          • Drops file in Windows directory
          • Views/modifies file attributes
          PID:380
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3084
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
          4⤵
          • Sets file to hidden
          • Drops file in Windows directory
          • Views/modifies file attributes
          PID:4868
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
          PID:4484
        • C:\Windows\SysWOW64\MSDCSC\svchost.exe
          "C:\Windows\system32\MSDCSC\svchost.exe"
          3⤵
          • Executes dropped EXE
          PID:5080
      • C:\Users\Admin\AppData\Local\Temp\f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4772
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          3⤵
          • Modifies firewall policy service
          • Modifies security service
          • Windows security bypass
          • Disables RegEdit via registry modification
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3852
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
            4⤵
              PID:5044

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe

        Filesize

        1.0MB

        MD5

        f27bcaa1644a3d59b1dbfb38c5aa0d6c

        SHA1

        d19334e7313a329b264b1236c579136e7e4ea1b0

        SHA256

        4fdecee78958b17a98fee1b0afa23d35bdf11b38bd543c8b66428bb149dd38c2

        SHA512

        47096764fcb520594421fe10382739769c0b363fdb3922af52ab18fc6d77db5226bdf8358ff28c4a53f0ed4f87626c8593afa35fabafa083cbdb84a8dbaeccab

      • C:\Windows\SysWOW64\MSDCSC\svchost.exe

        Filesize

        1.1MB

        MD5

        d881de17aa8f2e2c08cbb7b265f928f9

        SHA1

        08936aebc87decf0af6e8eada191062b5e65ac2a

        SHA256

        b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

        SHA512

        5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

      • memory/3516-35-0x0000000000D30000-0x0000000000D40000-memory.dmp

        Filesize

        64KB

      • memory/3516-34-0x00000000745C0000-0x0000000074B71000-memory.dmp

        Filesize

        5.7MB

      • memory/3516-33-0x00000000745C0000-0x0000000074B71000-memory.dmp

        Filesize

        5.7MB

      • memory/3516-0-0x00000000745C0000-0x0000000074B71000-memory.dmp

        Filesize

        5.7MB

      • memory/3516-2-0x0000000000D30000-0x0000000000D40000-memory.dmp

        Filesize

        64KB

      • memory/3516-1-0x00000000745C0000-0x0000000074B71000-memory.dmp

        Filesize

        5.7MB

      • memory/3852-23-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

      • memory/3852-25-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

      • memory/3852-21-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

      • memory/3852-20-0x0000000002180000-0x0000000002181000-memory.dmp

        Filesize

        4KB

      • memory/3852-18-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

      • memory/4188-6-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

      • memory/4188-7-0x0000000002710000-0x0000000002711000-memory.dmp

        Filesize

        4KB

      • memory/4188-30-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

      • memory/4188-5-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

      • memory/4188-4-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

      • memory/4188-3-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

      • memory/4484-22-0x00000000003E0000-0x00000000003E1000-memory.dmp

        Filesize

        4KB

      • memory/4772-14-0x00000000745C0000-0x0000000074B71000-memory.dmp

        Filesize

        5.7MB

      • memory/4772-13-0x0000000000940000-0x0000000000950000-memory.dmp

        Filesize

        64KB

      • memory/4772-12-0x00000000745C0000-0x0000000074B71000-memory.dmp

        Filesize

        5.7MB

      • memory/4772-36-0x00000000745C0000-0x0000000074B71000-memory.dmp

        Filesize

        5.7MB

      • memory/4772-37-0x0000000000940000-0x0000000000950000-memory.dmp

        Filesize

        64KB

      • memory/5044-24-0x0000000000400000-0x000000000051F000-memory.dmp

        Filesize

        1.1MB