Overview

overview

10

Static

static

1

payload.jar

windows7-x64

1

payload.jar

windows10-1703-x64

7

payload.jar

windows10-2004-x64

7

payload.jar

windows11-21h2-x64

10

Resubmissions

16-04-2024 20:34

240416-zcl5asde61 10

16-04-2024 17:52

240416-wfp4ksge93 7

Analysis

  • max time kernel
    212s
  • max time network
    281s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240412-en
  • resource tags

    arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    16-04-2024 20:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    payload.jar

  • Size

    28KB

  • MD5

    b504eb2fb8e625e6967e4bccad1088e8

  • SHA1

    9ca5a29c1f66de5367c30854adb9ed173d7a3fed

  • SHA256

    56c93c26d3305315c2c63442163c6f8d22a6c425013bfe9ee0007849a7f8426b

  • SHA512

    c1ec4d9659f1ebc8f7fec8f85f527262856ae5eca5a9e35514b7f16ece703e19e3cdf8fae3830732fe2bfb3fef56fabc6f36487170220af3b96df7c662d64e5e

  • SSDEEP

    768:I+DjklfoxTKo7eI18lhVzEGtD7JkLg7/swgUCQy6xGHr:I4qo4ZE8VKL8m9QZUHr

Score
10/10
darkgateadmin888discoverystealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

C2

backupssupport.com

Attributes
  • anti_analysis

    true

  • anti_debug

    false

  • anti_vm

    true

  • c2_port

    80

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    rNDPYLnH

  • minimum_disk

    50

  • minimum_ram

    4000

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    admin888

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

    stealerdarkgate
  • Detect DarkGate stealer 2 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\payload.jar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2208
    • C:\Windows\system32\icacls.exe
      C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
      2⤵
      • Modifies file permissions
      PID:4572
    • C:\Windows\SYSTEM32\wscript.exe
      wscript C:\downloads\index.wsf
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of WriteProcessMemory
      PID:2672
      • C:\CuS6\Autohotkey.exe
        "C:\CuS6\Autohotkey.exe" "c:\CuS6\script.ahk"
        3⤵
        • Executes dropped EXE
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:4592

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\CuS6\AutoHotkey.exe
    Filesize

    892KB

    MD5

    a59a2d3e5dda7aca6ec879263aa42fd3

    SHA1

    312d496ec90eb30d5319307d47bfef602b6b8c6c

    SHA256

    897b0d0e64cf87ac7086241c86f757f3c94d6826f949a1f0fec9c40892c0cecb

    SHA512

    852972ca4d7f9141ea56d3498388c61610492d36ea7d7af1b36d192d7e04dd6d9bc5830e0dcb0a5f8f55350d4d8aaac2869477686b03f998affbac6321a22030

    Download Submit

  • C:\CuS6\file.zip
    Filesize

    777KB

    MD5

    60817831fc3ea259d45c9a537172f080

    SHA1

    bc6be7d44565b13e1008a3b962abc9bc6ee44217

    SHA256

    75d89fd4aa29e97e8859bdf734602490da0f90a4fd5213f737857d971c82e80c

    SHA512

    02fc5b1202897e0d1d99ff636ab43b9d4bb6335f1fc538bd63d361b4025584f8196504f4366668dc919c1c8cb52eea3742fdf8746748dae00bef4af0c606ebdd

    Download Submit

  • C:\CuS6\test.txt
    Filesize

    930KB

    MD5

    09d0df57b9e2d00852322828d9791bec

    SHA1

    9c31734e88aaa19934cfd490a088d1d255103db7

    SHA256

    51163c6eb169dfe30ebdbdc3193c25ecb264b7bd6e2e250be9824563f383464f

    SHA512

    11479b5c09a3bb0b0216908895b7f6c6f6f640fc493b7463402ce796c3cd54bfca8443e8889f5a4f352d830074c08c6e75035618ee17db4f144023b853709ba6

    Download Submit

  • C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
    Filesize

    46B

    MD5

    c9663cdddec1bffac7e331260603ebc9

    SHA1

    ea0ea3a6ddae1ce1924864049f8dfb344823c905

    SHA256

    ac7705f313d1f9f68a6913f72797f41c80609b4d1444cacce42fbc5826b84185

    SHA512

    ff4ef3458fa48b943ba4b1377994512a9e9a85f41e4d0630320d16a9122304b6f499b6e1aacb0d6be020770e99d7b7d6a39734af7b725da613934cf4ac6cc515

    Download Submit

  • C:\downloads\index.wsf
    Filesize

    243KB

    MD5

    60e923dc50030bf27a8aa27c0eeff59c

    SHA1

    047262b4503b784dfe7d13b4bc990ebefa9056a0

    SHA256

    a5e655ef647c441240212e9544ffde5583a81546775a4388e64f5952308ab58a

    SHA512

    542895a3a0e20e8cf3488189323bccb4fdc2d5af108811335baaae2ab384edcc92ecab63d3ee6378529371346ec2fcc7206019fa37df17ddf923507945816795

    Download Submit

  • \??\c:\CuS6\script.ahk
    Filesize

    441B

    MD5

    334f3fd6c9fe35fa7d5e7d2780d636ee

    SHA1

    127f6bc9b9a42bf7036c3f39d66c87d32cddeaa2

    SHA256

    1c4d704dcf8a341a8a6129743b1eb84681d53c4459cdb62fe2954e41adfed961

    SHA512

    03389f83f96d6641e60003b6787a2f2726fc0affb6de9b9f92512fc79c49ca1c8d5448e3111f696ca1aa1c2b7268017f819e56292e8a3ed7d2d5f9224efb8e22

    Download Submit

  • memory/2208-18-0x00000254A3420000-0x00000254A4420000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/2208-38-0x00000254A3420000-0x00000254A4420000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/2208-41-0x00000254A3420000-0x00000254A4420000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/2208-47-0x00000254A3420000-0x00000254A4420000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/2208-50-0x00000254A1AF0000-0x00000254A1AF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2208-55-0x00000254A1AF0000-0x00000254A1AF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2208-33-0x00000254A3420000-0x00000254A4420000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/2208-25-0x00000254A3420000-0x00000254A4420000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/2208-4-0x00000254A3420000-0x00000254A4420000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/2208-13-0x00000254A1AF0000-0x00000254A1AF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2208-12-0x00000254A1AF0000-0x00000254A1AF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4592-123-0x0000000004B40000-0x0000000004BB5000-memory.dmp

    Filesize

    468KB

    Download

  • memory/4592-125-0x0000000004B40000-0x0000000004BB5000-memory.dmp

    Filesize

    468KB

    Download