Overview

overview

10

Static

static

3

f9197d5a2e...18.exe

windows7-x64

10

f9197d5a2e...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    19-04-2024 00:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f9197d5a2e2d7a2b2f80bb387f7d2c28_JaffaCakes118.exe

  • Size

    1.2MB

  • MD5

    f9197d5a2e2d7a2b2f80bb387f7d2c28

  • SHA1

    4852766feb4948903bc09c9a493bf0f0398c0095

  • SHA256

    5bfa91a23214f1a4bba7efffd224e5fdde2e7b69ecd9fe286b62451585c577a9

  • SHA512

    6a53efdd665ccc6cc0bcd287809326ec9af28b584d14bf448d944fdbca27abde5362353c5793277bd29cffb79a322d034721d120060574aa667335551eff8718

  • SSDEEP

    24576:Y2O/GlDHqFHHVDFNEzQbCG3/QJfSPXYuTfx8n2VuFSWVxNu:nHUYQjQhUo0WbsGxQ

Score
10/10
darkcometnewbaby2evasionpersistencerattrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

NEWBABY2

C2

dcthings.changeip.org:988

Mutex

DC_MUTEX-HMSY2RH

Attributes
  • gencode

    a2CQEonCR87h

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f9197d5a2e2d7a2b2f80bb387f7d2c28_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f9197d5a2e2d7a2b2f80bb387f7d2c28_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2992
    • C:\Users\Admin\85yd658866kut\ppirvcydqcw.exe
      "C:\Users\Admin\85yd658866kut\ppirvcydqcw.exe" qzkhxqu
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2760
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2612

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\85YD65~1\vyxlzmmjau.KRY
    Filesize

    146B

    MD5

    f8f28e7c74bd6a4cc7df56669afa88cf

    SHA1

    7bb80e39c9110df945606e130487d9d6640b070b

    SHA256

    c77b3f14f6b629c255ca6a3a670a2a74c745fb81eaaa889b48f1e6f40b2204dd

    SHA512

    36ce3e93494ab29b2993053915848719d2323767fc728eb48bec9fb2b779e134fd4bf8af6e2c3a62308ec1cf103146c6af63d83afd870cd7293fd4d7f34e1a52

    Download Submit

  • C:\Users\Admin\85YD65~1\xoutq.UQF
    Filesize

    251KB

    MD5

    ee86c399347a94cc72e7f7265beaad5f

    SHA1

    fac42d67f75805b995f5e64cdb1396f931b93373

    SHA256

    bbbc1f71ad5a62ee9c0d79027b92d8e8507e53ca0e25cb6927f05dc3f488cd11

    SHA512

    728c9f1e38d91af7aa9cc3e02960c666891103cba59db77aa332937c9dc158b8e7d5c866f34831b18381e87d8c10fd8e6dc5918e33c40481c1d7aa73e885e80d

    Download Submit

  • C:\Users\Admin\85yd658866kut\qzkhxqu
    Filesize

    710.9MB

    MD5

    040c0ca4e6d406e859e4b3d3a762d801

    SHA1

    239418df64e0282a85ac8f2485314c905fcd5c7e

    SHA256

    67f2a26a4a4c06ddaec5cc24766ec91706e2035f92397b28c4d84bf510bb565a

    SHA512

    ab845c212d7ef3d66c8fb37e76ed70fadb1caf5d9958abbf101e23710a8a819c31571161668143b6adf3645a4e6727287b63ce757a6e1986677c46e65073d6fb

    Download Submit

  • \Users\Admin\85yd658866kut\ppirvcydqcw.exe
    Filesize

    910KB

    MD5

    330c70c8a9a4add2f13b5d896e335574

    SHA1

    8b50e8ed46359453ddd2f95fb666eaa0688e33f9

    SHA256

    767e7e13b2dd575a03e92e687c973248bef7a0f17984a69cdf052ea0d342dc16

    SHA512

    0c0eaabd34d93440df485a0f2682de919417fc6eefb18b296354eee49aae45b9f117a580e6bdbc9d9480f80e67ac14943f364e8f8b4c4342656331ca5d7aede3

    Download Submit

  • memory/2612-30-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2612-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2612-28-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2612-32-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2612-33-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2612-35-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2612-36-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2612-37-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2612-38-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2612-39-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2612-40-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

    Download