Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-05-2024 00:30

General

  • Target

    0cfbd4e91dea075e7f3731ed5116c945_JaffaCakes118.exe

  • Size

    1.3MB

  • MD5

    0cfbd4e91dea075e7f3731ed5116c945

  • SHA1

    ab10a58d6cdfa713405c6f3ea32bcea5fb01567a

  • SHA256

    e01c2cb5400fc2b1739f6705ecd0b4ce42c7339f0101c4d92d40ec2db07a0956

  • SHA512

    0bfc21a4c6b54433b91d37036f2d72f51cdce0edfa7ab3422635f6b4925c142a6c156a0fb1151006f1de1c19460e1e47c46a61ec5418ce8c109b4a1b932407f7

  • SSDEEP

    24576:vZ1xuVVjfFoynPaVBUR8f+kN10EByZ1xuVVjfFoynPaVBUR8f+kN10EB8:RQDgok30VQDgok30L

Malware Config

Extracted

Family

darkcomet

Botnet

Áàòàðåéêà

C2

178.46.120.54:1604

Mutex

DC_MUTEX-NSKK5Q3

Attributes
  • InstallPath

    APP#\msdcsc.exe

  • gencode

    LasvCxAaw4RN

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 2 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes so the file is not shown in Explorer and similar tools.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0cfbd4e91dea075e7f3731ed5116c945_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0cfbd4e91dea075e7f3731ed5116c945_JaffaCakes118.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2872
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Virus.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Virus.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3004
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Virus.exe" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2436
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Virus.exe" +s +h
          4⤵
          • Sets file to hidden
          • Drops startup file
          • Views/modifies file attributes
          PID:292
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2588
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" +s +h
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:2408
      • C:\Users\Admin\AppData\Roaming\APP#\msdcsc.exe
        "C:\Users\Admin\AppData\Roaming\APP#\msdcsc.exe"
        3⤵
        • Modifies security service
        • Windows security bypass
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:2444
    • C:\Users\Admin\AppData\Local\Temp\Ìàêðîñ.exe
      "C:\Users\Admin\AppData\Local\Temp\Ìàêðîñ.exe"
      2⤵
      • Executes dropped EXE
      PID:2636

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Ìàêðîñ.exe

    Filesize

    668KB

    MD5

    2269a69bf8d016c3916631603fbdcad3

    SHA1

    26c8d00cb8b1c0eb64c11b15c8db46ccb3ac1ff0

    SHA256

    e8b8d67fe55fe4530b29b5a0e3cec32740fbe2b56235729046d5011cf3dccc09

    SHA512

    ed66c85f78cab40c07cc87b80b6cc4a9c3ec3429cae58132520312d199ba2ba051950188f14b702ca4033bd81cca61a88e7f6b1191cad150968150de90d2d3e6

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Virus.exe

    Filesize

    659KB

    MD5

    26144f316dc5f581b868123ead319687

    SHA1

    46f870dd0033323a629676309e19d2ce48a8dc3a

    SHA256

    6321ae811ff96e6ddf1fe35abb80a6fa6a3f6866793c5d7e8de2bb191fd206e1

    SHA512

    1921b066907984e4d1cc4e87a195154538ed779e794aba0f5eec8eaa9d17fde0b7df13d0333f1c562a2b19d7a1544a020432fa693d47fffe2fda5c29ba36223c

  • memory/2444-33-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/2444-35-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/2444-37-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/2444-39-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/2636-19-0x0000000000400000-0x00000000004AE000-memory.dmp

    Filesize

    696KB

  • memory/2872-17-0x0000000000400000-0x0000000000555000-memory.dmp

    Filesize

    1.3MB

  • memory/3004-32-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB