Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    03-05-2024 15:32

General

  • Target

    10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe

  • Size

    658KB

  • MD5

    10d86ea86bf22d7dfdfd4fe1e5f174e5

  • SHA1

    c150c81bbd9e79265449e386dd4f2c597de51801

  • SHA256

    9fa03c7aff5ea9ad90dc5f178b87ee4d79b414814ec1b8c7ee6d2f5685157d07

  • SHA512

    548f55237310a8d1bcd07b939364391832e58829b1bf5eaa11cdad7a7ffb58e51a90a7cf7fb29dc992ee5cb6bf9d21a21bd8d40996ea22548346655f03ea22dc

  • SSDEEP

    12288:u9HMeUmcufrvA3kb445UEJ2jsWiD4EvFuu4cNgZhCiZKD/XdyFE:6iBIGkbxqEcjsWiDxguehC2Sr

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

127.0.0.1:1604

Mutex

DC_MUTEX-ECAZT3D

Attributes
  • gencode

    j6rbVHgXif2y

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies firewall policy service 2 TTPs 3 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe"
    1⤵
    • Modifies firewall policy service
    • Disables RegEdit via registry modification
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2912
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe" +s +h
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2588
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Users\Admin\AppData\Local\Temp\10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe" +s +h
        3⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:2688
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2148
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        3⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:2560
    • C:\Windows\SysWOW64\notepad.exe
      notepad
      2⤵
        PID:2952

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2912-0-0x0000000000260000-0x0000000000261000-memory.dmp

      Filesize

      4KB

    • memory/2912-27-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

    • memory/2912-28-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

    • memory/2912-30-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

    • memory/2912-32-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

    • memory/2912-33-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

    • memory/2912-34-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

    • memory/2952-1-0x0000000000080000-0x0000000000081000-memory.dmp

      Filesize

      4KB

    • memory/2952-26-0x00000000001E0000-0x00000000001E1000-memory.dmp

      Filesize

      4KB