Analysis

  • max time kernel
    140s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-05-2024 15:32

General

  • Target

    10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe

  • Size

    658KB

  • MD5

    10d86ea86bf22d7dfdfd4fe1e5f174e5

  • SHA1

    c150c81bbd9e79265449e386dd4f2c597de51801

  • SHA256

    9fa03c7aff5ea9ad90dc5f178b87ee4d79b414814ec1b8c7ee6d2f5685157d07

  • SHA512

    548f55237310a8d1bcd07b939364391832e58829b1bf5eaa11cdad7a7ffb58e51a90a7cf7fb29dc992ee5cb6bf9d21a21bd8d40996ea22548346655f03ea22dc

  • SSDEEP

    12288:u9HMeUmcufrvA3kb445UEJ2jsWiD4EvFuu4cNgZhCiZKD/XdyFE:6iBIGkbxqEcjsWiDxguehC2Sr

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

127.0.0.1:1604

Mutex

DC_MUTEX-ECAZT3D

Attributes
  • gencode

    j6rbVHgXif2y

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies firewall policy service 2 TTPs 3 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe"
    1⤵
    • Modifies firewall policy service
    • Disables RegEdit via registry modification
    • Checks computer location settings
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe" +s +h
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2408
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Users\Admin\AppData\Local\Temp\10d86ea86bf22d7dfdfd4fe1e5f174e5_JaffaCakes118.exe" +s +h
        3⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:1384
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1504
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        3⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:1740
    • C:\Windows\SysWOW64\notepad.exe
      notepad
      2⤵
        PID:1624
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 80
          3⤵
          • Program crash
          PID:4448
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1624 -ip 1624
      1⤵
        PID:4540

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1624-1-0x0000000001050000-0x0000000001051000-memory.dmp

        Filesize

        4KB

      • memory/2180-0-0x0000000002270000-0x0000000002271000-memory.dmp

        Filesize

        4KB

      • memory/2180-3-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB