Analysis

  • max time kernel: 150s
  • max time network: 148s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240419-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 06-05-2024 07:29

General

  • Target: 1b6b13653278e38989a3ab4025a69a97_JaffaCakes118.exe
  • Size: 6.7MB
  • MD5: 1b6b13653278e38989a3ab4025a69a97
  • SHA1: 4d9573df4054a6cfc2d2d3ea91876368a95e405a
  • SHA256: 1b75e1edeb875c5218baebebc304a5acab2de18c8970506d4fb0dfcae2ef13c4
  • SHA512: 7b9e554a6414f1751addce0b158bfbc107f772c13e6dd52d16989f0f33c0afabe11a4d854afe2614166401cdffdf77564b79db894f2f61556cb91dc5525f325b
  • SSDEEP: 196608:nwk9Yh8IRzdq9DK+C/J4X3hDzFLcje2x1Rzf+Qkc5OsHuyDjKa:nw79q9DdCJ41Geu1Rzf+lA7uyDjKa

Malware Config

Extracted

  • Family: darkcomet
  • Botnet: Guest16
  • C2: andreprivet.ddns.net:1604
  • Mutex: DC_MUTEX-RWR5U28

Attributes

  • InstallPath: zh-PH\WWAHost.exe
  • gencode: WolGzuCR4Xlr
  • install: true
  • offline_keylogger: true
  • persistence: false
  • reg_key: WAHost

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  • Modifies firewall policy service (2 TTPs, 3 IoCs)
  • Sets file to hidden (1 TTP, 2 IoCs)

    Modifies file attributes so the file does not appear in Explorer and similar tools.

  • Checks computer location settings (2 TTPs, 3 IoCs)

    Looks up the country code configured in the registry, likely as a geofence check.

  • Executes dropped EXE (3 IoCs)
  • UPX packed file (8 IoCs)

    Detects executables packed with the UPX open-source packer or a modified variant of it.

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Drops file in System32 directory (3 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class (1 IoC)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (52 IoCs)
  • Suspicious use of FindShellTrayWindow (5 IoCs)
  • Suspicious use of SendNotifyMessage (4 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (48 IoCs)
  • Views/modifies file attributes (1 TTP, 2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\1b6b13653278e38989a3ab4025a69a97_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1b6b13653278e38989a3ab4025a69a97_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4904
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\start.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4856
      • C:\Users\Admin\AppData\Roaming\11.exe
        11.exe -p03658512984 -dC:\Users\Admin\AppData\Roaming
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1916
        • C:\Users\Admin\AppData\Roaming\po.exe
          "C:\Users\Admin\AppData\Roaming\po.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2652
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\po.exe" +s +h
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4168
            • C:\Windows\SysWOW64\attrib.exe
              attrib "C:\Users\Admin\AppData\Roaming\po.exe" +s +h
              6⤵
              • Sets file to hidden
              • Views/modifies file attributes
              PID:2812
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming" +s +h
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2484
            • C:\Windows\SysWOW64\attrib.exe
              attrib "C:\Users\Admin\AppData\Roaming" +s +h
              6⤵
              • Sets file to hidden
              • Views/modifies file attributes
              PID:1312
          • C:\Windows\SysWOW64\zh-PH\WWAHost.exe
            "C:\Windows\system32\zh-PH\WWAHost.exe"
            5⤵
            • Modifies firewall policy service
            • Executes dropped EXE
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2132
            • C:\Windows\SysWOW64\notepad.exe
              notepad
              6⤵
              PID:4920
          • C:\Program Files\VideoLAN\VLC\vlc.exe
            "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\12.mp3"
            4⤵
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            PID:5104
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x3d0 0x464
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4984

Downloads

  • C:\Users\Admin\AppData\Roaming\11.exe
    Filesize: 6.6MB
    MD5: eea149721c01291896b69895fd414964
    SHA1: cd7f559e2847a6d26679472040ecc05ab8eef548
    SHA256: 5c4bf3713ff356a995d6fa59b7e68105ab4385cd22f6f519fbe3bdf993add823
    SHA512: e01aec03356ac64b704d42bf764e89bb286a966f5c2da65201737a5af1accab04d5be8be5f07833a96b5525c9697334bcbddde2ad6f1e6932d7d526a352ea7a7

  • C:\Users\Admin\AppData\Roaming\12.mp3
    Filesize: 7.1MB
    MD5: 994ed675fa3c1ec9be2dc88f80a54d6c
    SHA1: 0be3478c5cbe848ea920d87c7853aec2c3d990fa
    SHA256: 95012f310436a52c4e083fabdf42db4c8d3242bc42689b63e8e613f73696d924
    SHA512: 38e04c70da86d6a1b473188789712236c09967139581da9578c23804d56f2866b3b1fb2cf115658624c0d6e044f00ba804b8c4efbbb77926b4affdc84af6f901

  • C:\Users\Admin\AppData\Roaming\po.exe
    Filesize: 251KB
    MD5: 010b72d9045c7aede13473e1f4514ca9
    SHA1: 50cc0ba901b8bc1cfd34a277af34b7f666d1f693
    SHA256: 67bd0a65268d058dbf0ca7cd6a4b30060a4aa60bfd3d59c04768b1422d7f433a
    SHA512: 1c492a8927196c028c49931bbc99f6f1dd26f4d97eca35d576c953786d3101119910bb39d9a22b1a65289ad3d66c703bc69305ca616372f03443a17bfc0b3a65

  • C:\Users\Admin\AppData\Roaming\start.bat
    Filesize: 32B
    MD5: d9b4214e353ba616f5edc2633ba76e36
    SHA1: a69e0090704947fd72fbfab013699aa56896121b
    SHA256: f027b25ce42d032279e22532ebae52023482a4fb278d4c3159ccab3102e0fc28
    SHA512: 9d89a0fa65de20b5a089e304939f0da1a34d5ee0509564c42de63e164a1216df31f5e0f0a208f2b9851c33902ef568853322f3df02a0415c78ed66be16b78121

  • memory/2132-39-0x0000000000400000-0x00000000004B7000-memory.dmp
    Filesize: 732KB
  • memory/2132-53-0x0000000000400000-0x00000000004B7000-memory.dmp
    Filesize: 732KB
  • memory/2132-110-0x0000000000400000-0x00000000004B7000-memory.dmp
    Filesize: 732KB
  • memory/2132-91-0x0000000000400000-0x00000000004B7000-memory.dmp
    Filesize: 732KB
  • memory/2132-72-0x0000000000400000-0x00000000004B7000-memory.dmp
    Filesize: 732KB
  • memory/2652-25-0x0000000000400000-0x00000000004B7000-memory.dmp
    Filesize: 732KB
  • memory/2652-42-0x0000000000400000-0x00000000004B7000-memory.dmp
    Filesize: 732KB
  • memory/4920-40-0x0000000001180000-0x0000000001181000-memory.dmp
    Filesize: 4KB
  • memory/5104-71-0x00007FF81A4E0000-0x00007FF81A4FB000-memory.dmp
    Filesize: 108KB
  • memory/5104-64-0x00007FF819620000-0x00007FF81982B000-memory.dmp
    Filesize: 2.0MB
  • memory/5104-62-0x00007FF81AAC0000-0x00007FF81AADD000-memory.dmp
    Filesize: 116KB
  • memory/5104-70-0x00007FF81A500000-0x00007FF81A511000-memory.dmp
    Filesize: 68KB
  • memory/5104-69-0x00007FF81A520000-0x00007FF81A531000-memory.dmp
    Filesize: 68KB
  • memory/5104-68-0x00007FF81A540000-0x00007FF81A551000-memory.dmp
    Filesize: 68KB
  • memory/5104-67-0x00007FF81AA30000-0x00007FF81AA48000-memory.dmp
    Filesize: 96KB
  • memory/5104-66-0x00007FF81A560000-0x00007FF81A581000-memory.dmp
    Filesize: 132KB
  • memory/5104-65-0x00007FF81AA50000-0x00007FF81AA91000-memory.dmp
    Filesize: 260KB
  • memory/5104-61-0x00007FF81AAE0000-0x00007FF81AAF1000-memory.dmp
    Filesize: 68KB
  • memory/5104-56-0x00007FF81AD40000-0x00007FF81AFF6000-memory.dmp
    Filesize: 2.7MB
  • memory/5104-60-0x00007FF81AB00000-0x00007FF81AB17000-memory.dmp
    Filesize: 92KB
  • memory/5104-59-0x00007FF828A60000-0x00007FF828A71000-memory.dmp
    Filesize: 68KB
  • memory/5104-58-0x00007FF829520000-0x00007FF829537000-memory.dmp
    Filesize: 92KB
  • memory/5104-57-0x00007FF829860000-0x00007FF829878000-memory.dmp
    Filesize: 96KB
  • memory/5104-63-0x00007FF81AAA0000-0x00007FF81AAB1000-memory.dmp
    Filesize: 68KB
  • memory/5104-55-0x00007FF829790000-0x00007FF8297C4000-memory.dmp
    Filesize: 208KB
  • memory/5104-54-0x00007FF747D90000-0x00007FF747E88000-memory.dmp
    Filesize: 992KB