Overview

overview

10

Static

static

3

4971cbda2c...18.exe

windows7-x64

1

4971cbda2c...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-05-2024 04:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4971cbda2ce4bdf86dec04ac74312294_JaffaCakes118.exe

  • Size

    1.1MB

  • MD5

    4971cbda2ce4bdf86dec04ac74312294

  • SHA1

    6210ca0a46cf544c43ab17b04097900b75c59a60

  • SHA256

    cdcff159a39016096b8e853db27c3769c74a2701cc8f5449c560f635c0f1eb49

  • SHA512

    88e8ddbafa13b2034472ded0120601d87b5edc8de68de8e3bf8978bb8f7eb63bf36ae86440c5e2477fe2172ea15a98e1b27b9141f1aea060c7a5f17883234f99

  • SSDEEP

    24576:lMDMXJRHMTFbwtDTA4HwjonDRMy3IMj1dwlfj:lBRsT5GDTNHwAM4IMfwNj

Score
10/10
darkcometnostaleevasionpersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Nostale

C2

nostalehackerteam23.ddns.net:1605

Mutex

DC_MUTEX-6B09PS6

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    tRYKJDK6obFj

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies firewall policy service 2 TTPs 3 IoCs
    evasion
  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\4971cbda2ce4bdf86dec04ac74312294_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4971cbda2ce4bdf86dec04ac74312294_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:5088
    • C:\Users\Admin\AppData\Local\Temp\Encryptado.exe
      "C:\Users\Admin\AppData\Local\Temp\Encryptado.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4884
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\Encryptado.exe" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4428
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp\Encryptado.exe" +s +h
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:4748
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1684
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:4656
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
          PID:4896
        • C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe
          "C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe"
          3⤵
          • Modifies firewall policy service
          • Modifies security service
          • Windows security bypass
          • Disables RegEdit via registry modification
          • Executes dropped EXE
          • Windows security modification
          • Adds Run key to start application
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:768
          • C:\Windows\SysWOW64\notepad.exe
            notepad
            4⤵
              PID:2244

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Create or Modify System Process

      2
      T1543

      Windows Service

      2
      T1543.003

      Privilege Escalation

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Create or Modify System Process

      2
      T1543

      Windows Service

      2
      T1543.003

      Defense Evasion

      Modify Registry

      6
      T1112

      Impair Defenses

      2
      T1562

      Disable or Modify Tools

      2
      T1562.001

      Hide Artifacts

      2
      T1564

      Hidden Files and Directories

      2
      T1564.001

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Encryptado.exe
        Filesize

        756KB

        MD5

        4480f6a6936492314fb069023d45274a

        SHA1

        83de4c2c45ac4f190c47c88f237761bf7bcfd248

        SHA256

        c7045a77c41067048f52cbe1bcce1e8dc09bb0264e4f2acbc882798272fe962d

        SHA512

        7b5f18719cf50cb3e41032d11efb34241f901aa1f3ddcb2ed28a29f31bd55a105747f4314a3caa1b6d0046cc6075299e35a9189781c6ba8169cdacdb67e50be2

        Download Submit
      • memory/768-97-0x0000000000400000-0x00000000004CA000-memory.dmp
        Filesize

        808KB

        Download
      • memory/768-95-0x0000000000400000-0x00000000004CA000-memory.dmp
        Filesize

        808KB

        Download
      • memory/768-100-0x0000000000400000-0x00000000004CA000-memory.dmp
        Filesize

        808KB

        Download
      • memory/768-99-0x0000000000400000-0x00000000004CA000-memory.dmp
        Filesize

        808KB

        Download
      • memory/768-98-0x0000000000400000-0x00000000004CA000-memory.dmp
        Filesize

        808KB

        Download
      • memory/768-89-0x0000000000400000-0x00000000004CA000-memory.dmp
        Filesize

        808KB

        Download
      • memory/768-96-0x0000000000400000-0x00000000004CA000-memory.dmp
        Filesize

        808KB

        Download
      • memory/768-101-0x0000000000400000-0x00000000004CA000-memory.dmp
        Filesize

        808KB

        Download
      • memory/768-94-0x0000000000400000-0x00000000004CA000-memory.dmp
        Filesize

        808KB

        Download
      • memory/768-102-0x0000000000400000-0x00000000004CA000-memory.dmp
        Filesize

        808KB

        Download
      • memory/768-93-0x0000000000400000-0x00000000004CA000-memory.dmp
        Filesize

        808KB

        Download
      • memory/768-92-0x0000000000400000-0x00000000004CA000-memory.dmp
        Filesize

        808KB

        Download
      • memory/768-91-0x0000000000400000-0x00000000004CA000-memory.dmp
        Filesize

        808KB

        Download
      • memory/768-90-0x0000000000400000-0x00000000004CA000-memory.dmp
        Filesize

        808KB

        Download
      • memory/2244-86-0x0000000001290000-0x0000000001291000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4884-21-0x00000000022C0000-0x00000000022C1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4884-87-0x0000000000400000-0x00000000004CA000-memory.dmp
        Filesize

        808KB

        Download
      • memory/4896-27-0x0000000000710000-0x0000000000711000-memory.dmp
        Filesize

        4KB

        Download
      • memory/5088-8-0x0000000074B60000-0x0000000075310000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/5088-26-0x0000000074B60000-0x0000000075310000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/5088-9-0x0000000074B60000-0x0000000075310000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/5088-0-0x0000000074B6E000-0x0000000074B6F000-memory.dmp
        Filesize

        4KB

        Download
      • memory/5088-7-0x0000000074B60000-0x0000000075310000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/5088-6-0x00000000051A0000-0x00000000051F6000-memory.dmp
        Filesize

        344KB

        Download
      • memory/5088-5-0x0000000004F10000-0x0000000004F1A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/5088-4-0x0000000004F50000-0x0000000004FE2000-memory.dmp
        Filesize

        584KB

        Download
      • memory/5088-3-0x0000000005460000-0x0000000005A04000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/5088-2-0x0000000004E10000-0x0000000004EAC000-memory.dmp
        Filesize

        624KB

        Download
      • memory/5088-1-0x0000000000460000-0x00000000004BE000-memory.dmp
        Filesize

        376KB

        Download