Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
18-05-2024 22:51
General
-
Target
573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe
-
Size
659KB
-
MD5
573dd6b96b2cb193e39ab445b2e83394
-
SHA1
00a40367a59949abf338a9ec2f8f9e21f46f62aa
-
SHA256
daadde44c8f95623f5d49dee98b69a9e929a4e15c02bbaef9ade1a3a5c8362f6
-
SHA512
73b96a148fc898011ff4faff2eff125fc55ef9bf86c1efc3897edfc9082878d45c953194f7b51c9cbf819c6486e31701a4116ceda5b47c2e185892c5d7a1a15a
-
SSDEEP
12288:S9HMeUmcufrvA3kb445UEJ2jsWiD4EvFuu4cNgZhCiZK3/X:+iBIGkbxqEcjsWiDxguehC2+
Malware Config
Extracted
darkcomet
Guest17
mining1399.no-ip.biz:8080
DC_MUTEX-PB1VQWK
-
InstallPath
Memory\System.exe
-
gencode
jb09jTdM48qG
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 2 IoCs
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 37 IoCs
-
System policy modification 1 TTPs 3 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe" +s +h2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe" +s +h3⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Roaming\Memory\System.exe"C:\Users\Admin\AppData\Roaming\Memory\System.exe"2⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\notepad.exenotepad3⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Memory\System.exeFilesize
659KB
MD5573dd6b96b2cb193e39ab445b2e83394
SHA100a40367a59949abf338a9ec2f8f9e21f46f62aa
SHA256daadde44c8f95623f5d49dee98b69a9e929a4e15c02bbaef9ade1a3a5c8362f6
SHA51273b96a148fc898011ff4faff2eff125fc55ef9bf86c1efc3897edfc9082878d45c953194f7b51c9cbf819c6486e31701a4116ceda5b47c2e185892c5d7a1a15a
-
memory/2056-71-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2056-73-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2056-69-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2056-70-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2056-64-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2056-65-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2056-66-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2056-67-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2056-77-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2056-68-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2056-76-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2056-75-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2056-72-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2056-61-0x00000000022A0000-0x00000000022A1000-memory.dmpFilesize
4KB
-
memory/2056-74-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/4280-0-0x0000000002140000-0x0000000002141000-memory.dmpFilesize
4KB
-
memory/4280-63-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/4340-62-0x0000000001170000-0x0000000001171000-memory.dmpFilesize
4KB