Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
20-05-2024 18:48
General
-
Target
60a23c51894524a344bfecab6532dc7f_JaffaCakes118.exe
-
Size
541KB
-
MD5
60a23c51894524a344bfecab6532dc7f
-
SHA1
fb84a84cb7e6ce0ecf8fc75ffcf162ddcaffcdd7
-
SHA256
57ea796132c2aaab208d837a2405013f5aff35f7808db136032540ca5af6388f
-
SHA512
a43f13af5fc0beeec1802a8541cd79104766e82b4770221e0e8bfe78df48b04267d0b777a457badee7a548d90bcd7786048e616e666e566a80e20d8cf4a3ca52
-
SSDEEP
12288:T2ghLvPhXpe3PliT+tcuncgmkJx6uWyQ9I0xyWgs+1r:1XhZgPloumkJx/PCILWl+l
Malware Config
Extracted
darkcomet
Guest16
37.45.181.235:1604
coldwarn.ddns.net:1604
coldwarn.ddns.net:8621
valparusfive.ddns.net:1604
DC_MUTEX-J03NXGL
-
InstallPath
MSDC1SC\msd1csc.exe
-
gencode
jyVpYcNsHGRM
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate1
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 2 IoCs
-
Disables Task Manager via registry modification
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
UPX packed file 12 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 57 IoCs
-
System policy modification 1 TTPs 3 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\60a23c51894524a344bfecab6532dc7f_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\60a23c51894524a344bfecab6532dc7f_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Gekon.exe"C:\Users\Admin\AppData\Roaming\Gekon.exe"2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Gekon.exe" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Roaming\Gekon.exe" +s +h4⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Roaming" +s +h4⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\notepad.exenotepad3⤵
-
C:\Users\Admin\AppData\Local\Temp\MSDC1SC\msd1csc.exe"C:\Users\Admin\AppData\Local\Temp\MSDC1SC\msd1csc.exe"3⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\notepad.exenotepad4⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Gekon.exeFilesize
252KB
MD56f648790e3f364b7885b15a75dc84e90
SHA11e53de6d72c77796efc313becf40575cf0a464db
SHA25630bcb57982cf131921d229ea13f6b1086bdd722266fde287609a31fb1896184a
SHA5128bb05a9d42e65016fe171cd3d6ed38c06c7b990aad3efdb5494bd89dd29b2031b3bce3aeb4f4999052a4a6ba95a18465da15203fd599dd35935b7fd432d0aa40
-
memory/620-76-0x0000000000990000-0x0000000000991000-memory.dmpFilesize
4KB
-
memory/2312-16-0x0000000000E30000-0x0000000000E31000-memory.dmpFilesize
4KB
-
memory/3700-83-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/3700-75-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/3700-79-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/3700-81-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/3700-85-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/3700-87-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/3700-89-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/3700-90-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/3700-92-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/3892-13-0x00000000007F0000-0x00000000007F1000-memory.dmpFilesize
4KB
-
memory/3892-77-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/3892-12-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB