Malware Analysis Report

2024-08-06 18:55

Sample ID 240620-2qwl1avfql
Target 09ec09c02754eb0f1908db7ae95c961e_JaffaCakes118
SHA256 4cb109b18917d283ae89a8b0c09b063d6e0a381fce44c3d6cb6abada4d0d5822
Tags
darkcomet persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4cb109b18917d283ae89a8b0c09b063d6e0a381fce44c3d6cb6abada4d0d5822

Threat Level: Known bad

The file 09ec09c02754eb0f1908db7ae95c961e_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

darkcomet persistence rat trojan

Darkcomet

Uses the VBS compiler for execution

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Script User-Agent

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scripting
T1064
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Defense Evasion
TA0005
Scripting
T1064
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-20 22:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 22:47

Reported

2024-06-20 22:50

Platform

win7-20240419-en

Max time kernel

140s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\09ec09c02754eb0f1908db7ae95c961e_JaffaCakes118.exe"

Signatures

Darkcomet

trojan rat darkcomet

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2052 set thread context of 2464 N/A C:\Users\Admin\AppData\Local\Temp\09ec09c02754eb0f1908db7ae95c961e_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2052 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\09ec09c02754eb0f1908db7ae95c961e_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2052 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\09ec09c02754eb0f1908db7ae95c961e_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2052 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\09ec09c02754eb0f1908db7ae95c961e_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2052 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\09ec09c02754eb0f1908db7ae95c961e_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2052 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\09ec09c02754eb0f1908db7ae95c961e_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2052 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\09ec09c02754eb0f1908db7ae95c961e_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2052 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\09ec09c02754eb0f1908db7ae95c961e_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2052 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\09ec09c02754eb0f1908db7ae95c961e_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2052 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\09ec09c02754eb0f1908db7ae95c961e_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\09ec09c02754eb0f1908db7ae95c961e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\09ec09c02754eb0f1908db7ae95c961e_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 s7eezy.azok.org udp
US 64.91.249.20:80 s7eezy.azok.org tcp
US 8.8.8.8:53 ww12.azok.org udp
US 75.2.81.221:80 ww12.azok.org tcp

Files

memory/2052-0-0x0000000074361000-0x0000000074362000-memory.dmp

memory/2052-1-0x0000000074360000-0x000000007490B000-memory.dmp

memory/2052-2-0x0000000074360000-0x000000007490B000-memory.dmp

memory/2464-7-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2464-13-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2464-5-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2464-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2464-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2464-17-0x0000000000240000-0x000000000029F000-memory.dmp

memory/2464-19-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2052-24-0x0000000074360000-0x000000007490B000-memory.dmp

memory/2464-23-0x0000000002B90000-0x0000000002CC3000-memory.dmp

memory/2464-25-0x0000000000400000-0x0000000000409000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 22:47

Reported

2024-06-20 22:50

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\09ec09c02754eb0f1908db7ae95c961e_JaffaCakes118.exe"

Signatures

Darkcomet

trojan rat darkcomet

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4592 set thread context of 3172 N/A C:\Users\Admin\AppData\Local\Temp\09ec09c02754eb0f1908db7ae95c961e_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4592 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\09ec09c02754eb0f1908db7ae95c961e_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4592 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\09ec09c02754eb0f1908db7ae95c961e_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4592 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\09ec09c02754eb0f1908db7ae95c961e_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4592 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\09ec09c02754eb0f1908db7ae95c961e_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4592 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\09ec09c02754eb0f1908db7ae95c961e_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4592 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\09ec09c02754eb0f1908db7ae95c961e_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4592 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\09ec09c02754eb0f1908db7ae95c961e_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4592 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\09ec09c02754eb0f1908db7ae95c961e_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\09ec09c02754eb0f1908db7ae95c961e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\09ec09c02754eb0f1908db7ae95c961e_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 s7eezy.azok.org udp

Files

memory/4592-0-0x0000000074DB2000-0x0000000074DB3000-memory.dmp

memory/4592-1-0x0000000074DB0000-0x0000000075361000-memory.dmp

memory/4592-2-0x0000000074DB0000-0x0000000075361000-memory.dmp

memory/3172-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3172-6-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4592-9-0x0000000074DB0000-0x0000000075361000-memory.dmp

memory/3172-13-0x0000000000400000-0x0000000000409000-memory.dmp