Overview

overview

10

Static

static

3

044bf3b147...18.exe

windows7-x64

10

044bf3b147...18.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    20-06-2024 08:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    044bf3b1471af9d566e2d16e1d00439f_JaffaCakes118.exe

  • Size

    714KB

  • MD5

    044bf3b1471af9d566e2d16e1d00439f

  • SHA1

    2a74f0b0390ac3c3117cf386b33a967a7c06a553

  • SHA256

    646eb9be1126e03369f16af5e3d4870cb3ff7a88f453ba738fa946edadebdd69

  • SHA512

    31d48bb9a9872f68da3a4273e7e546ef698e2d26d30551cad0a6e6905f16e38b690265c3e36a5522bca2de2a2540054bb160590761c7c3bc6f0cc84bc26a3e30

  • SSDEEP

    12288:i+lUsErG0Q4G8ORN7GuyMZxE02p3IqlVD1D1XKEC91zhjwbQvUPBG2/oOgw6o:urvG8ORlGavE0Fqlhixhjwkvv2lgxo

Score
10/10
darkcometebppersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

EBP

C2

dcservertet.no-ip.biz:1604

Mutex

DC_MUTEX-AHF4VQL

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    AgWGVtEfaTpP

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 13 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\044bf3b1471af9d566e2d16e1d00439f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\044bf3b1471af9d566e2d16e1d00439f_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2264
    • \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Virtual\STUBEXE\8.0.1135\@DOCUMENTS@\EpicBotPatcher.exe.exe
      "C:\Users\Admin\Documents\EpicBotPatcher.exe.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1372
      • \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Native\STUBEXE\8.0.1135\@APPDATALOCAL@\Temp\EPICBOTPATCHER.EXE
        "C:\Users\Admin\AppData\Local\Temp\EPICBOTPATCHER.EXE"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2488
      • \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Native\STUBEXE\8.0.1135\@DOCUMENTS@\MSDCSC\msdcsc.exe
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2892

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\EPICBOTPATCHER.EXE
    Filesize

    50KB

    MD5

    d32b48eaeaef877b69751c9045ead30c

    SHA1

    e7374a048b87e4feeda2d109be82686a42917ab8

    SHA256

    c35f17e36a09b55445e04285b053aea29b4a52efec7d6a9014f9cdf2164e6f23

    SHA512

    cc31b9bcf13d9a37e407ed65042876a6742ab9f4bc43fb99666cf6320c2a051825ed97207979c10f8f2820c15c0cc23e84b39dc58d676fb06b25324a92ae2aa7

    Download Submit
  • C:\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Native\STUBEXE\8.0.1135\@APPDATALOCAL@\Temp\EPICBOTPATCHER.EXE
    Filesize

    17KB

    MD5

    c26241506736859b04732bdc6c379f22

    SHA1

    d9bb520ad8a96d2b1686e27e84c6e8a5613ecab7

    SHA256

    de001a73956e284932132531e164e6486a2e029ecc5fd0c59cc69dd06574ebfe

    SHA512

    98e44d11b481375c6936cee467295975ba6c6bc409d9eff5b3b1d881d52a5778e319d100c381b389aa1de8a9a651fb9daf420f93a251f83c3a43da4fd408c2fd

    Download Submit
  • \Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Native\STUBEXE\8.0.1135\@DOCUMENTS@\MSDCSC\msdcsc.exe
    Filesize

    17KB

    MD5

    f7d526c3ff55b4b5ab8338ce3421c35e

    SHA1

    dfae8d46cf52382c4ec71f2c5ff4d82be1cdb1df

    SHA256

    583a345058cad9b24938402ecb7cbbcea3ef2c5ac766d08b97f3802026cdb057

    SHA512

    938f95b9ba53137506a62847311b665afff874fb47dff7c726aff4bec18f6e7fbfdc0b81ed78e70ac78bb4a657a892b3c04e4b41ec0da6ad5d03c6efa69d1d18

    Download Submit
  • \Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Virtual\MODIFIED\@DOCUMENTS@\EpicBotPatcher.exe.exe
    Filesize

    717KB

    MD5

    8e45f24897782dfd4e205b82d328e6b5

    SHA1

    699fc852a712238be2ff1a1adfb5e719c3de4645

    SHA256

    b4bde29a37502ddccab1a0a330ada64a3c241f115db1daba3fb8958d2b61d73c

    SHA512

    aa97a4c93f9dfa87f140188016c21dbf909b859a6a2a26bfc666af2a4466bacb55b5668385aab687df8f09791c8576621a650a6301a2ca0e78c9f6b767ea8cca

    Download Submit
  • \Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Virtual\STUBEXE\8.0.1135\@DOCUMENTS@\EpicBotPatcher.exe.exe
    Filesize

    17KB

    MD5

    5c1bd8d183bc09e617fac8a0ef0c4c28

    SHA1

    9dc878eb7cc4c3e3e3ee663471c2a5040f13a1f6

    SHA256

    971aa6db0ef9a0e7e86a39ba61e825a6b4ada79eafa321dd6673ed0c9e348c80

    SHA512

    f43741cbd92ed12f7e3c134564c535c582b343cf0f2b86b412faa9632a64114c0658740e3605270e5137a5706dd5bb5f748813e5eb29bb4db485a2b98dd4bf6e

    Download Submit
  • memory/1372-43-0x0000000000400000-0x00000000004C1000-memory.dmp
    Filesize

    772KB

    Download
  • memory/1372-38-0x0000000000400000-0x00000000004C1000-memory.dmp
    Filesize

    772KB

    Download
  • memory/1372-89-0x0000000000400000-0x00000000004C1000-memory.dmp
    Filesize

    772KB

    Download
  • memory/1372-87-0x0000000000830000-0x00000000008A2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1372-21-0x0000000000400000-0x00000000004C1000-memory.dmp
    Filesize

    772KB

    Download
  • memory/1372-11-0x0000000000400000-0x00000000004C1000-memory.dmp
    Filesize

    772KB

    Download
  • memory/1372-13-0x0000000000400000-0x00000000004C1000-memory.dmp
    Filesize

    772KB

    Download
  • memory/1372-23-0x0000000000400000-0x00000000004C1000-memory.dmp
    Filesize

    772KB

    Download
  • memory/1372-35-0x0000000000400000-0x00000000004C1000-memory.dmp
    Filesize

    772KB

    Download
  • memory/1372-34-0x0000000000400000-0x00000000004C1000-memory.dmp
    Filesize

    772KB

    Download
  • memory/1372-33-0x0000000000400000-0x00000000004C1000-memory.dmp
    Filesize

    772KB

    Download
  • memory/1372-32-0x0000000000400000-0x00000000004C1000-memory.dmp
    Filesize

    772KB

    Download
  • memory/1372-31-0x0000000000400000-0x00000000004C1000-memory.dmp
    Filesize

    772KB

    Download
  • memory/1372-30-0x0000000000400000-0x00000000004C1000-memory.dmp
    Filesize

    772KB

    Download
  • memory/1372-36-0x0000000000400000-0x00000000004C1000-memory.dmp
    Filesize

    772KB

    Download
  • memory/1372-29-0x0000000000400000-0x00000000004C1000-memory.dmp
    Filesize

    772KB

    Download
  • memory/1372-42-0x0000000000400000-0x00000000004C1000-memory.dmp
    Filesize

    772KB

    Download
  • memory/1372-46-0x0000000000400000-0x00000000004C1000-memory.dmp
    Filesize

    772KB

    Download
  • memory/1372-47-0x0000000000400000-0x00000000004C1000-memory.dmp
    Filesize

    772KB

    Download
  • memory/1372-12-0x0000000000400000-0x00000000004C1000-memory.dmp
    Filesize

    772KB

    Download
  • memory/1372-15-0x0000000000400000-0x00000000004C1000-memory.dmp
    Filesize

    772KB

    Download
  • memory/1372-52-0x0000000000830000-0x00000000008A2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1372-45-0x0000000000400000-0x00000000004C1000-memory.dmp
    Filesize

    772KB

    Download
  • memory/1372-44-0x0000000000400000-0x00000000004C1000-memory.dmp
    Filesize

    772KB

    Download
  • memory/1372-16-0x0000000000400000-0x00000000004C1000-memory.dmp
    Filesize

    772KB

    Download
  • memory/1372-17-0x0000000000400000-0x00000000004C1000-memory.dmp
    Filesize

    772KB

    Download
  • memory/1372-86-0x0000000000830000-0x00000000008A2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1372-19-0x0000000000400000-0x00000000004C1000-memory.dmp
    Filesize

    772KB

    Download
  • memory/1372-18-0x0000000000400000-0x00000000004C1000-memory.dmp
    Filesize

    772KB

    Download
  • memory/1372-72-0x0000000000830000-0x00000000008A2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1372-20-0x0000000000400000-0x00000000004C1000-memory.dmp
    Filesize

    772KB

    Download
  • memory/1372-41-0x0000000000400000-0x00000000004C1000-memory.dmp
    Filesize

    772KB

    Download
  • memory/1372-40-0x0000000000400000-0x00000000004C1000-memory.dmp
    Filesize

    772KB

    Download
  • memory/1372-39-0x0000000000400000-0x00000000004C1000-memory.dmp
    Filesize

    772KB

    Download
  • memory/1372-22-0x0000000000400000-0x00000000004C1000-memory.dmp
    Filesize

    772KB

    Download
  • memory/1372-37-0x0000000000400000-0x00000000004C1000-memory.dmp
    Filesize

    772KB

    Download
  • memory/1372-28-0x0000000000400000-0x00000000004C1000-memory.dmp
    Filesize

    772KB

    Download
  • memory/1372-27-0x0000000000400000-0x00000000004C1000-memory.dmp
    Filesize

    772KB

    Download
  • memory/1372-26-0x0000000000400000-0x00000000004C1000-memory.dmp
    Filesize

    772KB

    Download
  • memory/1372-25-0x0000000000400000-0x00000000004C1000-memory.dmp
    Filesize

    772KB

    Download
  • memory/1372-24-0x0000000000400000-0x00000000004C1000-memory.dmp
    Filesize

    772KB

    Download
  • memory/2264-1-0x0000000077E00000-0x0000000077E01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2264-4-0x0000000010000000-0x0000000010037000-memory.dmp
    Filesize

    220KB

    Download
  • memory/2264-3-0x0000000010000000-0x0000000010037000-memory.dmp
    Filesize

    220KB

    Download
  • memory/2264-5-0x0000000010000000-0x0000000010037000-memory.dmp
    Filesize

    220KB

    Download
  • memory/2264-6-0x0000000010000000-0x0000000010037000-memory.dmp
    Filesize

    220KB

    Download
  • memory/2264-94-0x0000000000380000-0x00000000003F2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2264-0-0x0000000000380000-0x00000000003F2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2264-2-0x0000000000220000-0x0000000000221000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2264-51-0x0000000000380000-0x00000000003F2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2264-8-0x0000000000380000-0x00000000003F2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2264-7-0x0000000010000000-0x0000000010037000-memory.dmp
    Filesize

    220KB

    Download
  • memory/2488-70-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize

    80KB

    Download
  • memory/2488-71-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize

    80KB

    Download
  • memory/2488-73-0x0000000000330000-0x00000000003A2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2488-69-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize

    80KB

    Download