Overview

overview

10

Static

static

3

0529d67672...18.exe

windows7-x64

10

0529d67672...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    20-06-2024 10:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0529d67672dae586e351a9ee52d41578_JaffaCakes118.exe

  • Size

    725KB

  • MD5

    0529d67672dae586e351a9ee52d41578

  • SHA1

    b0b0f00591e257f0209680e764f3e7a89b6e4783

  • SHA256

    7634a9fc59d55c2c6825af629eec999b3c8f59e1a00eba5afa672c93ce81bba1

  • SHA512

    a6d496ab1df8f0e0d39957b712d3dc93ba95cfa7097e59d54037ed06034e948c61e90c4976e960bf8d7e0247447d2e8ffff20d3f1785add5742686d98886a09b

  • SSDEEP

    12288:UR/MxDiuJuP8OVWXN2/Y321+Hl3aW0bRPwhWEI/XMmeFZGuKPr:Iuo0vNyerHl3aWIwhWD/XMlu

Score
10/10
darkcometfacebookrattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Facebook

C2

bl4cks0ul.no-ip.info:1338

Mutex

DC_MUTEX-W4MYS1V

Attributes
  • gencode

    pTh6taM9e32j

  • install

    false

  • offline_keylogger

    true

  • password

    1234

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0529d67672dae586e351a9ee52d41578_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0529d67672dae586e351a9ee52d41578_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2884
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2912
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
          PID:2792
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\networkexplorer.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\networkexplorer.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2172
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
          dw20.exe -x -s 532
          3⤵
          • Loads dropped DLL
          PID:2508
        • C:\Users\Admin\AppData\Local\Temp\winrsmgr.exe
          "C:\Users\Admin\AppData\Local\Temp\winrsmgr.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3032
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:308

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\winrsmgr.exe
      Filesize

      725KB

      MD5

      0529d67672dae586e351a9ee52d41578

      SHA1

      b0b0f00591e257f0209680e764f3e7a89b6e4783

      SHA256

      7634a9fc59d55c2c6825af629eec999b3c8f59e1a00eba5afa672c93ce81bba1

      SHA512

      a6d496ab1df8f0e0d39957b712d3dc93ba95cfa7097e59d54037ed06034e948c61e90c4976e960bf8d7e0247447d2e8ffff20d3f1785add5742686d98886a09b

      Download Submit
    • \Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\networkexplorer.exe
      Filesize

      7KB

      MD5

      0279c2146d62cae9662118f4e8800deb

      SHA1

      8d0da4b751a854bb0d915f3391a4bb90c439b7ed

      SHA256

      995b97bbe99a22c37fe19b1f2119c652520f2d6871ab4f40dfddddc6bbe85efb

      SHA512

      259afe5223f2354102fa5c6ebe12d7feb6be5d5039820052d81551e1ddb53308644b6649781b393da79c96c217eade74fc7620f1208bce4dc15b1b44bbac4001

      Download Submit
    • memory/2792-29-0x0000000000090000-0x0000000000091000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2792-55-0x0000000000230000-0x0000000000231000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2884-2-0x00000000744E0000-0x0000000074A8B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2884-1-0x00000000744E0000-0x0000000074A8B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2884-82-0x00000000744E0000-0x0000000074A8B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2884-0-0x00000000744E1000-0x00000000744E2000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2912-24-0x0000000000400000-0x00000000004B5000-memory.dmp
      Filesize

      724KB

      Download
    • memory/2912-19-0x0000000000400000-0x00000000004B5000-memory.dmp
      Filesize

      724KB

      Download
    • memory/2912-13-0x0000000000400000-0x00000000004B5000-memory.dmp
      Filesize

      724KB

      Download
    • memory/2912-23-0x0000000000400000-0x00000000004B5000-memory.dmp
      Filesize

      724KB

      Download
    • memory/2912-9-0x0000000000400000-0x00000000004B5000-memory.dmp
      Filesize

      724KB

      Download
    • memory/2912-11-0x0000000000400000-0x00000000004B5000-memory.dmp
      Filesize

      724KB

      Download
    • memory/2912-25-0x0000000000400000-0x00000000004B5000-memory.dmp
      Filesize

      724KB

      Download
    • memory/2912-27-0x0000000000400000-0x00000000004B5000-memory.dmp
      Filesize

      724KB

      Download
    • memory/2912-28-0x0000000000400000-0x00000000004B5000-memory.dmp
      Filesize

      724KB

      Download
    • memory/2912-17-0x0000000000400000-0x00000000004B5000-memory.dmp
      Filesize

      724KB

      Download
    • memory/2912-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2912-57-0x0000000000400000-0x00000000004B5000-memory.dmp
      Filesize

      724KB

      Download
    • memory/2912-56-0x0000000000400000-0x00000000004B5000-memory.dmp
      Filesize

      724KB

      Download
    • memory/2912-15-0x0000000000400000-0x00000000004B5000-memory.dmp
      Filesize

      724KB

      Download
    • memory/2912-8-0x0000000000400000-0x00000000004B5000-memory.dmp
      Filesize

      724KB

      Download
    • memory/2912-7-0x0000000000400000-0x00000000004B5000-memory.dmp
      Filesize

      724KB

      Download
    • memory/2912-83-0x0000000000400000-0x00000000004B5000-memory.dmp
      Filesize

      724KB

      Download