Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-06-2024 15:29

General

  • Target

    074b37dbc85dcc235f8f6f33a1d56953_JaffaCakes118.exe

  • Size

    1015KB

  • MD5

    074b37dbc85dcc235f8f6f33a1d56953

  • SHA1

    e36b7444d38ad4026937824101ce5e6c17a1dc19

  • SHA256

    a9e50afef81424a18bc6013efabd3710f0e74d32a2ea8bf031e27b7f59ff2d03

  • SHA512

    cd3f83604ed6f9e845ebcc8adc428a428888d76e879f84e011cb1b2633231ea7415028526d43bf997c61f4e1722c239f677dd77b8be1adb136da39c6ac7d2b82

  • SSDEEP

    24576:PaMw2WWeFcfbP9VPSPMTSPL/rWvzq4JJfpks6SXsa:dLbVMTrOq4YSXsa

Malware Config

Extracted

Family

darkcomet

Botnet

all.tamashi.ge

C2

jajaxparkour.no-ip.org:81

jajaxparkour.no-ip.org:82

jajaxparkour.no-ip.org:83

Mutex

DC_MUTEX-HNXAZ4N

Attributes
  • InstallPath

    msdcsc.exe

  • gencode

    JmA4p7WaU7N1

  • install

    true

  • offline_keylogger

    true

  • password

    jajaXparkourjajaXparkour

  • persistence

    true

  • reg_key

    WinUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies firewall policy service 3 TTPs 6 IoCs
  • Modifies security service 2 TTPs 2 IoCs
  • Windows security bypass 2 TTPs 4 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 5 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 39 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\074b37dbc85dcc235f8f6f33a1d56953_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\074b37dbc85dcc235f8f6f33a1d56953_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Users\Admin\AppData\Local\Temp\%temp%\cmd.exe
      "C:\Users\Admin\AppData\Local\Temp\%temp%\cmd.exe"
      2⤵
      • Executes dropped EXE
      PID:2924
    • C:\Users\Admin\AppData\Local\Temp\%temp%\alltamashige.exe
      "C:\Users\Admin\AppData\Local\Temp\%temp%\alltamashige.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2508
      • C:\Windows\svchost.exe
        "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\%temp%\alltamashige.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2636
        • C:\Users\Admin\AppData\Local\Temp\%temp%\alltamashige.exe
          "C:\Users\Admin\AppData\Local\Temp\%temp%\alltamashige.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Drops file in Drivers directory
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2588
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\%temp%\alltamashige.exe" +s +h
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2276
            • C:\Windows\SysWOW64\attrib.exe
              attrib "C:\Users\Admin\AppData\Local\Temp\C:\Users\Admin\AppData\Local\Temp\alltamashige.exe" +s +h
              6⤵
              • Sets file to hidden
              • Views/modifies file attributes
              PID:2820
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\%temp%" +s +h
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2364
            • C:\Windows\SysWOW64\attrib.exe
              attrib "C:\Users\Admin\AppData\Local\Temp\C:\Users\Admin\AppData\Local\Temp" +s +h
              6⤵
              • Sets file to hidden
              • Views/modifies file attributes
              PID:3012
          • C:\Windows\msdcsc.exe
            "C:\Windows\msdcsc.exe"
            5⤵
            • Modifies firewall policy service
            • Modifies security service
            • Windows security bypass
            • Executes dropped EXE
            • Windows security modification
            • Adds Run key to start application
            • Suspicious use of SetThreadContext
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2488
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
              6⤵
              • Modifies firewall policy service
              • Modifies security service
              • Windows security bypass
              • Adds Run key to start application
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1852
              • C:\Windows\SysWOW64\notepad.exe
                notepad
                7⤵
                PID:1252
    • C:\Windows\svchost.exe
      C:\Windows\svchost.exe
      1⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      PID:2644

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence
    • Boot or Logon Autostart Execution (T1547): 2
      • Registry Run Keys / Startup Folder (T1547.001): 1
      • Winlogon Helper DLL (T1547.004): 1
    • Create or Modify System Process (T1543): 2
      • Windows Service (T1543.003): 2
  • Privilege Escalation
    • Boot or Logon Autostart Execution (T1547): 2
      • Registry Run Keys / Startup Folder (T1547.001): 1
      • Winlogon Helper DLL (T1547.004): 1
    • Create or Modify System Process (T1543): 2
      • Windows Service (T1543.003): 2
  • Defense Evasion
    • Modify Registry (T1112): 6
    • Impair Defenses (T1562): 3
      • Disable or Modify Tools (T1562.001): 2
      • Disable or Modify System Firewall (T1562.004): 1
    • Hide Artifacts (T1564): 2
      • Hidden Files and Directories (T1564.001): 2
  • Discovery
    • System Information Discovery (T1082): 1


Downloads

    • C:\Users\Admin\AppData\Local\Temp\%temp%\alltamashige.exe
      Filesize

      697KB

      MD5

      25a7087745e3be52602ed9a2b753fb92

      SHA1

      9baf48e9603f4a4e478a856bd2bf08a0522001f3

      SHA256

      c93cc41f09f3fc4dcbe7013e1705fad1f54ffea6978cc53935a5c426cb271a0e

      SHA512

      ee04c15369a18f5c8b858fb7c441ed47f955d13e8048ee19ca23aa701bf6786c414944a36f0967c640723f493aabc62b2c9d9484067b4f8874a050eef3a8a65e

    • C:\Users\Admin\AppData\Local\Temp\%temp%\alltamashige.exe
      Filesize

      661KB

      MD5

      4caab89f32f901eea758095fc05173d5

      SHA1

      f1440d734982b2f7d3536f8a0ea2246f3b2ff8e4

      SHA256

      13e040a602b573848e1d9a6f60944271efcff6251c25a39f9aa98eb2c77dc477

      SHA512

      73713e2edd11203c2359181621032565197912b144cb0d3177a1f796a413e7fd1a698c964b45a0774647d1bc4b085d90bc7521535dd7e9989bb4b7d5fda75e33

    • C:\Users\Admin\AppData\Local\Temp\%temp%\cmd.exe
      Filesize

      295KB

      MD5

      ad7b9c14083b52bc532fba5948342b98

      SHA1

      ee8cbf12d87c4d388f09b4f69bed2e91682920b5

      SHA256

      17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae

      SHA512

      e12aad20c824187b39edb3c7943709290b5ddbf1b4032988db46f2e86da3cf7e7783f78c82e4dc5da232f666b8f9799a260a1f8e2694eb4d0cdaf78da710fde1

    • C:\Windows\svchost.exe
      Filesize

      35KB

      MD5

      9e3c13b6556d5636b745d3e466d47467

      SHA1

      2ac1c19e268c49bc508f83fe3d20f495deb3e538

      SHA256

      20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

      SHA512

      5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

    • memory/1252-55-0x0000000000080000-0x0000000000081000-memory.dmp
      Filesize

      4KB

    • memory/1252-93-0x00000000001E0000-0x00000000001E1000-memory.dmp
      Filesize

      4KB

    • memory/1640-18-0x0000000000400000-0x000000000040D000-memory.dmp
      Filesize

      52KB

    • memory/1852-53-0x0000000000400000-0x00000000004B5000-memory.dmp
      Filesize

      724KB

    • memory/2488-54-0x0000000000400000-0x00000000004B5000-memory.dmp
      Filesize

      724KB

    • memory/2508-25-0x0000000000400000-0x0000000000411000-memory.dmp
      Filesize

      68KB

    • memory/2588-50-0x0000000000400000-0x00000000004B5000-memory.dmp
      Filesize

      724KB

    • memory/2636-38-0x0000000000400000-0x000000000040D000-memory.dmp
      Filesize

      52KB

    • memory/2644-96-0x0000000000400000-0x000000000040D000-memory.dmp
      Filesize

      52KB

    • memory/2644-102-0x0000000000400000-0x000000000040D000-memory.dmp
      Filesize

      52KB

    • memory/2644-111-0x0000000000400000-0x000000000040D000-memory.dmp
      Filesize

      52KB