Analysis
-
max time kernel
131s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
-
submitted
20-06-2024 17:48
General
-
Target
085a4a5430ccb482aaf5e1f428b2e035_JaffaCakes118.exe
-
Size
1.7MB
-
MD5
085a4a5430ccb482aaf5e1f428b2e035
-
SHA1
a1a22b49b830728849e84e4c2bb686f73eb252e4
-
SHA256
e4c9e8116827030fee7a80a2d2fbbadb2f0b0fc353dbe8833e57f7852ea86810
-
SHA512
71cd748b221f990e28c7978dd9213ebb711c346fb7bceaf8d01acf115c55afeec3450fd0dbf0b64dd8ab7232a7d92792acab158e681d51049f589b8ab820c1bf
-
SSDEEP
24576:/CSakkVYTNLqPY3Oz8zmpbZipBw8QVJBTyjCtAscY7EAqGvgbidbGFn15jnpCXmO:1k03o3lV3/tAs97EAqGTdban15jnAXd
Malware Config
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies firewall policy service 3 TTPs 3 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 2 IoCs
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Executes dropped EXE 8 IoCs
-
Loads dropped DLL 12 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 3 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\085a4a5430ccb482aaf5e1f428b2e035_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\085a4a5430ccb482aaf5e1f428b2e035_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\259399632.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Microsoft" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\service.exe" /f3⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Microsoft\service.exe"C:\Users\Admin\AppData\Roaming\Microsoft\service.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\service.exeC:\Users\Admin\AppData\Roaming\Microsoft\service.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\service.exe4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Roaming\Microsoft" +s +h6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Roaming\Microsoft" +s +h6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE"C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE"5⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 8206⤵
-
C:\Users\Admin\AppData\Local\Temp\WINDOWSLOGIN.EXE"C:\Users\Admin\AppData\Local\Temp\WINDOWSLOGIN.EXE"5⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 8286⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\MSDCSC\msdcsc.exe"C:\MSDCSC\msdcsc.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\MSDCSC\msdcsc.exeC:\MSDCSC\msdcsc.exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\MSDCSC\msdcsc.exe7⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\259399632.batFilesize
146B
MD57eee65b102f30fd1ead48a8cd3b99827
SHA12f74a754019f280c6186c11531d460006814952e
SHA2565748c60056db288b67e61148b339778816279e36907977f4fe03b5df04f6b57f
SHA512a06de9e35ada579a95b2ba399e4c65b074d642788d456e10e0ae967896ac729c552f715261d9dc8c17fffca8d6b9144a6155ff11ab8569a82bdbd9d26109bd85
-
C:\Users\Admin\AppData\Local\Temp\tmpcmd.batFilesize
69B
MD5983852d880a609ff25817b47f0c436f8
SHA16603aa3e0cb33794344aaadfde3b1f561e1b8f49
SHA256f1c5798294612fde0df50d42e530b2013aea877f49cce2aef78df42ce1e53203
SHA512b5b2681c27258dd428f7c26bcb277ab2069fa3f82f1945d9879b50c3734ef738be5de5bdb37699fe9522bb138b554f49821e05529011c7c3166cb3cab6aa0b58
-
C:\Users\Admin\AppData\Local\Temp\tmpcmd.batFilesize
57B
MD5960ff9f0fdcc7fe6180f159185b228dd
SHA1562e42c0f4c5c1b30b086cd1c110645391bb9cb2
SHA256527513b95baf56c82cc823317b90be26f3d3f3ece8046152cdbb0e8092e7d44d
SHA512a3a4d87968efc28b2d736ebd2d9b818c2e7d58d2588124e05f71d82a1a9b0dd5ae8c145b5b8098089d480da93ad535a427d648f6230f6e2bacfda9056110dc62
-
\Users\Admin\AppData\Local\Temp\SERVICES.EXEFilesize
6KB
MD50b3db22d987384297d6d3e37bbb42525
SHA1505682a108f0cf55caaeca6c781f4d49cc2d8edf
SHA256883b8f25dec2a5f565c45363f81402969ce5b5e4d03fc565ccc2fd162916aa00
SHA512b03cae2a2fcd46b0fde982214a11db50f6443d85efcf67b51ef60bb5a9fa3b0ad4b6b274c6175c634c7d343ee9253877d52712d1fee0e5b8843e1d3301273ae8
-
\Users\Admin\AppData\Local\Temp\WINDOWSLOGIN.EXEFilesize
6KB
MD5d52e36ac4ab591f5cac32b433d2134fc
SHA1868df7e02042482a37cae9c1b1b7cc25e63b7ab2
SHA256968266055dfa20300ee91a14f3344864b07cd1505054186f91946cccfcb96207
SHA512c77c10dbcf58a86a384b413bb064df1af535af48744fe744d03cdfee16df1efa8275216b9cbe083294dac4cfd9e3445e7bb5e1f9051f462be484ae95ab622541
-
\Users\Admin\AppData\Roaming\Microsoft\service.exeFilesize
1.7MB
MD5d0a34581ffb8d6d99ef29b6e46e06ab8
SHA15a169f12cf42262ffd62cc1bab213654d7a4dac6
SHA256e59240de73344a6cb74551be43702ca23b8c0156ba8cbcb842118509360657f1
SHA512515068e21b1fbb018651e0e53394a5171d92d65eb3de4105efe067cb05f173d6e68d5b908c6684bcf5c53b1891a5752b4b4176044f63e805d7d0896e6c3fd941
-
memory/2016-148-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/2116-150-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/2116-155-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/2116-162-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/2116-161-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/2116-160-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/2116-159-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/2116-158-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/2116-157-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/2116-156-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/2116-146-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/2116-154-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/2116-153-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/2116-152-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/2116-151-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/2116-142-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/2116-143-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/2116-144-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/2116-145-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/2116-147-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/2700-45-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/2700-39-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/2700-63-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/2844-64-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/2844-51-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/2844-50-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/2844-48-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/2844-62-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/2844-65-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/2844-114-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/2844-46-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/2844-52-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/2844-53-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/2844-54-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/2844-55-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/2844-56-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2844-58-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB