Overview

overview

10

Static

static

3

085a4a5430...18.exe

windows7-x64

10

085a4a5430...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    131s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    20/06/2024, 17:48

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    085a4a5430ccb482aaf5e1f428b2e035_JaffaCakes118.exe

  • Size

    1.7MB

  • MD5

    085a4a5430ccb482aaf5e1f428b2e035

  • SHA1

    a1a22b49b830728849e84e4c2bb686f73eb252e4

  • SHA256

    e4c9e8116827030fee7a80a2d2fbbadb2f0b0fc353dbe8833e57f7852ea86810

  • SHA512

    71cd748b221f990e28c7978dd9213ebb711c346fb7bceaf8d01acf115c55afeec3450fd0dbf0b64dd8ab7232a7d92792acab158e681d51049f589b8ab820c1bf

  • SSDEEP

    24576:/CSakkVYTNLqPY3Oz8zmpbZipBw8QVJBTyjCtAscY7EAqGvgbidbGFn15jnpCXmO:1k03o3lV3/tAs97EAqGTdban15jnAXd

Score
10/10
darkcometevasionpersistencerattrojan

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies firewall policy service 3 TTPs 3 IoCs
    evasion
  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 12 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\085a4a5430ccb482aaf5e1f428b2e035_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\085a4a5430ccb482aaf5e1f428b2e035_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2164
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\259399632.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2480
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Microsoft" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\service.exe" /f
        3⤵
        • Adds Run key to start application
        PID:2736
    • C:\Users\Admin\AppData\Roaming\Microsoft\service.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\service.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2764
      • C:\Users\Admin\AppData\Roaming\Microsoft\service.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\service.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2700
        • C:\Users\Admin\AppData\Roaming\Microsoft\service.exe
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2844
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2888
            • C:\Windows\SysWOW64\attrib.exe
              attrib "C:\Users\Admin\AppData\Roaming\Microsoft" +s +h
              6⤵
              • Sets file to hidden
              • Views/modifies file attributes
              PID:1960
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3040
            • C:\Windows\SysWOW64\attrib.exe
              attrib "C:\Users\Admin\AppData\Roaming\Microsoft" +s +h
              6⤵
              • Sets file to hidden
              • Views/modifies file attributes
              PID:1576
          • C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE
            "C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE"
            5⤵
            • Executes dropped EXE
            PID:1620
            • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
              dw20.exe -x -s 820
              6⤵
                PID:1704
            • C:\Users\Admin\AppData\Local\Temp\WINDOWSLOGIN.EXE
              "C:\Users\Admin\AppData\Local\Temp\WINDOWSLOGIN.EXE"
              5⤵
              • Executes dropped EXE
              PID:1824
              • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
                dw20.exe -x -s 828
                6⤵
                • Suspicious behavior: GetForegroundWindowSpam
                PID:2956
            • C:\MSDCSC\msdcsc.exe
              "C:\MSDCSC\msdcsc.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1376
              • C:\MSDCSC\msdcsc.exe
                C:\MSDCSC\msdcsc.exe
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of SetWindowsHookEx
                PID:2016
                • C:\MSDCSC\msdcsc.exe
                  7⤵
                  • Modifies firewall policy service
                  • Modifies security service
                  • Windows security bypass
                  • Executes dropped EXE
                  • Windows security modification
                  • Adds Run key to start application
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:2116

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\259399632.bat
            Filesize

            146B

            MD5

            7eee65b102f30fd1ead48a8cd3b99827

            SHA1

            2f74a754019f280c6186c11531d460006814952e

            SHA256

            5748c60056db288b67e61148b339778816279e36907977f4fe03b5df04f6b57f

            SHA512

            a06de9e35ada579a95b2ba399e4c65b074d642788d456e10e0ae967896ac729c552f715261d9dc8c17fffca8d6b9144a6155ff11ab8569a82bdbd9d26109bd85

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat
            Filesize

            69B

            MD5

            983852d880a609ff25817b47f0c436f8

            SHA1

            6603aa3e0cb33794344aaadfde3b1f561e1b8f49

            SHA256

            f1c5798294612fde0df50d42e530b2013aea877f49cce2aef78df42ce1e53203

            SHA512

            b5b2681c27258dd428f7c26bcb277ab2069fa3f82f1945d9879b50c3734ef738be5de5bdb37699fe9522bb138b554f49821e05529011c7c3166cb3cab6aa0b58

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat
            Filesize

            57B

            MD5

            960ff9f0fdcc7fe6180f159185b228dd

            SHA1

            562e42c0f4c5c1b30b086cd1c110645391bb9cb2

            SHA256

            527513b95baf56c82cc823317b90be26f3d3f3ece8046152cdbb0e8092e7d44d

            SHA512

            a3a4d87968efc28b2d736ebd2d9b818c2e7d58d2588124e05f71d82a1a9b0dd5ae8c145b5b8098089d480da93ad535a427d648f6230f6e2bacfda9056110dc62

            Download Submit

          • \Users\Admin\AppData\Local\Temp\SERVICES.EXE
            Filesize

            6KB

            MD5

            0b3db22d987384297d6d3e37bbb42525

            SHA1

            505682a108f0cf55caaeca6c781f4d49cc2d8edf

            SHA256

            883b8f25dec2a5f565c45363f81402969ce5b5e4d03fc565ccc2fd162916aa00

            SHA512

            b03cae2a2fcd46b0fde982214a11db50f6443d85efcf67b51ef60bb5a9fa3b0ad4b6b274c6175c634c7d343ee9253877d52712d1fee0e5b8843e1d3301273ae8

            Download Submit

          • \Users\Admin\AppData\Local\Temp\WINDOWSLOGIN.EXE
            Filesize

            6KB

            MD5

            d52e36ac4ab591f5cac32b433d2134fc

            SHA1

            868df7e02042482a37cae9c1b1b7cc25e63b7ab2

            SHA256

            968266055dfa20300ee91a14f3344864b07cd1505054186f91946cccfcb96207

            SHA512

            c77c10dbcf58a86a384b413bb064df1af535af48744fe744d03cdfee16df1efa8275216b9cbe083294dac4cfd9e3445e7bb5e1f9051f462be484ae95ab622541

            Download Submit

          • \Users\Admin\AppData\Roaming\Microsoft\service.exe
            Filesize

            1.7MB

            MD5

            d0a34581ffb8d6d99ef29b6e46e06ab8

            SHA1

            5a169f12cf42262ffd62cc1bab213654d7a4dac6

            SHA256

            e59240de73344a6cb74551be43702ca23b8c0156ba8cbcb842118509360657f1

            SHA512

            515068e21b1fbb018651e0e53394a5171d92d65eb3de4105efe067cb05f173d6e68d5b908c6684bcf5c53b1891a5752b4b4176044f63e805d7d0896e6c3fd941

            Download Submit

          • memory/2016-148-0x0000000000400000-0x000000000040C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2116-150-0x0000000000400000-0x00000000004C6000-memory.dmp

            Filesize

            792KB

            Download

          • memory/2116-155-0x0000000000400000-0x00000000004C6000-memory.dmp

            Filesize

            792KB

            Download

          • memory/2116-162-0x0000000000400000-0x00000000004C6000-memory.dmp

            Filesize

            792KB

            Download

          • memory/2116-161-0x0000000000400000-0x00000000004C6000-memory.dmp

            Filesize

            792KB

            Download

          • memory/2116-160-0x0000000000400000-0x00000000004C6000-memory.dmp

            Filesize

            792KB

            Download

          • memory/2116-159-0x0000000000400000-0x00000000004C6000-memory.dmp

            Filesize

            792KB

            Download

          • memory/2116-158-0x0000000000400000-0x00000000004C6000-memory.dmp

            Filesize

            792KB

            Download

          • memory/2116-157-0x0000000000400000-0x00000000004C6000-memory.dmp

            Filesize

            792KB

            Download

          • memory/2116-156-0x0000000000400000-0x00000000004C6000-memory.dmp

            Filesize

            792KB

            Download

          • memory/2116-146-0x0000000000400000-0x00000000004C6000-memory.dmp

            Filesize

            792KB

            Download

          • memory/2116-154-0x0000000000400000-0x00000000004C6000-memory.dmp

            Filesize

            792KB

            Download

          • memory/2116-153-0x0000000000400000-0x00000000004C6000-memory.dmp

            Filesize

            792KB

            Download

          • memory/2116-152-0x0000000000400000-0x00000000004C6000-memory.dmp

            Filesize

            792KB

            Download

          • memory/2116-151-0x0000000000400000-0x00000000004C6000-memory.dmp

            Filesize

            792KB

            Download

          • memory/2116-142-0x0000000000400000-0x00000000004C6000-memory.dmp

            Filesize

            792KB

            Download

          • memory/2116-143-0x0000000000400000-0x00000000004C6000-memory.dmp

            Filesize

            792KB

            Download

          • memory/2116-144-0x0000000000400000-0x00000000004C6000-memory.dmp

            Filesize

            792KB

            Download

          • memory/2116-145-0x0000000000400000-0x00000000004C6000-memory.dmp

            Filesize

            792KB

            Download

          • memory/2116-147-0x0000000000400000-0x00000000004C6000-memory.dmp

            Filesize

            792KB

            Download

          • memory/2700-45-0x0000000000400000-0x000000000040C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2700-39-0x0000000000400000-0x000000000040C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2700-63-0x0000000000400000-0x000000000040C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2844-64-0x0000000000400000-0x00000000004C6000-memory.dmp

            Filesize

            792KB

            Download

          • memory/2844-51-0x0000000000400000-0x00000000004C6000-memory.dmp

            Filesize

            792KB

            Download

          • memory/2844-50-0x0000000000400000-0x00000000004C6000-memory.dmp

            Filesize

            792KB

            Download

          • memory/2844-48-0x0000000000400000-0x00000000004C6000-memory.dmp

            Filesize

            792KB

            Download

          • memory/2844-62-0x0000000000400000-0x00000000004C6000-memory.dmp

            Filesize

            792KB

            Download

          • memory/2844-65-0x0000000000400000-0x00000000004C6000-memory.dmp

            Filesize

            792KB

            Download

          • memory/2844-114-0x0000000000400000-0x00000000004C6000-memory.dmp

            Filesize

            792KB

            Download

          • memory/2844-46-0x0000000000400000-0x00000000004C6000-memory.dmp

            Filesize

            792KB

            Download

          • memory/2844-52-0x0000000000400000-0x00000000004C6000-memory.dmp

            Filesize

            792KB

            Download

          • memory/2844-53-0x0000000000400000-0x00000000004C6000-memory.dmp

            Filesize

            792KB

            Download

          • memory/2844-54-0x0000000000400000-0x00000000004C6000-memory.dmp

            Filesize

            792KB

            Download

          • memory/2844-55-0x0000000000400000-0x00000000004C6000-memory.dmp

            Filesize

            792KB

            Download

          • memory/2844-56-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2844-58-0x0000000000400000-0x00000000004C6000-memory.dmp

            Filesize

            792KB

            Download