Analysis

  • max time kernel
    138s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    26-06-2024 21:38

General

  • Target

    138d1fd5cbb648b4251a36a9fe914418_JaffaCakes118.exe

  • Size

    1.4MB

  • MD5

    138d1fd5cbb648b4251a36a9fe914418

  • SHA1

    5bb69997672961ecb1f2d3d9246dab4fe5da3335

  • SHA256

    02dc555089d53f749b087fd2c724c41aa7dc6482e104730825478436719e5c9f

  • SHA512

    aea0252bda29b0f17187b11e09abd84556bb432d43c9844e0f16a88e06005a9716b42b9af4be1a1f06c0317411f94511d2cbc2ac740d15b0a42e57e1139f6ed7

  • SSDEEP

    24576:Ayv3DbMr6mQs6BZudnJaCDviIEDBBJYDWcSO:5ErsIGa

Malware Config

Extracted

Family

darkcomet

Botnet

Zombie

C2

anonymous-hr.zapto.org:5150

127.0.0.1:5150

Mutex

DC_MUTEX-JQ36SHX

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    u6ESlyfFKfg6

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies security service 2 TTPs 2 IoCs
  • Windows security bypass 2 TTPs 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\138d1fd5cbb648b4251a36a9fe914418_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\138d1fd5cbb648b4251a36a9fe914418_JaffaCakes118.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1656
    • C:\Users\Admin\AppData\Local\Temp\Travian Hack.exe
      "C:\Users\Admin\AppData\Local\Temp\Travian Hack.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2892
      • C:\Users\Admin\AppData\Local\Temp\server.exe
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2792
        • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
          "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
          4⤵
          • Modifies security service
          • Windows security bypass
          • Executes dropped EXE
          • Windows security modification
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2696
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies security service
            • Windows security bypass
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:2572

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Travian Hack.exe

    Filesize

    1.0MB

    MD5

    a2d562adc906b7c0351551af1317e402

    SHA1

    79b87f5e3b0312fc6f205c06f1385a633bd6ac79

    SHA256

    c80ee55191716d24bb89c0daf55a196b2b9f73421b03935510bd037e4432fc94

    SHA512

    f77f476663f0b24d3195cc23566a18cb2a59bc143ad6f631f1980f9101575562c75e09b4a4922864d03dc3fad845decf7aab712010ab4826d4dbc4b23dc9de1a

  • C:\Users\Admin\AppData\Local\Temp\server.exe

    Filesize

    681KB

    MD5

    135c52171999304022023d032e8f4064

    SHA1

    ec69532dec170bb90fa5f87bdfd0a4c57a6582df

    SHA256

    e51aeb463290ade3ee17c1c4203767d7154579187a163d5587a09277f8fd5dfe

    SHA512

    c0af921cc29ab60496d4356a7cb1205c2be43ae13ebf745de8520e4a863ca7d280d03b15793890449fe555960c9ca32c2b45a8740e02d709278f676a2e3ba457

  • memory/1656-0-0x000007FEF61DE000-0x000007FEF61DF000-memory.dmp

    Filesize

    4KB

  • memory/1656-1-0x000007FEF5F20000-0x000007FEF68BD000-memory.dmp

    Filesize

    9.6MB

  • memory/1656-9-0x000007FEF5F20000-0x000007FEF68BD000-memory.dmp

    Filesize

    9.6MB

  • memory/2572-33-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

  • memory/2696-34-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

  • memory/2792-31-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

  • memory/2892-10-0x000007FEF5F20000-0x000007FEF68BD000-memory.dmp

    Filesize

    9.6MB

  • memory/2892-11-0x000007FEF5F20000-0x000007FEF68BD000-memory.dmp

    Filesize

    9.6MB

  • memory/2892-19-0x000007FEF5F20000-0x000007FEF68BD000-memory.dmp

    Filesize

    9.6MB