Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    26-06-2024 20:58

General

  • Target

    136d9001b11fba77ae168bf0f09a7ee5_JaffaCakes118.exe

  • Size

    1.9MB

  • MD5

    136d9001b11fba77ae168bf0f09a7ee5

  • SHA1

    b628cc11be2ecb992163a3ab335c0a4e31d2d573

  • SHA256

    f997497b76f240159e28d44b943a40e0ea27b6c4d7b2cdb6dc769d65bbb92544

  • SHA512

    80ba416964e3402a280b4b9dbe9e4abbfab49f029451dd4f5c1ec80a8cad8cae1438d366436168b6912492fda0108cf28d1ca16fd80d46029aef0c97a47008e3

  • SSDEEP

    24576:GE0fHw0TS/Tlr+robnykC36QNOhh0/svqus32tt4Onwp8aJRdoUepoLJlPK5Hyep:GE0fQ0TSLV+LSaOI/4FwpRpyHYm+2ah

Malware Config

Extracted

Family

darkcomet

Botnet

Finally

C2

tast.no-ip.biz:82

Mutex

DC_MUTEX-98S0K24

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    j6R1c8a9GWJZ

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 7 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\136d9001b11fba77ae168bf0f09a7ee5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\136d9001b11fba77ae168bf0f09a7ee5_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:3020
    • C:\Users\Admin\AppData\Local\Temp\Hacker reporter.exe
      "C:\Users\Admin\AppData\Local\Temp\Hacker reporter.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2080
      • C:\Users\Admin\AppData\Local\Temp\vbc.exe
        C:\Users\Admin\AppData\Local\Temp\vbc.exe
        3⤵
        • Modifies WinLogon for persistence
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2744
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\Hacker reporter.exe" +s +h
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2536
          • C:\Windows\SysWOW64\attrib.exe
            attrib "C:\Users\Admin\AppData\Local\Temp\Hacker reporter.exe" +s +h
            5⤵
            • Sets file to hidden
            • Views/modifies file attributes
            PID:1540
        • C:\Windows\SysWOW64\notepad.exe
          notepad
          4⤵
            PID:1984
          • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
            "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:1852
            • C:\Users\Admin\AppData\Local\Temp\vbc.exe
              C:\Users\Admin\AppData\Local\Temp\vbc.exe
              5⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:2360
              • C:\Windows\SysWOW64\notepad.exe
                notepad
                6⤵
                  PID:1428
        • C:\Users\Admin\AppData\Local\Temp\Banner.exe
          "C:\Users\Admin\AppData\Local\Temp\Banner.exe"
          2⤵
          • Executes dropped EXE
          PID:2576

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • \Users\Admin\AppData\Local\Temp\Banner.exe

        Filesize

        18KB

        MD5

        463efc38869e2e4e315906d22b5e6d78

        SHA1

        01535b4ccc407affb680ac66258658c4911fb8c2

        SHA256

        4958b9f95e341ad6dcae3024013b3fcf5c5daabd3ff76a2762d731aacec752ba

        SHA512

        0be72a9e9d9bdc794e60ffd0046483374f461b32651005b95a3f1df0a8072c7e49205c3abfd6227b85b23c9261235041f7d529f41636d674105e5ee6b1a9f03b

      • \Users\Admin\AppData\Local\Temp\Hacker reporter.exe

        Filesize

        1.4MB

        MD5

        f3e67997c30576c80336de144362bb05

        SHA1

        3170b8ad87dc730c40d6c425869afe0a13b0e610

        SHA256

        1b7fe710b229b4b11a7fce71d190454b4dc259e54ea38f23eb2f6f8dcbe3f618

        SHA512

        d8cb6e6836626c558f6fd5ff8f92926d348950a11bb9cb9e21bb563bbd962aa51312e9297052ae60a7a9b0e015a45597ec42f5de76354bba6f74480744b92666

      • \Users\Admin\AppData\Local\Temp\vbc.exe

        Filesize

        1.1MB

        MD5

        34aa912defa18c2c129f1e09d75c1d7e

        SHA1

        9c3046324657505a30ecd9b1fdb46c05bde7d470

        SHA256

        6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

        SHA512

        d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

      • memory/1984-77-0x0000000000190000-0x0000000000191000-memory.dmp

        Filesize

        4KB

      • memory/2080-37-0x00000000740D0000-0x000000007467B000-memory.dmp

        Filesize

        5.7MB

      • memory/2080-14-0x00000000740D0000-0x000000007467B000-memory.dmp

        Filesize

        5.7MB

      • memory/2080-15-0x00000000740D0000-0x000000007467B000-memory.dmp

        Filesize

        5.7MB

      • memory/2576-48-0x0000000000200000-0x000000000020C000-memory.dmp

        Filesize

        48KB

      • memory/2744-30-0x0000000000400000-0x00000000004B5000-memory.dmp

        Filesize

        724KB

      • memory/2744-22-0x0000000000400000-0x00000000004B5000-memory.dmp

        Filesize

        724KB

      • memory/2744-32-0x0000000000010000-0x0000000000011000-memory.dmp

        Filesize

        4KB

      • memory/2744-27-0x0000000000400000-0x00000000004B5000-memory.dmp

        Filesize

        724KB

      • memory/2744-90-0x0000000000400000-0x00000000004B5000-memory.dmp

        Filesize

        724KB

      • memory/2744-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

      • memory/2744-25-0x0000000000400000-0x00000000004B5000-memory.dmp

        Filesize

        724KB

      • memory/2744-24-0x0000000000400000-0x00000000004B5000-memory.dmp

        Filesize

        724KB

      • memory/2744-23-0x0000000000400000-0x00000000004B5000-memory.dmp

        Filesize

        724KB

      • memory/2744-36-0x0000000000400000-0x00000000004B5000-memory.dmp

        Filesize

        724KB

      • memory/2744-21-0x0000000000400000-0x00000000004B5000-memory.dmp

        Filesize

        724KB

      • memory/2744-38-0x0000000000400000-0x00000000004B5000-memory.dmp

        Filesize

        724KB

      • memory/2744-26-0x0000000000400000-0x00000000004B5000-memory.dmp

        Filesize

        724KB

      • memory/2744-39-0x0000000000400000-0x00000000004B5000-memory.dmp

        Filesize

        724KB

      • memory/2744-20-0x0000000000400000-0x00000000004B5000-memory.dmp

        Filesize

        724KB

      • memory/3020-2-0x00000000740D0000-0x000000007467B000-memory.dmp

        Filesize

        5.7MB

      • memory/3020-1-0x00000000740D0000-0x000000007467B000-memory.dmp

        Filesize

        5.7MB

      • memory/3020-0-0x00000000740D1000-0x00000000740D2000-memory.dmp

        Filesize

        4KB

      • memory/3020-161-0x00000000740D0000-0x000000007467B000-memory.dmp

        Filesize

        5.7MB