Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
26-06-2024 20:59
General
-
Target
136e24d2e40c6bb49efec2c643f2dbe4_JaffaCakes118.exe
-
Size
398KB
-
MD5
136e24d2e40c6bb49efec2c643f2dbe4
-
SHA1
0eb613aee9bd84a91045b01df6e80639b3072497
-
SHA256
d14dc0c863a908b364ddb07dce87c1936d7d6f50f341f1ba72c83342bcdc5a66
-
SHA512
9bcda7a8a883d2aad638ba6e27e315dea9ad3d69659473a8610169179c06635b04d71c3c950257c951e222280ecdd3e66548906f2aa22bf9f30d31187bf95c20
-
SSDEEP
12288:r0eFWYP1stdJTFoKTV45jEJnp2/FB02fHdf:r0evStdEKTV45ss/L9f
Malware Config
Extracted
darkcomet
Guest16
127.0.0.1:1604
DC_MUTEX-TDUES14
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
kLFnMeH6GMti
-
install
true
-
offline_keylogger
true
-
password
0123456789
-
persistence
true
-
reg_key
MicroUpdate
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\136e24d2e40c6bb49efec2c643f2dbe4_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\136e24d2e40c6bb49efec2c643f2dbe4_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\136e24d2e40c6bb49efec2c643f2dbe4_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\136e24d2e40c6bb49efec2c643f2dbe4_JaffaCakes118.exe2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h4⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\MSDCSC\msdcsc.exe"C:\Windows\MSDCSC\msdcsc.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\MSDCSC\msdcsc.exeC:\Windows\MSDCSC\msdcsc.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\notepad.exenotepad5⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
\Windows\MSDCSC\msdcsc.exeFilesize
398KB
MD5136e24d2e40c6bb49efec2c643f2dbe4
SHA10eb613aee9bd84a91045b01df6e80639b3072497
SHA256d14dc0c863a908b364ddb07dce87c1936d7d6f50f341f1ba72c83342bcdc5a66
SHA5129bcda7a8a883d2aad638ba6e27e315dea9ad3d69659473a8610169179c06635b04d71c3c950257c951e222280ecdd3e66548906f2aa22bf9f30d31187bf95c20
-
memory/1732-0-0x0000000000400000-0x00000000006DBC10-memory.dmpFilesize
2.9MB
-
memory/1732-5-0x0000000002D20000-0x0000000002FFC000-memory.dmpFilesize
2.9MB
-
memory/1732-6-0x0000000000400000-0x00000000006DBC10-memory.dmpFilesize
2.9MB
-
memory/2200-3-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/2200-4-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/2200-7-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/2200-8-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/2200-9-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/2200-22-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/2796-33-0x0000000000080000-0x0000000000081000-memory.dmpFilesize
4KB
-
memory/2796-71-0x0000000000270000-0x0000000000271000-memory.dmpFilesize
4KB
-
memory/2996-30-0x0000000000400000-0x00000000006DBC10-memory.dmpFilesize
2.9MB
-
memory/3004-75-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/3004-76-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/3004-32-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/3004-73-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/3004-72-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/3004-74-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/3004-31-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/3004-29-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/3004-77-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/3004-78-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/3004-80-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/3004-81-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/3004-82-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/3004-83-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/3004-85-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/3004-86-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB