Analysis
-
max time kernel
92s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
27-06-2024 10:49
Static task
static1
Behavioral task
behavioral1
Sample
15b7e0abf99ca0d676029e8b22498209_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
15b7e0abf99ca0d676029e8b22498209_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
15b7e0abf99ca0d676029e8b22498209_JaffaCakes118.exe
-
Size
1.2MB
-
MD5
15b7e0abf99ca0d676029e8b22498209
-
SHA1
81ddddb411c2e52c38756d2844b9697655884bb4
-
SHA256
1b42202ece42ad388bfc7130f23945748a26ef286e8478e3f800d7f552fe340f
-
SHA512
025330e1576eb9010f77df11404f984bebcfa7dbef3ec543bc6cfdcbb4c623495b4963c4c7e088dda418eb8b6c734e4b297f69d5668b38598310498b5ad346c4
-
SSDEEP
24576:K9b43KRo7xvu2Ui+mBvqvtEWvRk8Ml6uOdbI:e4ay7xui/wRk9suQE
Malware Config
Extracted
darkcomet
Victim
hackingrats.no-ip.biz:1604
DCMIN_MUTEX-KXAVH1D
-
InstallPath
System32.exe
-
gencode
DERuPJ12yzN9
-
install
true
-
offline_keylogger
true
-
persistence
false
-
reg_key
DarkComet RAT
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
vbc.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\System32.exe" vbc.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
vbc.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation vbc.exe -
Executes dropped EXE 2 IoCs
Processes:
vbc.exeSystem32.exepid process 3984 vbc.exe 1508 System32.exe -
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
15b7e0abf99ca0d676029e8b22498209_JaffaCakes118.exevbc.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdtr = "C:\\Users\\Admin\\AppData\\Roaming\\JavaUpdtr\\15b7e0abf99ca0d676029e8b22498209_JaffaCakes118.exe" 15b7e0abf99ca0d676029e8b22498209_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\Windows\\system32\\System32.exe" vbc.exe -
Drops file in System32 directory 2 IoCs
Processes:
vbc.exedescription ioc process File opened for modification C:\Windows\SysWOW64\System32.exe vbc.exe File created C:\Windows\SysWOW64\System32.exe vbc.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
15b7e0abf99ca0d676029e8b22498209_JaffaCakes118.exedescription pid process target process PID 2736 set thread context of 3984 2736 15b7e0abf99ca0d676029e8b22498209_JaffaCakes118.exe vbc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
Processes:
vbc.exedescription pid process Token: SeIncreaseQuotaPrivilege 3984 vbc.exe Token: SeSecurityPrivilege 3984 vbc.exe Token: SeTakeOwnershipPrivilege 3984 vbc.exe Token: SeLoadDriverPrivilege 3984 vbc.exe Token: SeSystemProfilePrivilege 3984 vbc.exe Token: SeSystemtimePrivilege 3984 vbc.exe Token: SeProfSingleProcessPrivilege 3984 vbc.exe Token: SeIncBasePriorityPrivilege 3984 vbc.exe Token: SeCreatePagefilePrivilege 3984 vbc.exe Token: SeBackupPrivilege 3984 vbc.exe Token: SeRestorePrivilege 3984 vbc.exe Token: SeShutdownPrivilege 3984 vbc.exe Token: SeDebugPrivilege 3984 vbc.exe Token: SeSystemEnvironmentPrivilege 3984 vbc.exe Token: SeChangeNotifyPrivilege 3984 vbc.exe Token: SeRemoteShutdownPrivilege 3984 vbc.exe Token: SeUndockPrivilege 3984 vbc.exe Token: SeManageVolumePrivilege 3984 vbc.exe Token: SeImpersonatePrivilege 3984 vbc.exe Token: SeCreateGlobalPrivilege 3984 vbc.exe Token: 33 3984 vbc.exe Token: 34 3984 vbc.exe Token: 35 3984 vbc.exe Token: 36 3984 vbc.exe -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
15b7e0abf99ca0d676029e8b22498209_JaffaCakes118.exevbc.exedescription pid process target process PID 2736 wrote to memory of 3984 2736 15b7e0abf99ca0d676029e8b22498209_JaffaCakes118.exe vbc.exe PID 2736 wrote to memory of 3984 2736 15b7e0abf99ca0d676029e8b22498209_JaffaCakes118.exe vbc.exe PID 2736 wrote to memory of 3984 2736 15b7e0abf99ca0d676029e8b22498209_JaffaCakes118.exe vbc.exe PID 2736 wrote to memory of 3984 2736 15b7e0abf99ca0d676029e8b22498209_JaffaCakes118.exe vbc.exe PID 2736 wrote to memory of 3984 2736 15b7e0abf99ca0d676029e8b22498209_JaffaCakes118.exe vbc.exe PID 2736 wrote to memory of 3984 2736 15b7e0abf99ca0d676029e8b22498209_JaffaCakes118.exe vbc.exe PID 2736 wrote to memory of 3984 2736 15b7e0abf99ca0d676029e8b22498209_JaffaCakes118.exe vbc.exe PID 2736 wrote to memory of 3984 2736 15b7e0abf99ca0d676029e8b22498209_JaffaCakes118.exe vbc.exe PID 2736 wrote to memory of 3984 2736 15b7e0abf99ca0d676029e8b22498209_JaffaCakes118.exe vbc.exe PID 2736 wrote to memory of 3984 2736 15b7e0abf99ca0d676029e8b22498209_JaffaCakes118.exe vbc.exe PID 2736 wrote to memory of 3984 2736 15b7e0abf99ca0d676029e8b22498209_JaffaCakes118.exe vbc.exe PID 2736 wrote to memory of 3984 2736 15b7e0abf99ca0d676029e8b22498209_JaffaCakes118.exe vbc.exe PID 2736 wrote to memory of 3984 2736 15b7e0abf99ca0d676029e8b22498209_JaffaCakes118.exe vbc.exe PID 2736 wrote to memory of 3984 2736 15b7e0abf99ca0d676029e8b22498209_JaffaCakes118.exe vbc.exe PID 3984 wrote to memory of 1508 3984 vbc.exe System32.exe PID 3984 wrote to memory of 1508 3984 vbc.exe System32.exe PID 3984 wrote to memory of 1508 3984 vbc.exe System32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\15b7e0abf99ca0d676029e8b22498209_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\15b7e0abf99ca0d676029e8b22498209_JaffaCakes118.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Users\Admin\AppData\Local\Temp\vbc.exeC:\Users\Admin\AppData\Local\Temp\vbc.exe2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3984 -
C:\Windows\SysWOW64\System32.exe"C:\Windows\system32\System32.exe"3⤵
- Executes dropped EXE
PID:1508
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB
MD5d881de17aa8f2e2c08cbb7b265f928f9
SHA108936aebc87decf0af6e8eada191062b5e65ac2a
SHA256b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
SHA5125f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34