Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
-
submitted
01-07-2024 08:21
General
-
Target
1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe
-
Size
2.0MB
-
MD5
1a949339827c3534c314fc5cef076cfa
-
SHA1
8d171e83dcba6d417e1729061a35a3a94dd8a648
-
SHA256
fa6ca82b40ad7f1cad6350c10b9b1aca038ed678ba4705465f5eca4a9604a844
-
SHA512
97b87eb9a7b787923e7284a83a461bd24c2dac08fdc968364f8c3dfa937967af5b2ee4c524dc47a162942d16010e5cd67439222ac875aa9301769936400bfb64
-
SSDEEP
49152://CBhJF7gxl916Fy1xjK1egEVCa0cbKV:
Malware Config
Extracted
darkcomet
Guest16
192.168.178.27:1604
77.13.126.78:1604
DC_MUTEX-H9FGMQM
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
S0syElonRqL0
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 3 IoCs
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Modifies security service 2 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 4 IoCs
-
Adds policy Run key to start application 2 TTPs 4 IoCs
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Disables RegEdit via registry modification 2 IoCs
-
Disables Task Manager via registry modification
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
ASPack v2.12-2.42 1 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Executes dropped EXE 8 IoCs
-
Loads dropped DLL 18 IoCs
-
UPX packed file 13 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Modifies WinLogon 2 TTPs 2 IoCs
-
Drops file in System32 directory 7 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 3 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\SubSeven.exe"C:\Users\Admin\AppData\Local\Temp\SubSeven.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\PoisonIVY.exe"C:\Users\Admin\AppData\Local\Temp\PoisonIVY.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Bifrost.exe"C:\Users\Admin\AppData\Local\Temp\Bifrost.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\DarkComet.exe"C:\Users\Admin\AppData\Local\Temp\DarkComet.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\DarkComet.exe" +s +h4⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\DarkComet.exe" +s +h5⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h5⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\notepad.exenotepad4⤵
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"4⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"5⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\ProRat.exe"C:\Users\Admin\AppData\Local\Temp\ProRat.exe"3⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\fservice.exeC:\Windows\system32\fservice.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\services.exeC:\Windows\services.exe -XP5⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\NET.exeNET STOP srservice6⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP srservice7⤵
-
C:\Windows\SysWOW64\NET.exeNET STOP navapsvc6⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP navapsvc7⤵
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\ProRat.exe.bat4⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
5Registry Run Keys / Startup Folder
2Winlogon Helper DLL
2Active Setup
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
5Registry Run Keys / Startup Folder
2Winlogon Helper DLL
2Active Setup
1Create or Modify System Process
2Windows Service
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Bifrost.exeFilesize
48KB
MD500eb83e1bbfa6aec6d1e781a78bc0454
SHA1a8ccad37a9f10f1d8020cdbc98029795e316d869
SHA256a8e6e03de4677be7e8f8cf48b42abb3661f206ef26c5986df90813fca101d899
SHA51220e07ad6c3aab6320311cf30a5b766ecbaafc49b2f76a63d497ec5c5e30da9df440ca37841f6e4242581aece640afd500e70e04649a110451ef4c3e27b689daf
-
C:\Users\Admin\AppData\Local\Temp\DarkComet.exeFilesize
660KB
MD584df488c078e35518db1fd6c9aa9ba87
SHA17119a12be57f669ed9d936294eaa703a89398f48
SHA25658bee144b8930d90edac006468e5aefa0ecc44319d39cb3a6c9cf7cf13f68ca8
SHA512e09c90223d4215a44818c9a21aa897e0372dbd63119bd602d38818240bc040c1d93cebd794bb96fed01ff9055ca3a2b2e08c15a23490fc6c263d778f06003a04
-
C:\Users\Admin\AppData\Local\Temp\PoisonIVY.exeFilesize
9KB
MD52621bf0c4086f801874857ca07eeae8e
SHA132ee702ce14d148f58f9344e22a4b8e301e562c5
SHA25667f4623acc3ff4c84c4456e6f97a66d9ee2a148ce6a1aa1157b0aa362a379765
SHA51233aa74e279f628711347b6910a343f8aa3a8ed31ef4c3d2e9226f43a8b237e9162e37605d67d89c359c6448e657bb10b9d8defbccf0322a728043708a49fd544
-
C:\Users\Admin\AppData\Local\Temp\ProRat.exeFilesize
342KB
MD55ac46ad5d65132a31357942360786b2f
SHA1d8ba1b566f6bd314211feec4c1e2b3c3a2b9cb0a
SHA25617c96882c2196c97937a7d594c6a43bad447263fe1efb5933c9575361ff98ecb
SHA512c16957796155dcf64e467f413bfa6b3015a162e6454dfb6628523c0c6bb97deff5703d8616c0c8208123a95739ee9128c96ddf2a7e237a1e05e3a8f6036b5d35
-
C:\Users\Admin\AppData\Local\Temp\ProRat.exe.batFilesize
129B
MD50781898738882613a4fc080c5fd2e0fa
SHA1189dd18c413f16e9bb91a7fea1418b1e38cf14cf
SHA25682e7b490e2cac6acded0eb708f6f70d14d7aba0153482f7939b3e1c93fb9ad42
SHA51231ec42a845ea8065c96d9b3aef81c65d4c5476fd8ecedcfadc18503ad0d2daadc461e9b9f160c4855e1969a2b182dbc12b1ca3190d2f2ee8b47e92fb409d2f35
-
\Users\Admin\AppData\Local\Temp\SubSeven.exeFilesize
373KB
MD5a1f91ceb13bd21061479d9716f63d42d
SHA1e61ea5d2f230da5750235b1c7ea409393b8486e8
SHA256cb834303994b8cbc637af4088e3329691581b635dbe78c4f2d4f3ed4cffd3b5e
SHA512ad52194def19b51a4fd630fe50294b6d73aa0b523cf73f223d117c46af4d8e585eb703d335c826678a5ff87eea4b339469fec30f0f07f492837e98a69424d9b0
-
\Windows\SysWOW64\reginv.dllFilesize
36KB
MD5562e0d01d6571fa2251a1e9f54c6cc69
SHA183677ad3bc630aa6327253c7b3deffbd4a8ce905
SHA256c5b1d800c86d550c0b68c57c0d9911c1dd21df9e5e37e9e7bc032b5e66fdebe6
SHA512166e132432eca24061f7e7d0c58c0b286e971ae2bc50f7c890b7707dd5dede19fcd83a5f79b6fd3f93dd691e07ad9bc1bd05fe82ccaade1610282188571585ea
-
\Windows\SysWOW64\winkey.dllFilesize
13KB
MD5b4c72da9fd1a0dcb0698b7da97daa0cd
SHA1b25a79e8ea4c723c58caab83aed6ea48de7ed759
SHA25645d266269634ba2de70f179a26d7224111e677e66b38dff2802851b71ce4458f
SHA512f5f184416c5381d275bc093c9275e9fdb35c58e2c401d188aef097950013de6e43269da5d4dd5e7baea34735bd7de664d15fe487b2292fd66926c9845b0cd066
-
memory/572-107-0x0000000002FE0000-0x00000000031DC000-memory.dmpFilesize
2.0MB
-
memory/572-171-0x0000000000400000-0x00000000005FC000-memory.dmpFilesize
2.0MB
-
memory/572-102-0x0000000002FE0000-0x00000000031DC000-memory.dmpFilesize
2.0MB
-
memory/748-144-0x00000000002A0000-0x00000000002A1000-memory.dmpFilesize
4KB
-
memory/1200-155-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/1360-156-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/1400-43-0x000000007FFF0000-0x000000007FFF1000-memory.dmpFilesize
4KB
-
memory/1400-58-0x000000007EFC0000-0x000000007EFC6000-memory.dmpFilesize
24KB
-
memory/2012-80-0x0000000010000000-0x0000000010011000-memory.dmpFilesize
68KB
-
memory/2012-37-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/2012-34-0x0000000010000000-0x0000000010011000-memory.dmpFilesize
68KB
-
memory/2012-38-0x0000000010000000-0x0000000010011000-memory.dmpFilesize
68KB
-
memory/2360-178-0x0000000000400000-0x000000000050C000-memory.dmpFilesize
1.0MB
-
memory/2360-16-0x0000000000400000-0x000000000050C000-memory.dmpFilesize
1.0MB
-
memory/2448-36-0x0000000000BC0000-0x0000000000BC8000-memory.dmpFilesize
32KB
-
memory/2448-82-0x00000000748C0000-0x0000000074E6B000-memory.dmpFilesize
5.7MB
-
memory/2448-35-0x0000000000BC0000-0x0000000000BC8000-memory.dmpFilesize
32KB
-
memory/2448-72-0x0000000005100000-0x00000000052FC000-memory.dmpFilesize
2.0MB
-
memory/2448-14-0x0000000005000000-0x000000000510C000-memory.dmpFilesize
1.0MB
-
memory/2448-0-0x00000000748C1000-0x00000000748C2000-memory.dmpFilesize
4KB
-
memory/2448-68-0x0000000005100000-0x00000000052FC000-memory.dmpFilesize
2.0MB
-
memory/2448-7-0x0000000005000000-0x000000000510C000-memory.dmpFilesize
1.0MB
-
memory/2448-2-0x00000000748C0000-0x0000000074E6B000-memory.dmpFilesize
5.7MB
-
memory/2448-1-0x00000000748C0000-0x0000000074E6B000-memory.dmpFilesize
5.7MB
-
memory/2496-90-0x00000000030D0000-0x00000000032CC000-memory.dmpFilesize
2.0MB
-
memory/2496-174-0x0000000000400000-0x00000000005FC000-memory.dmpFilesize
2.0MB
-
memory/2496-96-0x00000000030D0000-0x00000000032CC000-memory.dmpFilesize
2.0MB
-
memory/2496-73-0x0000000000400000-0x00000000005FC000-memory.dmpFilesize
2.0MB
-
memory/2744-153-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/3004-111-0x0000000010000000-0x000000001000B000-memory.dmpFilesize
44KB
-
memory/3004-180-0x0000000000400000-0x00000000005FC000-memory.dmpFilesize
2.0MB
-
memory/3004-181-0x0000000010000000-0x000000001000B000-memory.dmpFilesize
44KB
-
memory/3004-183-0x0000000000400000-0x00000000005FC000-memory.dmpFilesize
2.0MB
-
memory/3004-185-0x0000000000400000-0x00000000005FC000-memory.dmpFilesize
2.0MB
-
memory/3004-186-0x0000000000400000-0x00000000005FC000-memory.dmpFilesize
2.0MB