Analysis
-
max time kernel
13s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
05-07-2024 22:24
General
-
Target
272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe
-
Size
402KB
-
MD5
272b27c346bc90197560e4d20005e64d
-
SHA1
cf3477547e2db74b9f44f97290027a4c2b64418d
-
SHA256
a54a2e38e9474952b6a3663963178cc62b16b94d8f1fab0f4b1435cd1684c021
-
SHA512
9494016d3e5877b7763aa26aced3889c4f54541abd3a994204ada3b97e6e594b6b9cb84271b55b9a7ff5e99ce6e760280aab89957437566c20cc69061318fe31
-
SSDEEP
12288:0Zxks+GyLWj6oBNxzkGzpkQaiJXVedK1ZDEwjahP:0/+cBNxzkYkPiJleM9ba
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
http://klkjwre77638dfqwieuoi888.info/
Extracted
darkcomet
Guest16_min
para23.no-ip.biz:1604
DCMIN_MUTEX-QQSAEK6
-
InstallPath
DCSCMIN\IMDCSC.exe
-
gencode
TzBAaQZC6rwl
-
install
true
-
offline_keylogger
true
-
persistence
false
-
reg_key
DarkComet RAT
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Disables RegEdit via registry modification 2 IoCs
-
Disables Task Manager via registry modification
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 53 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe"2⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exeFilesize
402KB
MD5272b27c346bc90197560e4d20005e64d
SHA1cf3477547e2db74b9f44f97290027a4c2b64418d
SHA256a54a2e38e9474952b6a3663963178cc62b16b94d8f1fab0f4b1435cd1684c021
SHA5129494016d3e5877b7763aa26aced3889c4f54541abd3a994204ada3b97e6e594b6b9cb84271b55b9a7ff5e99ce6e760280aab89957437566c20cc69061318fe31
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5eb16cc3010bdbabeee4d6517e72f6416
SHA1598d6ef3966a163c64cd0f061c3115a5d3a673e3
SHA2564ff89e3861f195b0afb777e488c5a57715f60ea34f6000195b07fb0b7fe7d876
SHA512886f6c8227ad25aeaf891e87319dce09bdc12692b3e452c4db0c68d01c5987cf937baff7fd4d6730eeb4ca19ceaf744ea24ea28c15996d6e9afaae0ce67980b2
-
memory/1068-11-0x0000000000390000-0x0000000000392000-memory.dmpFilesize
8KB
-
memory/2384-59-0x0000000002080000-0x000000000310E000-memory.dmpFilesize
16.6MB
-
memory/2384-57-0x0000000002080000-0x000000000310E000-memory.dmpFilesize
16.6MB
-
memory/2384-147-0x00000000040D0000-0x00000000040D2000-memory.dmpFilesize
8KB
-
memory/2384-80-0x00000000040D0000-0x00000000040D2000-memory.dmpFilesize
8KB
-
memory/2384-79-0x0000000005260000-0x0000000005261000-memory.dmpFilesize
4KB
-
memory/2384-52-0x0000000002080000-0x000000000310E000-memory.dmpFilesize
16.6MB
-
memory/2384-55-0x0000000002080000-0x000000000310E000-memory.dmpFilesize
16.6MB
-
memory/2384-61-0x0000000002080000-0x000000000310E000-memory.dmpFilesize
16.6MB
-
memory/2384-62-0x0000000002080000-0x000000000310E000-memory.dmpFilesize
16.6MB
-
memory/2384-63-0x00000000002E0000-0x00000000002E1000-memory.dmpFilesize
4KB
-
memory/2384-64-0x0000000002080000-0x000000000310E000-memory.dmpFilesize
16.6MB
-
memory/2384-56-0x0000000002080000-0x000000000310E000-memory.dmpFilesize
16.6MB
-
memory/2384-66-0x0000000002080000-0x000000000310E000-memory.dmpFilesize
16.6MB
-
memory/2384-58-0x0000000002080000-0x000000000310E000-memory.dmpFilesize
16.6MB
-
memory/2384-141-0x0000000002080000-0x000000000310E000-memory.dmpFilesize
16.6MB
-
memory/2384-54-0x0000000002080000-0x000000000310E000-memory.dmpFilesize
16.6MB
-
memory/2384-81-0x00000000040D0000-0x00000000040D2000-memory.dmpFilesize
8KB
-
memory/2384-65-0x0000000002080000-0x000000000310E000-memory.dmpFilesize
16.6MB
-
memory/3036-46-0x0000000001F40000-0x0000000001F42000-memory.dmpFilesize
8KB
-
memory/3036-20-0x0000000001F40000-0x0000000001F42000-memory.dmpFilesize
8KB
-
memory/3036-9-0x0000000002090000-0x000000000311E000-memory.dmpFilesize
16.6MB
-
memory/3036-4-0x0000000002090000-0x000000000311E000-memory.dmpFilesize
16.6MB
-
memory/3036-2-0x0000000002090000-0x000000000311E000-memory.dmpFilesize
16.6MB
-
memory/3036-10-0x0000000002090000-0x000000000311E000-memory.dmpFilesize
16.6MB
-
memory/3036-0-0x0000000002090000-0x000000000311E000-memory.dmpFilesize
16.6MB
-
memory/3036-7-0x0000000002090000-0x000000000311E000-memory.dmpFilesize
16.6MB
-
memory/3036-30-0x0000000001F40000-0x0000000001F42000-memory.dmpFilesize
8KB
-
memory/3036-26-0x0000000002090000-0x000000000311E000-memory.dmpFilesize
16.6MB
-
memory/3036-23-0x00000000039C0000-0x00000000039C1000-memory.dmpFilesize
4KB
-
memory/3036-5-0x00000000003A0000-0x00000000003A1000-memory.dmpFilesize
4KB
-
memory/3036-3-0x0000000002090000-0x000000000311E000-memory.dmpFilesize
16.6MB
-
memory/3036-50-0x0000000002090000-0x000000000311E000-memory.dmpFilesize
16.6MB
-
memory/3036-27-0x0000000002090000-0x000000000311E000-memory.dmpFilesize
16.6MB
-
memory/3036-49-0x0000000000400000-0x0000000000527000-memory.dmpFilesize
1.2MB
-
memory/3036-21-0x00000000039C0000-0x00000000039C1000-memory.dmpFilesize
4KB
-
memory/3036-6-0x0000000002090000-0x000000000311E000-memory.dmpFilesize
16.6MB
-
memory/3036-8-0x0000000002090000-0x000000000311E000-memory.dmpFilesize
16.6MB