Analysis
-
max time kernel
28s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
05-07-2024 22:24
General
-
Target
272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe
-
Size
402KB
-
MD5
272b27c346bc90197560e4d20005e64d
-
SHA1
cf3477547e2db74b9f44f97290027a4c2b64418d
-
SHA256
a54a2e38e9474952b6a3663963178cc62b16b94d8f1fab0f4b1435cd1684c021
-
SHA512
9494016d3e5877b7763aa26aced3889c4f54541abd3a994204ada3b97e6e594b6b9cb84271b55b9a7ff5e99ce6e760280aab89957437566c20cc69061318fe31
-
SSDEEP
12288:0Zxks+GyLWj6oBNxzkGzpkQaiJXVedK1ZDEwjahP:0/+cBNxzkYkPiJleM9ba
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
http://klkjwre77638dfqwieuoi888.info/
Extracted
darkcomet
Guest16_min
para23.no-ip.biz:1604
DCMIN_MUTEX-QQSAEK6
-
InstallPath
DCSCMIN\IMDCSC.exe
-
gencode
TzBAaQZC6rwl
-
install
true
-
offline_keylogger
true
-
persistence
false
-
reg_key
DarkComet RAT
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Disables RegEdit via registry modification 2 IoCs
-
Disables Task Manager via registry modification
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
UPX packed file 34 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 48 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe"2⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Checks computer location settings
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Deletes itself
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exeFilesize
402KB
MD5272b27c346bc90197560e4d20005e64d
SHA1cf3477547e2db74b9f44f97290027a4c2b64418d
SHA256a54a2e38e9474952b6a3663963178cc62b16b94d8f1fab0f4b1435cd1684c021
SHA5129494016d3e5877b7763aa26aced3889c4f54541abd3a994204ada3b97e6e594b6b9cb84271b55b9a7ff5e99ce6e760280aab89957437566c20cc69061318fe31
-
C:\Windows\SYSTEM.INIFilesize
256B
MD5e4d109abd67e3edb10675f7c3a498519
SHA1624b3e106af51bc3a02e8bb27036015f872ded65
SHA256ba655322e9b9ef1478acfed3e635926a0aade2035847322e742e06975e77b515
SHA5128201acf9605db6e47dc1366649cba4c622710fd6c9d82a611b34366d4cfa73aa8c3c7df20555c3a32546320c11c7f9beecc1f4f45e86dad531c1bcedd02c746d
-
memory/2424-59-0x0000000003010000-0x000000000409E000-memory.dmpFilesize
16.6MB
-
memory/2424-41-0x0000000003010000-0x000000000409E000-memory.dmpFilesize
16.6MB
-
memory/2424-116-0x0000000002BA0000-0x0000000002BA2000-memory.dmpFilesize
8KB
-
memory/2424-114-0x0000000003010000-0x000000000409E000-memory.dmpFilesize
16.6MB
-
memory/2424-80-0x0000000003010000-0x000000000409E000-memory.dmpFilesize
16.6MB
-
memory/2424-79-0x0000000003010000-0x000000000409E000-memory.dmpFilesize
16.6MB
-
memory/2424-76-0x0000000003010000-0x000000000409E000-memory.dmpFilesize
16.6MB
-
memory/2424-52-0x0000000002BA0000-0x0000000002BA2000-memory.dmpFilesize
8KB
-
memory/2424-72-0x0000000003010000-0x000000000409E000-memory.dmpFilesize
16.6MB
-
memory/2424-70-0x0000000003010000-0x000000000409E000-memory.dmpFilesize
16.6MB
-
memory/2424-67-0x0000000000400000-0x0000000000527000-memory.dmpFilesize
1.2MB
-
memory/2424-66-0x0000000003010000-0x000000000409E000-memory.dmpFilesize
16.6MB
-
memory/2424-65-0x0000000003010000-0x000000000409E000-memory.dmpFilesize
16.6MB
-
memory/2424-64-0x0000000003010000-0x000000000409E000-memory.dmpFilesize
16.6MB
-
memory/2424-51-0x0000000002BB0000-0x0000000002BB1000-memory.dmpFilesize
4KB
-
memory/2424-42-0x0000000003010000-0x000000000409E000-memory.dmpFilesize
16.6MB
-
memory/2424-47-0x0000000003010000-0x000000000409E000-memory.dmpFilesize
16.6MB
-
memory/2424-58-0x0000000003010000-0x000000000409E000-memory.dmpFilesize
16.6MB
-
memory/2424-38-0x0000000003010000-0x000000000409E000-memory.dmpFilesize
16.6MB
-
memory/2424-61-0x0000000003010000-0x000000000409E000-memory.dmpFilesize
16.6MB
-
memory/2424-45-0x0000000003010000-0x000000000409E000-memory.dmpFilesize
16.6MB
-
memory/2424-48-0x0000000003010000-0x000000000409E000-memory.dmpFilesize
16.6MB
-
memory/2424-37-0x00000000009A0000-0x00000000009A1000-memory.dmpFilesize
4KB
-
memory/2424-75-0x0000000003010000-0x000000000409E000-memory.dmpFilesize
16.6MB
-
memory/2424-57-0x0000000003010000-0x000000000409E000-memory.dmpFilesize
16.6MB
-
memory/2424-46-0x0000000003010000-0x000000000409E000-memory.dmpFilesize
16.6MB
-
memory/2424-43-0x0000000000400000-0x0000000000527000-memory.dmpFilesize
1.2MB
-
memory/2424-40-0x0000000003010000-0x000000000409E000-memory.dmpFilesize
16.6MB
-
memory/2424-53-0x0000000002BA0000-0x0000000002BA2000-memory.dmpFilesize
8KB
-
memory/2424-54-0x0000000003010000-0x000000000409E000-memory.dmpFilesize
16.6MB
-
memory/2424-55-0x0000000003010000-0x000000000409E000-memory.dmpFilesize
16.6MB
-
memory/2424-56-0x0000000003010000-0x000000000409E000-memory.dmpFilesize
16.6MB
-
memory/2424-49-0x0000000003010000-0x000000000409E000-memory.dmpFilesize
16.6MB
-
memory/2516-7-0x00000000008E0000-0x00000000008E2000-memory.dmpFilesize
8KB
-
memory/2516-0-0x0000000002380000-0x000000000340E000-memory.dmpFilesize
16.6MB
-
memory/2516-4-0x0000000002380000-0x000000000340E000-memory.dmpFilesize
16.6MB
-
memory/2516-3-0x0000000002380000-0x000000000340E000-memory.dmpFilesize
16.6MB
-
memory/2516-10-0x00000000008E0000-0x00000000008E2000-memory.dmpFilesize
8KB
-
memory/2516-9-0x0000000002380000-0x000000000340E000-memory.dmpFilesize
16.6MB
-
memory/2516-36-0x0000000000400000-0x0000000000527000-memory.dmpFilesize
1.2MB
-
memory/2516-30-0x0000000002380000-0x000000000340E000-memory.dmpFilesize
16.6MB
-
memory/2516-5-0x0000000002380000-0x000000000340E000-memory.dmpFilesize
16.6MB
-
memory/2516-27-0x00000000008E0000-0x00000000008E2000-memory.dmpFilesize
8KB
-
memory/2516-8-0x0000000000940000-0x0000000000941000-memory.dmpFilesize
4KB
-
memory/2516-6-0x0000000002380000-0x000000000340E000-memory.dmpFilesize
16.6MB
-
memory/2516-13-0x00000000045C0000-0x00000000045C1000-memory.dmpFilesize
4KB
-
memory/2516-11-0x0000000002380000-0x000000000340E000-memory.dmpFilesize
16.6MB
-
memory/2516-12-0x00000000008E0000-0x00000000008E2000-memory.dmpFilesize
8KB