Overview

overview

10

Static

static

3

42b88a5156...18.exe

windows7-x64

10

42b88a5156...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    13-07-2024 17:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    42b88a5156dd010772f83d06a6d693a5_JaffaCakes118.exe

  • Size

    967KB

  • MD5

    42b88a5156dd010772f83d06a6d693a5

  • SHA1

    93e547a8b458dcb1b21c9ec0f81724b55fb9819e

  • SHA256

    6a0afda24907d20335516787f7ac098a43a23692c6b38e3eef869e865f32e27a

  • SHA512

    a6cab1d7b6e76227353bec86c6af1301a21e4a21c29a71d8d5b248a109ce263cffb3d196708eaa2e457a79039ac4009aa379e756648375d05e4ddc81cfac59c6

  • SSDEEP

    24576:UcAZIu92+1j8BcFRyRIrq13y804Zf3QJmj+utGWEpwDEF0R:UlCCUIJF23QcrtGY

Score
10/10
darkcometguest16persistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

pevjackrox.no-ip.biz :1604

Mutex

DC_MUTEX-Z2E3D3A

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    PAlGXZ6wkuf3

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    Microupdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\42b88a5156dd010772f83d06a6d693a5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\42b88a5156dd010772f83d06a6d693a5_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1068
    • C:\Users\Admin\AppData\Local\Temp\stub.exe
      "C:\Users\Admin\AppData\Local\Temp\stub.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2240
      • C:\MSDCSC\msdcsc.exe
        "C:\MSDCSC\msdcsc.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2912

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\stub.exe
    Filesize

    660KB

    MD5

    021db2874a864a5e58c528ebbdd01043

    SHA1

    87a4af89655b221ded037f64725d1650518f3d3a

    SHA256

    2e6a8499714988264f2210b856ced3af4655b66ec52a79a09a333eb5940af59f

    SHA512

    0050bfe82a6d4dfd42db041aeff1865b720d6f246b8e34cd4343dac50929f33066e10e9c030634ca234a369d1c7f62e0ba282c6fcb1306b93664421f58da2760

    Download Submit

  • memory/1068-28-0x0000000074A80000-0x000000007502B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1068-1-0x0000000074A80000-0x000000007502B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1068-2-0x0000000074A80000-0x000000007502B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1068-0-0x0000000074A81000-0x0000000074A82000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2240-12-0x00000000003E0000-0x00000000003E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2240-25-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

    Download

  • memory/2912-30-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

    Download

  • memory/2912-34-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

    Download

  • memory/2912-29-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

    Download

  • memory/2912-26-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

    Download

  • memory/2912-31-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

    Download

  • memory/2912-32-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

    Download

  • memory/2912-33-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

    Download

  • memory/2912-27-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

    Download

  • memory/2912-35-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

    Download

  • memory/2912-36-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

    Download

  • memory/2912-37-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

    Download

  • memory/2912-38-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

    Download

  • memory/2912-39-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

    Download

  • memory/2912-40-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

    Download