Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
15-07-2024 03:52
General
-
Target
4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe
-
Size
692KB
-
MD5
4819ac7420498073e2f939de3bdcf120
-
SHA1
bd1a83e2b4987bee30a0f14cbaf685b26821d4e7
-
SHA256
718208741ba5d91b828e357adeb9622f9710c0d422f14846fce044c43adbfbf3
-
SHA512
ce1c2d4693a62bf8e832479c355caa4c79b38c6682a966390938bde724e5980ac87b7c081dc76809bd8f2d63ef3fa995f889b039c12c653ca9e0286cf27f8148
-
SSDEEP
12288:cXhpvNWw276S/DuoeFcfbmiJ99VPhYR5MTSHvLenELrWv1lZw4JuMkMh/fy452US:KnAw2WWeFcfbP9VPSPMTSPL/rWvzq4JC
Score
10/10
Malware Config
Extracted
Family
darkcomet
Botnet
12
C2
tomcol.no-ip.info:1604
Mutex
DC_MUTEX-FWUB5XJ
Attributes
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
u84K4144AzcZ
-
install
true
-
offline_keylogger
true
-
password
tomcol
-
persistence
false
-
reg_key
MicroUpdate
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 12 IoCs
-
Modifies firewall policy service 3 TTPs 3 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 1 IoCs
-
Sets file to hidden 1 TTPs 24 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 12 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 11 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 12 IoCs
-
Drops file in System32 directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
-
Modifies registry class 11 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 24 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe" +s +h2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe" +s +h3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad2⤵
- Deletes itself
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h4⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h4⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad3⤵
-
-
C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\msdcsc.exe"C:\Windows\system32\MSDCSC\u84K4144AzcZ\msdcsc.exe"3⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\msdcsc.exe" +s +h4⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\msdcsc.exe" +s +h5⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ" +s +h4⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ" +s +h5⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad4⤵
-
-
C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe"C:\Windows\system32\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe"4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe" +s +h5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe" +s +h6⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ" +s +h5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ" +s +h6⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad5⤵
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"5⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h7⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h7⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 3487⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\msdcsc.exe"C:\Windows\system32\MSDCSC\u84K4144AzcZ\msdcsc.exe"6⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\msdcsc.exe" +s +h7⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\msdcsc.exe" +s +h8⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ" +s +h7⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ" +s +h8⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad7⤵
-
-
C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe"C:\Windows\system32\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe"7⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe" +s +h8⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe" +s +h9⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ" +s +h8⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ" +s +h9⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad8⤵
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"8⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h9⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h10⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h9⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h10⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad9⤵
-
-
C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\msdcsc.exe"C:\Windows\system32\MSDCSC\u84K4144AzcZ\msdcsc.exe"9⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\msdcsc.exe" +s +h10⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\msdcsc.exe" +s +h11⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ" +s +h10⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ" +s +h11⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad10⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 18411⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe"C:\Windows\system32\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe"10⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe" +s +h11⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe" +s +h12⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ" +s +h11⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ" +s +h12⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad11⤵
-
-
C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe"C:\Windows\system32\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe"11⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe" +s +h12⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe" +s +h13⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ" +s +h12⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ" +s +h13⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad12⤵
-
-
C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\msdcsc.exe"C:\Windows\system32\MSDCSC\u84K4144AzcZ\msdcsc.exe"12⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\msdcsc.exe" +s +h13⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\msdcsc.exe" +s +h14⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ" +s +h13⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ" +s +h14⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad13⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 8414⤵
- Program crash
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1408 -ip 14081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4060 -ip 40601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3528 -ip 35281⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
692KB
MD54819ac7420498073e2f939de3bdcf120
SHA1bd1a83e2b4987bee30a0f14cbaf685b26821d4e7
SHA256718208741ba5d91b828e357adeb9622f9710c0d422f14846fce044c43adbfbf3
SHA512ce1c2d4693a62bf8e832479c355caa4c79b38c6682a966390938bde724e5980ac87b7c081dc76809bd8f2d63ef3fa995f889b039c12c653ca9e0286cf27f8148
-
Filesize
756KB
-
Filesize
756KB
-
Filesize
756KB
-
Filesize
756KB
-
Filesize
756KB
-
Filesize
756KB
-
Filesize
756KB
-
Filesize
756KB
-
Filesize
4KB
-
Filesize
756KB
-
Filesize
756KB
-
Filesize
756KB
-
Filesize
756KB
-
Filesize
756KB
-
Filesize
4KB
-
Filesize
756KB
-
Filesize
756KB
-
Filesize
756KB
-
Filesize
756KB
-
Filesize
4KB
-
Filesize
756KB