Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/07/2024, 13:13

General

  • Target

    634f31be903d4e65ad8b3a0267a3d6c0_JaffaCakes118.exe

  • Size

    520KB

  • MD5

    634f31be903d4e65ad8b3a0267a3d6c0

  • SHA1

    ba059c4291ed67ce276bf9632ff81755fb70caa6

  • SHA256

    816b8d84c864ab7ff7b322971b3aa3f9528889316b47d5ebefbc01bd9afe5fc7

  • SHA512

    3778542923cd0b5acc7b65492472ce4564fe54319bbbd96c095527b811b9a42c77407fff61fe02a5db54e64b5ad7a1b5de1d163d3cbaa094ce63ef39b5fdf74b

  • SSDEEP

    12288:G1kfgjd1A6jNaylJqJL0VLlmHd/cN+brXrWtTyFSCS:lgjk6jNaylU0Vg9/cN+XraaS

Malware Config

Extracted

Family

darkcomet

Botnet

retard

C2

parafron.no-ip.biz:100

Mutex

DC_MUTEX-NCUYYDW

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    H30PstbcYkSt

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  • Disables RegEdit via registry modification (1 IoC)
  • Executes dropped EXE (4 IoCs)
  • Loads dropped DLL (15 IoCs)
  • UPX packed file (3 IoCs)

    Detects executables packed with UPX or a modified UPX open-source packer.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken (46 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (54 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\634f31be903d4e65ad8b3a0267a3d6c0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\634f31be903d4e65ad8b3a0267a3d6c0_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1512
    • C:\Users\Admin\AppData\Local\Temp\Crypted.exe
      "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1952
      • C:\Users\Admin\AppData\Roaming\Stage2.exe
        "C:\Users\Admin\AppData\Roaming\Stage2.exe" x -y -oC:\Users\Admin\AppData\Roaming -pxnq8rPMxVI87ciGwWJHxRTy3iauHcIirteOOELv3B5vkS9kJoHBUAahY1dWxj8yA
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2952
      • C:\Users\Admin\AppData\Roaming\Stage1.exe
        "C:\Users\Admin\AppData\Roaming\Stage1.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2724
        • C:\Users\Admin\Desktop\MSDCSC\msdcsc.exe
          "C:\Users\Admin\Desktop\MSDCSC\msdcsc.exe"
          4⤵
          • Disables RegEdit via registry modification
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2924
          • C:\Windows\SysWOW64\notepad.exe
            notepad
            5⤵
              PID:2276

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Crypted.exe

      Filesize

      451KB

      MD5

      2b2da5103459934a48d05b147766718d

      SHA1

      fe4379b6bee31e3aff9c263cc0020699ac9d0852

      SHA256

      79282f9b6269118fb2c14ab32287a922f836514256fdadaf205ba3efe310722b

      SHA512

      ddeeba5a582719f0df38f33fc5d9fa3f5e4daed972565cfba191f65d9bc6acbb7ba211bed65b5b60ecf3cf8b0abc2759072571d037cb317194ab91a1689093c9

    • C:\Users\Admin\AppData\Roaming\Stage1.exe

      Filesize

      660KB

      MD5

      09bf018f3216c295f4ec053e1a26fd3c

      SHA1

      e4f6dd527077196369343712afacf05a22bbe318

      SHA256

      3990d8a59a7b3df913936b8243d470e1fde8ff214c130e737a7d045633f5680f

      SHA512

      f1e4a3b02308b251e5794b225f5ed395466eef7a14f0c41f69a4cf68df95fe89ab146d4fa3a8e922828c897aa86601c510535126f175de44369f7e8ec9879f60

    • \Users\Admin\AppData\Roaming\Stage2.exe

      Filesize

      357KB

      MD5

      2799863078b50af5d28e527841961500

      SHA1

      b74220f377299e42fcdd2c75ca84343958542720

      SHA256

      41aea843d59ffe60ff22328b740519aad8927fdf39f439ec0424ebb615679c33

      SHA512

      bf0685103977c27881cef4abaff777f490349db9ec5bd6f7167f98f390e0baf895af629442c15e0c2578b7b156c772e8ecf8d17917871b06b80828433eb38f14

    • memory/1952-16-0x0000000002680000-0x00000000026C3000-memory.dmp

      Filesize

      268KB

    • memory/1952-19-0x0000000002680000-0x00000000026C3000-memory.dmp

      Filesize

      268KB

    • memory/2276-86-0x00000000001D0000-0x00000000001D1000-memory.dmp

      Filesize

      4KB

    • memory/2276-48-0x00000000000D0000-0x00000000000D1000-memory.dmp

      Filesize

      4KB

    • memory/2724-44-0x0000000000400000-0x00000000004B4000-memory.dmp

      Filesize

      720KB

    • memory/2924-87-0x0000000000400000-0x00000000004B4000-memory.dmp

      Filesize

      720KB

    • memory/2924-88-0x0000000000400000-0x00000000004B4000-memory.dmp

      Filesize

      720KB

    • memory/2924-89-0x0000000000400000-0x00000000004B4000-memory.dmp

      Filesize

      720KB

    • memory/2952-24-0x0000000000230000-0x0000000000273000-memory.dmp

      Filesize

      268KB

    • memory/2952-27-0x0000000000400000-0x0000000000443000-memory.dmp

      Filesize

      268KB