Overview

overview

10

Static

static

3

6b26b953fc...18.exe

windows7-x64

10

6b26b953fc...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-07-2024 09:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6b26b953fc279e0883d5ee11354b8661_JaffaCakes118.exe

  • Size

    1.2MB

  • MD5

    6b26b953fc279e0883d5ee11354b8661

  • SHA1

    04bc5e768bf5ccfd82fa9f833b167d4a45ce7420

  • SHA256

    8215ca9e02357b4a0019f8813a658a26adbbce59ae3bafb963bfbe0cec81db57

  • SHA512

    7e76dce8705d2efd2d263938c955c612e865479e876c0406542cd2bfe73096a1dcecac0d740522abd0fb605a3299157a4959ce8425e93734f9dc4dd3bec61d03

  • SSDEEP

    24576:LsUgX+vFcZsyFmHraK8HXhSQcQzH4cGFq0mp7EAOit5OQmF5Rgcj7TK:opgc2yYHW73c+4cGQ0mzZy5fT

Score
10/10
darkcometlatentbotyoutubediscoverypersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

YOUTUBE

C2

superduperfly75.zapto.org:1604

Mutex

DCMIN_MUTEX-N89DPZW

Attributes
  • gencode

    pMfPxC3iW6vG

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Extracted

Family

latentbot

C2

superduperfly75.zapto.org

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • LatentBot

    Modular trojan written in Delphi which has been in-the-wild since 2013.

    trojanlatentbot
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6b26b953fc279e0883d5ee11354b8661_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6b26b953fc279e0883d5ee11354b8661_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3528
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Utube.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Utube.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Suspicious use of SetThreadContext
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4768
      • C:\Users\Admin\AppData\Roaming\RES.exe
        C:\Users\Admin\AppData\Roaming\RES.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1260
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gawq5rty.cmdline"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4012
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9441.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcACE96C2A9E974A0D9BE24630962F12B4.TMP"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2016
      • C:\Users\Admin\AppData\Roaming\824898.exe
        "C:\Users\Admin\AppData\Roaming\824898.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1908
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\REFRAC~4.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\REFRAC~4.EXE
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4848

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\REFRAC~4.EXE
    Filesize

    38KB

    MD5

    1ee0feeaa8b4ec6d979089e77df7969f

    SHA1

    eb6d30151989b14b9072b9013cbb1f87561f85b5

    SHA256

    f44542297b74f9ff431da92f3757b86fe272ed88d70df4946f78cf4a062c95dd

    SHA512

    412f337e3fe16cfba7cb281c45b730c31a6749bcefeade449c780ca7971b8a9676636864e11723ef849c56802127380d85a84e69a4b0253c7860be786f96401f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Utube.exe
    Filesize

    1.5MB

    MD5

    ed46d29f422bd2fd6fac4ed2c51d8eaf

    SHA1

    655a109f5094adc7b4bde01cf28d204b42de7578

    SHA256

    d8ae8f0ca1db9160b3880adeaaae7dcfe532048d00286da703bb300ca9bd7c0c

    SHA512

    ac9e165b20030374d73b3a2a627ea4e8135e6da88d6fc080f4433d1e8fedafa0bcb30321b00b768d215e9771e3e984321fc862a3d11c0a7582528691ed845449

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RES9441.tmp
    Filesize

    1KB

    MD5

    560cdc24b2188f2d805c4d0b656eb026

    SHA1

    ceacb9a0ac7b7c669202dd19576913af7bdda369

    SHA256

    b5b5d7f45afaae35410dea0f51546c2bbce1f58f688981e9b60509bec1663184

    SHA512

    b64ac19e843462ecfc9a193b361215bd5f3ada5407f2b3bd3a0ff951e34c93d3aa0e8f52415edc4f138813fd64aafa31c3cd511c9b055e7f33b20fa7fefa7c0d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\gawq5rty.0.vb
    Filesize

    1KB

    MD5

    14a42f558f43589730af980523639c8d

    SHA1

    0cfdbaf72b2f28f1eea23b9a49649b0520e91756

    SHA256

    e57e06e9861b73edfdbd3e78f28ee05716b2fd4361ad3085eba86ba9705227ab

    SHA512

    41b8fa42b4fddd2f3df640a4f6b2966ead14df737b8201f3212b015464928746372448217b8e059ea8bc46acd630f449f30c2bc3e88b8b3d819c7c88601a14fe

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\gawq5rty.cmdline
    Filesize

    234B

    MD5

    cd1a18f9d0ee160baa3f67518efe9851

    SHA1

    04b6a3388c339cddd4c697ac13ec275e739b2ece

    SHA256

    670aede8136616628437d7202486aea2ffaf2a73e4fbc95c297bd49b0b633ffd

    SHA512

    df49148de7225f3a43fc39f8ab42d824cf1c2bfe492afc6b904a0667cd9be25c064a8f02905f9911328638227ebc664f00e599c08bd88f34e1691090e43612dc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\vbcACE96C2A9E974A0D9BE24630962F12B4.TMP
    Filesize

    880B

    MD5

    bd963f624f1dbee550dd48f72c97ad76

    SHA1

    4cc2cf901f372266acb45933c18d0637c6dc5ee1

    SHA256

    e29c3ef5adc6818c4090b4312e363eb32f96387d2f0b196045d9bc8f74255ba0

    SHA512

    97ebc5e940bfe6e49232e9bd7d819dc8775d1be622bf0f4961b3641baa110ad1167eb5facc96e3da84a08e9a5b223fb0c690e366c6cb8bb1104726e838205648

    Download Submit

  • C:\Users\Admin\AppData\Roaming\824898.exe
    Filesize

    7KB

    MD5

    80453b5eec319c12d32a4b9f076d8917

    SHA1

    e6a532e88af24eeb2cbf5e5d554bfde3ac946270

    SHA256

    5b2c23eb3a67b0a5a8e0bf446ef1c0bc3052fdffe679fdd75e032434c839a972

    SHA512

    d3188e2cdde56600d0333eb98498665e9bb279081457c7561d7d7b892f3810baa49ded978a2eab2849ef78cf4d220fe3787db0e6ef10f6c5515dddd58f706276

    Download Submit

  • C:\Users\Admin\AppData\Roaming\RES.exe
    Filesize

    1KB

    MD5

    f54b30f21b7b118bfeda2b1ed3482f84

    SHA1

    bde084ea60646dadabfed4eafe5bafceb4c11b99

    SHA256

    62bf121e7c7d3a221718d90de673ab23b9759765bb4aaed747883c7c7d08c2c5

    SHA512

    8431f8c37b0fbc1077eb0aef78ad2e10c11bb10e16ddbde833f568cbd69551e23c85aadcce4ddc71994a9fede59eca52bc99d595131c2264e4e9917abe87e44d

    Download Submit

  • memory/1260-54-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/1260-57-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/1260-25-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/1260-24-0x0000000002500000-0x0000000002501000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1260-18-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/1260-20-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/1260-66-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/1260-17-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/1260-14-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/1260-65-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/1260-64-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/1260-63-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/1260-62-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/1260-61-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/1260-60-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/1260-59-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/1260-26-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/1260-56-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/1260-53-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/1260-55-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/4012-29-0x0000000002370000-0x0000000002380000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4768-7-0x00000000747E2000-0x00000000747E3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4768-8-0x00000000747E0000-0x0000000074D91000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4768-41-0x00000000747E0000-0x0000000074D91000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4768-9-0x00000000747E0000-0x0000000074D91000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4848-52-0x0000000005310000-0x0000000005366000-memory.dmp

    Filesize

    344KB

    Download

  • memory/4848-51-0x0000000005170000-0x000000000517A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4848-50-0x0000000005270000-0x0000000005302000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4848-49-0x0000000005780000-0x0000000005D24000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4848-48-0x00000000050A0000-0x000000000513C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4848-47-0x00000000006D0000-0x00000000006E2000-memory.dmp

    Filesize

    72KB

    Download