Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/07/2024, 15:13

General

  • Target

    701e418837c6325340b5b4e3cdc30803_JaffaCakes118.exe

  • Size

    836KB

  • MD5

    701e418837c6325340b5b4e3cdc30803

  • SHA1

    ef21e96c4643f0c0736c6e33b25360d4e9f6674f

  • SHA256

    a6d49f10562fc3a4e5110847859ec9e69a1bf8ec0e6829dbca5c95c2ef68dc1f

  • SHA512

    69c5a99c0e44cd74ad4be7cc301ad348f0c99fe0cca3008daeb42c336250e4f0a2d9054ff6a1762d74276cce1c574307e035d66edc1405006b586ddd710ef3e5

  • SSDEEP

    24576:lKUxEfCEWTh5YfB9ElFmKfydKMzX5CHwhb8mjZ:lKEEqE8hG0mKKdjMQ/

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

darkcomet2013.no-ip.biz:1500

192.168.1.71:1500

Mutex

DC_MUTEX-YKTADE4

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    JjcA0G04gMqw

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 1 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Sets file to hidden 1 TTPs 8 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 7 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 22 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Views/modifies file attributes 1 TTPs 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\701e418837c6325340b5b4e3cdc30803_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\701e418837c6325340b5b4e3cdc30803_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1956
    • C:\Users\Admin\AppData\Local\Temp\hstj.exe
      "C:\Users\Admin\AppData\Local\Temp\hstj.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1736
      • C:\Users\Admin\AppData\Local\Temp\hstj.exe
        C:\Users\Admin\AppData\Local\Temp\hstj.exe
        3⤵
        • Modifies WinLogon for persistence
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2196
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\hstj.exe" +s +h
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2932
          • C:\Windows\SysWOW64\attrib.exe
            attrib "C:\Users\Admin\AppData\Local\Temp\hstj.exe" +s +h
            5⤵
            • Sets file to hidden
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:2960
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2876
          • C:\Windows\SysWOW64\attrib.exe
            attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
            5⤵
            • Sets file to hidden
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:1944
        • C:\Windows\SysWOW64\notepad.exe
          notepad
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1660
        • C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
          "C:\Windows\system32\MSDCSC\msdcsc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2924
          • C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
            C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
            5⤵
            • Modifies WinLogon for persistence
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2648
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2272
              • C:\Windows\SysWOW64\attrib.exe
                attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
                7⤵
                • Sets file to hidden
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Views/modifies file attributes
                PID:824
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1360
              • C:\Windows\SysWOW64\attrib.exe
                attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
                7⤵
                • Sets file to hidden
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Views/modifies file attributes
                PID:2944
            • C:\Windows\SysWOW64\notepad.exe
              notepad
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2092
            • C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe
              "C:\Windows\system32\MSDCSC\JjcA0G04gMqw\msdcsc.exe"
              6⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:336
              • C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe
                C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe
                7⤵
                • Modifies WinLogon for persistence
                • Executes dropped EXE
                • Loads dropped DLL
                • Adds Run key to start application
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:2180
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe" +s +h
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2144
                  • C:\Windows\SysWOW64\attrib.exe
                    attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe" +s +h
                    9⤵
                    • Sets file to hidden
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Views/modifies file attributes
                    PID:1752
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw" +s +h
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2156
                  • C:\Windows\SysWOW64\attrib.exe
                    attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw" +s +h
                    9⤵
                    • Sets file to hidden
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Views/modifies file attributes
                    PID:304
                • C:\Windows\SysWOW64\notepad.exe
                  notepad
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2148
                • C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe
                  "C:\Windows\system32\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe"
                  8⤵
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Suspicious use of SetThreadContext
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of SetWindowsHookEx
                  PID:2476
                  • C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe
                    C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe
                    9⤵
                    • Modifies WinLogon for persistence
                    • Modifies security service
                    • Windows security bypass
                    • Disables RegEdit via registry modification
                    • Executes dropped EXE
                    • Windows security modification
                    • Adds Run key to start application
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of SetWindowsHookEx
                    • System policy modification
                    PID:2116
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe" +s +h
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2732
                      • C:\Windows\SysWOW64\attrib.exe
                        attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe" +s +h
                        11⤵
                        • Sets file to hidden
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Views/modifies file attributes
                        PID:1552
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw" +s +h
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2736
                      • C:\Windows\SysWOW64\attrib.exe
                        attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw" +s +h
                        11⤵
                        • Sets file to hidden
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Views/modifies file attributes
                        PID:1268
                    • C:\Windows\SysWOW64\notepad.exe
                      notepad
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1708
    • C:\Users\Admin\AppData\Local\Temp\Hack Steam V1.0 By Drikershack.exe
      "C:\Users\Admin\AppData\Local\Temp\Hack Steam V1.0 By Drikershack.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1712

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Hack Steam V1.0 By Drikershack.exe

    Filesize

    78KB

    MD5

    c8083b3690812fd277fb980f46d68b16

    SHA1

    7fa7426988fe56396e089b2b0d9b50f8e3159436

    SHA256

    57e1e5f734ea8d0d1aebf39a6aeb8a26ccba872dd47bb282fe439987efe10aed

    SHA512

    f402bd9aee318c32d2f8e74fc937e88116d96bb1619910020bac28ac1b05f00a1825f34d544ad4debb23e7c0cce1a214c1ba72d56808eb51a5d1933a6a8b3ef6

  • C:\Users\Admin\AppData\Local\Temp\hstj.exe

    Filesize

    725KB

    MD5

    7bbe2da9d59af22de8ef4ae7a9c4d94d

    SHA1

    d699be178976118eb2ebb193144ce173031cdf2b

    SHA256

    db940a7ef59596660c87b4bc91e0cbd4cd46e7853dca836348bf046b68fde50a

    SHA512

    4415847ac260501d9d0ef447a6e4e74489c8ae53e9fd8ae4d01cf97adb733ec6dccb02bdd344d6713b7d7ac367e4045ba97121c02c92d582d172c9d0417e620a

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-940600906-3464502421-4240639183-1000\699c4b9cdebca7aaea5193cae8a50098_c13b6b87-25b1-4e34-a420-7feacfe0b8db

    Filesize

    50B

    MD5

    5b63d4dd8c04c88c0e30e494ec6a609a

    SHA1

    884d5a8bdc25fe794dc22ef9518009dcf0069d09

    SHA256

    4d93c22555b3169e5c13716ca59b8b22892c69b3025aea841afe5259698102fd

    SHA512

    15ff8551ac6b9de978050569bcdc26f44dfc06a0eaf445ac70fd45453a21bdafa3e4c8b4857d6a1c3226f4102a639682bdfb71d7b255062fb81a51c9126896cb

  • memory/336-185-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/336-161-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/1660-76-0x0000000000150000-0x0000000000151000-memory.dmp

    Filesize

    4KB

  • memory/1660-48-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB

  • memory/1712-38-0x00000000003D0000-0x00000000003EC000-memory.dmp

    Filesize

    112KB

  • memory/1736-23-0x0000000000370000-0x0000000000392000-memory.dmp

    Filesize

    136KB

  • memory/1736-43-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/1736-12-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/1736-13-0x0000000000020000-0x0000000000023000-memory.dmp

    Filesize

    12KB

  • memory/1956-0-0x000007FEF5433000-0x000007FEF5434000-memory.dmp

    Filesize

    4KB

  • memory/1956-41-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

    Filesize

    9.9MB

  • memory/1956-2-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

    Filesize

    9.9MB

  • memory/1956-1-0x0000000000940000-0x0000000000950000-memory.dmp

    Filesize

    64KB

  • memory/2180-223-0x0000000003E40000-0x0000000003E62000-memory.dmp

    Filesize

    136KB

  • memory/2196-32-0x0000000000400000-0x00000000004BD000-memory.dmp

    Filesize

    756KB

  • memory/2196-89-0x0000000000400000-0x00000000004BD000-memory.dmp

    Filesize

    756KB

  • memory/2196-31-0x0000000000400000-0x00000000004BD000-memory.dmp

    Filesize

    756KB

  • memory/2196-30-0x0000000000400000-0x00000000004BD000-memory.dmp

    Filesize

    756KB

  • memory/2196-28-0x0000000000400000-0x00000000004BD000-memory.dmp

    Filesize

    756KB

  • memory/2196-26-0x0000000000400000-0x00000000004BD000-memory.dmp

    Filesize

    756KB

  • memory/2196-29-0x0000000000400000-0x00000000004BD000-memory.dmp

    Filesize

    756KB

  • memory/2196-46-0x0000000000400000-0x00000000004BD000-memory.dmp

    Filesize

    756KB

  • memory/2196-34-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2196-35-0x0000000000400000-0x00000000004BD000-memory.dmp

    Filesize

    756KB

  • memory/2196-84-0x0000000005400000-0x0000000005422000-memory.dmp

    Filesize

    136KB

  • memory/2196-33-0x0000000000400000-0x00000000004BD000-memory.dmp

    Filesize

    756KB

  • memory/2196-24-0x0000000000400000-0x00000000004BD000-memory.dmp

    Filesize

    756KB

  • memory/2196-85-0x0000000005400000-0x0000000005422000-memory.dmp

    Filesize

    136KB

  • memory/2196-39-0x0000000000400000-0x00000000004BD000-memory.dmp

    Filesize

    756KB

  • memory/2196-37-0x0000000000400000-0x00000000004BD000-memory.dmp

    Filesize

    756KB

  • memory/2196-40-0x0000000000400000-0x00000000004BD000-memory.dmp

    Filesize

    756KB

  • memory/2476-231-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/2476-256-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/2648-153-0x0000000003E40000-0x0000000003E62000-memory.dmp

    Filesize

    136KB

  • memory/2924-115-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/2924-90-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB