Malware Analysis Report

2024-10-19 07:33

Sample ID 240726-p2agpaydmp
Target 741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118
SHA256 53ecb9edade4262d5837c9fa4e1bc3dfa4fee2a2d4b3469caefe1345cfdd89dc
Tags
darkcomet guest16 discovery persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

53ecb9edade4262d5837c9fa4e1bc3dfa4fee2a2d4b3469caefe1345cfdd89dc

Threat Level: Known bad

The file 741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

darkcomet guest16 discovery persistence rat trojan

Darkcomet

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-26 12:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-26 12:48

Reported

2024-07-26 13:29

Platform

win7-20240708-en

Max time kernel

121s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe"

Signatures

Darkcomet

trojan rat darkcomet

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3032 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe
PID 3032 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe
PID 3032 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe
PID 3032 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe
PID 3032 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe
PID 3032 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe
PID 3032 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe
PID 3032 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe
PID 3032 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe
PID 3032 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe
PID 3032 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe
PID 3032 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe
PID 3032 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe

Processes

C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe

Network

N/A

Files

memory/3032-0-0x0000000074CCE000-0x0000000074CCF000-memory.dmp

memory/3032-1-0x00000000003A0000-0x000000000048A000-memory.dmp

memory/3032-2-0x00000000002F0000-0x00000000002FA000-memory.dmp

\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe

MD5 741f2201d2eed8facfa78ef34bb86ee4
SHA1 260759e0b822eaf96473eafc97b33653407c97a2
SHA256 53ecb9edade4262d5837c9fa4e1bc3dfa4fee2a2d4b3469caefe1345cfdd89dc
SHA512 b88503ed4716e5c6418f787784b3c9a3975e4f6600169732d7e527c9274216056c3fe17cdb7a4b91cd8db1eb6c2c14b78b1f01b495b7ac4b6768c7e6f7cf28af

memory/2020-4-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2020-6-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2020-9-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2020-17-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2020-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2020-14-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2020-13-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2020-12-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2020-11-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2020-8-0x0000000000400000-0x00000000004B4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-26 12:48

Reported

2024-07-26 13:33

Platform

win10v2004-20240709-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe"

Signatures

Darkcomet

trojan rat darkcomet

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3660 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe
PID 3660 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe
PID 3660 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe
PID 3660 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe
PID 3660 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe
PID 3660 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe
PID 3660 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe
PID 3660 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe
PID 3660 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe
PID 3660 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe
PID 3660 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe
PID 3660 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe
PID 3660 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe
PID 3660 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe

Processes

C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3048 -ip 3048

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 12

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 214.143.182.52.in-addr.arpa udp

Files

memory/3660-0-0x0000000074A6E000-0x0000000074A6F000-memory.dmp

memory/3660-1-0x00000000009A0000-0x0000000000A8A000-memory.dmp

memory/3660-2-0x0000000005370000-0x000000000540C000-memory.dmp

memory/3660-3-0x0000000001400000-0x000000000140A000-memory.dmp

memory/3048-4-0x0000000000400000-0x00000000004B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\741f2201d2eed8facfa78ef34bb86ee4_JaffaCakes118.exe

MD5 741f2201d2eed8facfa78ef34bb86ee4
SHA1 260759e0b822eaf96473eafc97b33653407c97a2
SHA256 53ecb9edade4262d5837c9fa4e1bc3dfa4fee2a2d4b3469caefe1345cfdd89dc
SHA512 b88503ed4716e5c6418f787784b3c9a3975e4f6600169732d7e527c9274216056c3fe17cdb7a4b91cd8db1eb6c2c14b78b1f01b495b7ac4b6768c7e6f7cf28af