Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    26-07-2024 15:02

General

  • Target

    7489d6d9182cfb315a028a9670a1eaa7_JaffaCakes118.exe

  • Size

    501KB

  • MD5

    7489d6d9182cfb315a028a9670a1eaa7

  • SHA1

    6248b643e2700e60960d7ea7911926310d6bdb41

  • SHA256

    539cb4699daed68cce319ba88bb97ed2211321ab7d8342370bcd958f3de6af38

  • SHA512

    8e795753a7818a5818f29586b57750f6e397475299924624d4a27fb9a8c81194bf16b7c6af108dbc4961b222dfe7a3cfedcf8c7be040bde27b3cf6ec485dc4ea

  • SSDEEP

    6144:+pnVaARrQbqPwZQU+gr+h8Ug1Dgpfd+5R8Kyt9oXtzYYjsUE+ksQIPSkh7h/SL:Wnka8AHeb405Rt9Je4/Skh9/S

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

speeed.zapto.org:15963

speeed.hopto.org:15963

Mutex

DC_MUTEX-WLBBHZN

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    3Vr9Alq967cJ

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7489d6d9182cfb315a028a9670a1eaa7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7489d6d9182cfb315a028a9670a1eaa7_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Loads dropped DLL
    • Adds Run key to start application
    • Writes to the Master Boot Record (MBR)
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2732
    • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2624
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        3⤵
        • Adds Run key to start application
        • Writes to the Master Boot Record (MBR)
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2604

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\Documents\MSDCSC\msdcsc.exe

    Filesize

    501KB

    MD5

    7489d6d9182cfb315a028a9670a1eaa7

    SHA1

    6248b643e2700e60960d7ea7911926310d6bdb41

    SHA256

    539cb4699daed68cce319ba88bb97ed2211321ab7d8342370bcd958f3de6af38

    SHA512

    8e795753a7818a5818f29586b57750f6e397475299924624d4a27fb9a8c81194bf16b7c6af108dbc4961b222dfe7a3cfedcf8c7be040bde27b3cf6ec485dc4ea

  • memory/2604-20-0x0000000000400000-0x0000000000568000-memory.dmp

    Filesize

    1.4MB

  • memory/2624-21-0x0000000000400000-0x0000000000567591-memory.dmp

    Filesize

    1.4MB

  • memory/2732-9-0x0000000000400000-0x0000000000567591-memory.dmp

    Filesize

    1.4MB

  • memory/2732-5-0x0000000000400000-0x0000000000567591-memory.dmp

    Filesize

    1.4MB

  • memory/2732-4-0x0000000000400000-0x0000000000567591-memory.dmp

    Filesize

    1.4MB

  • memory/2732-1-0x0000000000400000-0x0000000000567591-memory.dmp

    Filesize

    1.4MB

  • memory/2732-10-0x0000000000400000-0x0000000000567591-memory.dmp

    Filesize

    1.4MB

  • memory/2732-6-0x0000000000400000-0x0000000000567591-memory.dmp

    Filesize

    1.4MB

  • memory/2732-22-0x0000000004A00000-0x0000000004B68000-memory.dmp

    Filesize

    1.4MB

  • memory/2732-3-0x0000000000400000-0x0000000000567591-memory.dmp

    Filesize

    1.4MB

  • memory/2732-23-0x0000000004A00000-0x0000000004B68000-memory.dmp

    Filesize

    1.4MB

  • memory/2732-2-0x0000000000401000-0x00000000004EA000-memory.dmp

    Filesize

    932KB

  • memory/2732-24-0x0000000000401000-0x00000000004EA000-memory.dmp

    Filesize

    932KB