Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-08-2024 03:00

General

  • Target

    7eeef1990b0a4af6b465c10a86880b66_JaffaCakes118.exe

  • Size

    384KB

  • MD5

    7eeef1990b0a4af6b465c10a86880b66

  • SHA1

    b4f69cb08bcd395a2c7bce52a61e13d78ee6fd8c

  • SHA256

    50468539cb23b07d310e2a1de807662e57715bd844d6d2aa3be7d7fac7b87f01

  • SHA512

    3f4035d9f663d7812ead85960028bd25402e8667335353ae8f49cda35db6785c9e907f0efdd6286c2d38522569f9f982c7c43f3c170cfebac747e6e3cb242af3

  • SSDEEP

    6144:gT+zyLfDv+c5yhqNM/s6OL06yVn61oTdWfOgXGebZM/EWhx+DHGnxZ:gT+zeDVAhqIzWwuoTLgXhVM/EK4Dmj

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

127.0.0.1:1604

Mutex

DC_MUTEX-F54S21D

Attributes
  • gencode

    pYHN7iXDsAb9

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7eeef1990b0a4af6b465c10a86880b66_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7eeef1990b0a4af6b465c10a86880b66_JaffaCakes118.exe"
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2208
    • C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2864

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2208-0-0x0000000000400000-0x00000000004CB000-memory.dmp

    Filesize

    812KB

  • memory/2208-1-0x0000000000290000-0x0000000000291000-memory.dmp

    Filesize

    4KB

  • memory/2208-4-0x0000000000400000-0x00000000004CB000-memory.dmp

    Filesize

    812KB

  • memory/2864-2-0x0000000000400000-0x00000000004CB000-memory.dmp

    Filesize

    812KB