Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240730-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-08-2024 07:22

General

  • Target

    7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe

  • Size

    592KB

  • MD5

    7fa2962d464a1e6aaff03c09cf7e538b

  • SHA1

    53ed1256ee387bd8fd015bba0bdc79d754d22c7c

  • SHA256

    f876c0b4cde4cf27754c95b605b62e1952f7c0416ac38a08db6178a895acb4c1

  • SHA512

    99f3f98690da192a7f495236501a40454fcf59bf62c5694f0208b5114886de50ccd23c2d8ad8911a41a670c39369585aa99140269a1534dbea0db4d6eaf6d2b9

  • SSDEEP

    6144:KdtifXN7XegqunP25EmcmiSZPoCE0H3tovCL6DJreQQf17E4oMkZ98gWNlPTGQQX:KOl7OgHP/kiSZBhtovE6SdOvINtTird

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

saw-88.no-ip.biz:1604

Mutex

DC_MUTEX-FAAE1T4

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    4chxqdwMXJlw

  • install

    true

  • offline_keylogger

    false

  • persistence

    true

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3760
    • C:\Windows\SysWOW64\notepad.exe
      notepad
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1860
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 424
        3⤵
        • Program crash
        PID:3940
    • C:\MSDCSC\msdcsc.exe
      "C:\MSDCSC\msdcsc.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1468
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3540
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1860 -ip 1860
    1⤵
      PID:3544

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\MSDCSC\msdcsc.exe

      Filesize

      592KB

      MD5

      7fa2962d464a1e6aaff03c09cf7e538b

      SHA1

      53ed1256ee387bd8fd015bba0bdc79d754d22c7c

      SHA256

      f876c0b4cde4cf27754c95b605b62e1952f7c0416ac38a08db6178a895acb4c1

      SHA512

      99f3f98690da192a7f495236501a40454fcf59bf62c5694f0208b5114886de50ccd23c2d8ad8911a41a670c39369585aa99140269a1534dbea0db4d6eaf6d2b9

    • memory/1468-80-0x0000000000400000-0x0000000000520000-memory.dmp

      Filesize

      1.1MB

    • memory/1468-79-0x00000000007B0000-0x00000000007F3000-memory.dmp

      Filesize

      268KB

    • memory/1468-76-0x0000000002B40000-0x0000000002B41000-memory.dmp

      Filesize

      4KB

    • memory/1468-72-0x00000000007B0000-0x00000000007F3000-memory.dmp

      Filesize

      268KB

    • memory/1468-70-0x0000000000400000-0x0000000000520000-memory.dmp

      Filesize

      1.1MB

    • memory/1860-11-0x0000000001250000-0x0000000001251000-memory.dmp

      Filesize

      4KB

    • memory/3540-77-0x0000000000400000-0x0000000000520000-memory.dmp

      Filesize

      1.1MB

    • memory/3760-6-0x00000000024D0000-0x00000000024D1000-memory.dmp

      Filesize

      4KB

    • memory/3760-8-0x00000000026C0000-0x00000000026C1000-memory.dmp

      Filesize

      4KB

    • memory/3760-3-0x0000000002280000-0x0000000002281000-memory.dmp

      Filesize

      4KB

    • memory/3760-4-0x0000000002260000-0x0000000002261000-memory.dmp

      Filesize

      4KB

    • memory/3760-5-0x0000000002450000-0x0000000002451000-memory.dmp

      Filesize

      4KB

    • memory/3760-74-0x00000000022B0000-0x00000000022F3000-memory.dmp

      Filesize

      268KB

    • memory/3760-71-0x0000000000400000-0x0000000000520000-memory.dmp

      Filesize

      1.1MB

    • memory/3760-0-0x0000000000400000-0x0000000000520000-memory.dmp

      Filesize

      1.1MB

    • memory/3760-7-0x00000000024A0000-0x00000000024A1000-memory.dmp

      Filesize

      4KB

    • memory/3760-2-0x0000000002480000-0x0000000002481000-memory.dmp

      Filesize

      4KB

    • memory/3760-1-0x00000000022B0000-0x00000000022F3000-memory.dmp

      Filesize

      268KB