Analysis

  • max time kernel: 141s
  • max time network: 145s
  • platform: windows7_x64
  • resource: win7-20240708-en
  • resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted: 11-08-2024 00:47

General

  • Target: 8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118.exe
  • Size: 1.6MB
  • MD5: 8857b84e74bd78ad49f04f6f8d0ce65a
  • SHA1: b9516b7c3e012535e0d75d01bf66cd661fbaeda0
  • SHA256: 3f48a0ac6fd7487e22566c17ca1eda2bc9bede54adb53cc12bcd6a6afd23cc71
  • SHA512: 4818fb05aa0f43ae4ebd1fe39331a4eaacd9213ba5a8921407a221eceec7b5f2ce9fd5299a24837d0e84e4adb4b1a328190631678b32da19ab6695308ab2ae61
  • SSDEEP: 49152:zPOhSRsMd24IAMVS5fBizT8JIJwzm1P/zqawHC44sv:7Oad24IBVpoqum1P/zqE44sv

Malware Config

Extracted

  • Family: darkcomet
  • Botnet: Guest16
  • C2:
    • black-ghost.no-ip.info:1604
    • 192.168.1.2:1604
  • Mutex: DC_MUTEX-3M3BF1V

Attributes

  • gencode: fXTP1ELrNGMR
  • install: false
  • offline_keylogger: true
  • persistence: false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Drops file in Drivers directory 1 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
  • Executes dropped EXE 3 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • AutoIT Executable 3 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2512
    • C:\Windows\Cheat Counter Strike.exe
      "C:\Windows\Cheat Counter Strike.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1340
    • C:\Windows\sara_sexy.exe
      C:\Windows/sara_sexy.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1856
      • C:\Windows\A new game and fun.exe
        "C:\Windows/A new game and fun.exe"
        3⤵
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2852
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    PID:2672

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\9.ico
    Filesize: 12KB
    MD5: 91c7c2ed9890658e1dbc71a8e616769d
    SHA1: ecdfa450d9e5bcbb13ad8d3052a75ec87f035180
    SHA256: 66ae7fb55a45294ccfd55d91cacf3d9cfc9a73d8f5dc657de29c4e6570bb3262
    SHA512: 91a59510622ab6f0f3f7a047546de6515301497540dc4af2d70b9b520811a62becc25212e35c7bcbd242985d3053244eca39d5b9273fc971501c8c3fc91deb0b

  • C:\Windows\A new game and fun.exe
    Filesize: 472KB
    MD5: c454ff16ee361aa3437cbd3652bb4c89
    SHA1: aa18bc928ccca208f089d0527bc5fa05040e2cbe
    SHA256: b8e204574f58ece85b3546e30a20610eab2a3ab8d2f8102099bab2e6e19acbc7
    SHA512: e14b021ee5dfe7707f69ed6892482cd4e70414d531f8c725a6004073d9d05114ecebe6725cf5092e09a4a9b32faf50a47a83378aeed464bf42c2ca95292f2604

  • C:\Windows\Cheat Counter Strike.exe
    Filesize: 663KB
    MD5: c0d1481589ba69abe6edde2c297ee5a2
    SHA1: 55c0da236cd39bcf9935d25a15c0c35ab257cfc6
    SHA256: cb1e144bca11f74425a9b52afaa443f07fca623e2a3834c142cf66c507386254
    SHA512: 52b6ab4a235bbcc5477654e63066bf13b26e1209bf4c20a170179cf275fe42a7a5d79bb373f74151c465ad7b091d4c9ca2c86b67147ab2e8910867c1974b6349

  • C:\Windows\sara_sexy.exe
    Filesize: 768KB
    MD5: 62cfa21a792fa76bcd8ce108afdf4517
    SHA1: f04702cd7c91085c840b95b2de4a6726cf13a838
    SHA256: 6febf4f5937805e186cbddd3e257719546f40c7b4b08052640c9c6927b66c490
    SHA512: 2a755a1ad3fe122b97c1c77b4f87ba1164ea752f3a2fda997566cdde9ed185c23668f937113013eeba8818fb015f145d951f793ab15b027ede6b72ff3769d1cc

  • memory/1340-59-0x0000000000400000-0x00000000004B5000-memory.dmp (Filesize: 724KB)
  • memory/1340-57-0x0000000000400000-0x00000000004B5000-memory.dmp (Filesize: 724KB)
  • memory/1340-29-0x00000000002F0000-0x00000000002F1000-memory.dmp (Filesize: 4KB)
  • memory/1340-55-0x0000000000400000-0x00000000004B5000-memory.dmp (Filesize: 724KB)
  • memory/1856-48-0x0000000000400000-0x00000000004B8000-memory.dmp (Filesize: 736KB)
  • memory/1856-42-0x00000000043F0000-0x00000000043F2000-memory.dmp (Filesize: 8KB)
  • memory/2512-28-0x0000000000400000-0x0000000000516000-memory.dmp (Filesize: 1.1MB)
  • memory/2512-0-0x0000000000400000-0x0000000000516000-memory.dmp (Filesize: 1.1MB)
  • memory/2512-26-0x0000000003360000-0x0000000003418000-memory.dmp (Filesize: 736KB)
  • memory/2672-43-0x00000000001C0000-0x00000000001C2000-memory.dmp (Filesize: 8KB)
  • memory/2852-53-0x0000000000400000-0x0000000000519000-memory.dmp (Filesize: 1.1MB)
  • memory/2852-49-0x0000000000400000-0x0000000000519000-memory.dmp (Filesize: 1.1MB)