Analysis

  • max time kernel
    141s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240802-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    11-08-2024 00:47

General

  • Target

    8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118.exe

  • Size

    1.6MB

  • MD5

    8857b84e74bd78ad49f04f6f8d0ce65a

  • SHA1

    b9516b7c3e012535e0d75d01bf66cd661fbaeda0

  • SHA256

    3f48a0ac6fd7487e22566c17ca1eda2bc9bede54adb53cc12bcd6a6afd23cc71

  • SHA512

    4818fb05aa0f43ae4ebd1fe39331a4eaacd9213ba5a8921407a221eceec7b5f2ce9fd5299a24837d0e84e4adb4b1a328190631678b32da19ab6695308ab2ae61

  • SSDEEP

    49152:zPOhSRsMd24IAMVS5fBizT8JIJwzm1P/zqawHC44sv:7Oad24IBVpoqum1P/zqE44sv

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

black-ghost.no-ip.info:1604

192.168.1.2:1604

Mutex

DC_MUTEX-3M3BF1V

Attributes
  • gencode

    fXTP1ELrNGMR

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Drops file in Drivers directory 1 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 3 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX or a modified build of the open-source UPX packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • AutoIT Executable 4 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in Windows directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1428
    • C:\Windows\Cheat Counter Strike.exe
      "C:\Windows\Cheat Counter Strike.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1128
    • C:\Windows\sara_sexy.exe
      C:\Windows/sara_sexy.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1328
      • C:\Windows\A new game and fun.exe
        "C:\Windows/A new game and fun.exe"
        3⤵
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1932
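The extracted config and the process tree above are enough to turn this report into a host-level hunt. The Python below is an added example, not part of the sandbox report or its tooling: it transcribes the report's C2 hosts and port, dropped-file paths and SHA256 values, adds generic checks for the IFEO Debugger and Run-key writes that the signatures describe, and runs them over constructed Sysmon-style event dicts (EventID 1, 3, 11, 13 and 22). The key names example.exe and Updater and the file dropped.bin in the sample events are placeholders, not indicators from the report. Two caveats a practitioner should keep in mind: 192.168.1.2 is a private address, so it is only meaningful inside the operator's own network, and the config reports install and persistence as false even though the tree shows a Run key added by A new game and fun.exe, so the Run-key check here does not depend on the config flags.

```python
# Added example: hunt for the report's DarkComet indicators in Sysmon-style events.
# Events are constructed dicts mimicking Sysmon fields; real ones would come from
# the Windows event log or a SIEM export.
import re

# Indicators transcribed from the report.
C2_HOSTS = {"black-ghost.no-ip.info", "192.168.1.2"}
C2_PORT = "1604"
DROPPED_FILES = {
    "c:\\windows\\cheat counter strike.exe",
    "c:\\windows\\sara_sexy.exe",
    "c:\\windows\\a new game and fun.exe",
}
SHA256S = {
    "3f48a0ac6fd7487e22566c17ca1eda2bc9bede54adb53cc12bcd6a6afd23cc71",  # submitted sample
    "cb1e144bca11f74425a9b52afaa443f07fca623e2a3834c142cf66c507386254",  # Cheat Counter Strike.exe
}
# Generic patterns for the IFEO-injection and Run-key signatures (the report does not name keys).
IFEO_RE = re.compile(r"\\image file execution options\\[^\\]+\\debugger$")
RUN_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\")
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files")


def norm_path(p: str) -> str:
    """Lower-case, strip quotes, unify slashes (the tree shows C:\\Windows/sara_sexy.exe)."""
    return p.strip().strip('"').replace("/", "\\").lower()


def sha256_of(hashes_field: str) -> str:
    """Pull the SHA256 out of a Sysmon 'Hashes' field such as 'MD5=...,SHA256=...'."""
    for part in hashes_field.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def match_event(ev: dict) -> list:
    """Return the indicator tags one event matches (empty list means clean)."""
    tags = []
    eid = ev.get("EventID")
    if eid == 1:  # ProcessCreate
        if norm_path(ev.get("Image", "")) in DROPPED_FILES:
            tags.append("dropped_exe_executed")
        if sha256_of(ev.get("Hashes", "")) in SHA256S:
            tags.append("known_hash")
    elif eid == 3:  # NetworkConnect
        dst = {ev.get("DestinationHostname", "").lower(), ev.get("DestinationIp", "")}
        if dst & C2_HOSTS and ev.get("DestinationPort") == C2_PORT:
            tags.append("darkcomet_c2")
    elif eid == 22:  # DNSQuery
        if ev.get("QueryName", "").lower() in C2_HOSTS:
            tags.append("darkcomet_c2_dns")
    elif eid == 11:  # FileCreate
        path = norm_path(ev.get("TargetFilename", ""))
        if path.startswith("c:\\windows\\system32\\drivers\\"):
            tags.append("file_in_drivers_dir")
        # An .exe written straight into C:\Windows (exactly two backslashes = no subdirectory).
        if path in DROPPED_FILES or (
            path.startswith("c:\\windows\\") and path.endswith(".exe") and path.count("\\") == 2
        ):
            tags.append("exe_dropped_in_windows_root")
    elif eid == 13:  # RegistryValueSet
        target = norm_path(ev.get("TargetObject", ""))
        details = norm_path(ev.get("Details", ""))
        if IFEO_RE.search(target) and not details.startswith(TRUSTED_DIRS):
            tags.append("ifeo_debugger_hijack")
        if RUN_RE.search(target) and details in DROPPED_FILES:
            tags.append("run_key_persistence")
    return tags


def hunt(events: list) -> list:
    """Return (index, tags) for every event that matched at least one indicator."""
    return [(i, match_event(ev)) for i, ev in enumerate(events) if match_event(ev)]


# Constructed events mirroring the report's tree; example.exe, Updater, dropped.bin are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\sara_sexy.exe", "CommandLine": "C:\\Windows/sara_sexy.exe",
     "Hashes": "SHA256=" + "0" * 64},
    {"EventID": 1, "Image": "C:\\Windows\\Cheat Counter Strike.exe",
     "Hashes": "MD5=c0d1481589ba69abe6edde2c297ee5a2,"
               "SHA256=cb1e144bca11f74425a9b52afaa443f07fca623e2a3834c142cf66c507386254"},
    {"EventID": 22, "QueryName": "black-ghost.no-ip.info"},
    {"EventID": 3, "DestinationIp": "192.168.1.2", "DestinationPort": "1604"},
    {"EventID": 13, "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\"
                                    "Image File Execution Options\\example.exe\\Debugger",
     "Details": "C:\\Windows\\A new game and fun.exe"},
    {"EventID": 13, "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Windows\\A new game and fun.exe"},
    {"EventID": 11, "TargetFilename": "C:\\Windows\\System32\\drivers\\dropped.bin"},
    {"EventID": 11, "TargetFilename": "C:\\Windows\\sara_sexy.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "Hashes": "SHA256=" + "1" * 64},
    {"EventID": 3, "DestinationHostname": "update.microsoft.com", "DestinationPort": "443"},
]

if __name__ == "__main__":
    for idx, tags in hunt(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["EventID"], tags)
```

The mutex DC_MUTEX-3M3BF1V is deliberately absent from the matcher: Sysmon does not log mutex creation, so that indicator is checked with a handle scan of live processes or a memory image rather than from event logs. The no-ip.info hostname is a dynamic DNS name, so the DNS-query check (EventID 22) is the more durable network indicator; the resolved IP can change between runs.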

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\aut978E.tmp

    Filesize

    768KB

    MD5

    62cfa21a792fa76bcd8ce108afdf4517

    SHA1

    f04702cd7c91085c840b95b2de4a6726cf13a838

    SHA256

    6febf4f5937805e186cbddd3e257719546f40c7b4b08052640c9c6927b66c490

    SHA512

    2a755a1ad3fe122b97c1c77b4f87ba1164ea752f3a2fda997566cdde9ed185c23668f937113013eeba8818fb015f145d951f793ab15b027ede6b72ff3769d1cc

  • C:\Users\Admin\AppData\Local\Temp\aut9A8B.tmp

    Filesize

    472KB

    MD5

    c454ff16ee361aa3437cbd3652bb4c89

    SHA1

    aa18bc928ccca208f089d0527bc5fa05040e2cbe

    SHA256

    b8e204574f58ece85b3546e30a20610eab2a3ab8d2f8102099bab2e6e19acbc7

    SHA512

    e14b021ee5dfe7707f69ed6892482cd4e70414d531f8c725a6004073d9d05114ecebe6725cf5092e09a4a9b32faf50a47a83378aeed464bf42c2ca95292f2604

  • C:\Windows\Cheat Counter Strike.exe

    Filesize

    663KB

    MD5

    c0d1481589ba69abe6edde2c297ee5a2

    SHA1

    55c0da236cd39bcf9935d25a15c0c35ab257cfc6

    SHA256

    cb1e144bca11f74425a9b52afaa443f07fca623e2a3834c142cf66c507386254

    SHA512

    52b6ab4a235bbcc5477654e63066bf13b26e1209bf4c20a170179cf275fe42a7a5d79bb373f74151c465ad7b091d4c9ca2c86b67147ab2e8910867c1974b6349

  • memory/1128-51-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/1128-55-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/1128-29-0x00000000006A0000-0x00000000006A1000-memory.dmp

    Filesize

    4KB

  • memory/1128-53-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/1328-27-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

  • memory/1328-47-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

  • memory/1428-28-0x0000000000400000-0x0000000000516000-memory.dmp

    Filesize

    1.1MB

  • memory/1428-0-0x0000000000400000-0x0000000000516000-memory.dmp

    Filesize

    1.1MB

  • memory/1932-50-0x0000000000400000-0x0000000000519000-memory.dmp

    Filesize

    1.1MB

  • memory/1932-46-0x0000000000400000-0x0000000000519000-memory.dmp

    Filesize

    1.1MB