Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-08-2024 02:12

General

  • Target

    ad80fab1b61eedd00adda7872a1b81f8_JaffaCakes118.exe

  • Size

    3.0MB

  • MD5

    ad80fab1b61eedd00adda7872a1b81f8

  • SHA1

    ab5ce17152b8363686e95f30bdc3adebe6976abe

  • SHA256

    a7e8eccf72d7f433cbe460d7b986b9044cbe4152a37717464c22cc5627997a43

  • SHA512

    6fb3ff62aaf54cb11a5ba8a4eea3255aecbca4c08169892a640182e0aad428b1a1f90361123f9d4b39d0640bc3497a94b00575bbad62b4dfd2221548b596b7c6

  • SSDEEP

    98304:bE3AkV49N65xEfyoc0GS+pkowEbUw6k8ZDz5:nkV49AxUyopGS+plwkUwSZz5

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

medoseleman.zapto.org:1604

Mutex

DC_MUTEX-YJYEBPK

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    tQiKsS04Yhz9

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Extracted

Family

latentbot

C2

medoseleman.zapto.org

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • LatentBot

    Modular trojan written in Delphi that has been in the wild since 2013.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 28 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 47 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ad80fab1b61eedd00adda7872a1b81f8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ad80fab1b61eedd00adda7872a1b81f8_JaffaCakes118.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2420
    • C:\Users\Admin\AppData\Local\Temp\D.exe
      C:\Users\Admin\AppData\Local\Temp/D.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2052
      • C:\Users\Admin\AppData\Local\Temp\ss.exe
        "C:\Users\Admin\AppData\Local\Temp\ss.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1104
        • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
          "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2800
    • C:\Users\Admin\AppData\Local\Temp\nLite-v1.3b-_Requires-.NET-Framework-v2.0_.exe
      C:\Users\Admin\AppData\Local\Temp/nLite-v1.3b-_Requires-.NET-Framework-v2.0_.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2364
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe" /nLite-v1.3b-_Requires-.NET-Framework-v2.0_.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2932
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bt8044.bat /nLite-v1.3b-_Requires-.NET-Framework-v2.0_.exe
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2216
          • C:\Windows\SysWOW64\xcopy.exe
            XCOPY "pskill.exe" "C:\Windows\system32" /y /i /s /e /r /v /k /f /c /h
            5⤵
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Enumerates system info in registry
            PID:2716
          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\incase.exe
            incase.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:1740
          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\nLite-1.3.beta.installer.exe
            nLite-1.3.beta.installer.exe /sp- /verysilent
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2812
            • C:\Users\Admin\AppData\Local\Temp\is-1T27T.tmp\is-G1NF0.tmp
              "C:\Users\Admin\AppData\Local\Temp\is-1T27T.tmp\is-G1NF0.tmp" /SL4 $60144 "C:\Users\Admin\AppData\Local\Temp\RarSFX0\nLite-1.3.beta.installer.exe" 1701773 52224 /sp- /verysilent
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in Program Files directory
              • System Location Discovery: System Language Discovery
              PID:2616
          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\pskill.exe
            pskill incase.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:900

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\incase.exe

    Filesize

    41KB

    MD5

    38d6c13045b5c999b1be7ccef4ac6af9

    SHA1

    d539c3c6a2b6b9d90651d13fae7fe4d084d2d778

    SHA256

    9e9dc28ec773f20483a98ad33743bbc526a73d1a1feaaa5c67a3fc0329d213a8

    SHA512

    c43144c025e5f2f3d50a9607b3078ce118307a45861beff80674ce3b6d6331986fe2a2e17edc88c8b55c8421b71cbbf4637bfdb509d5c21a5ab2e939caef344b

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\pskill.exe

    Filesize

    92KB

    MD5

    2e8a63a935822684bc3538a61749d9d2

    SHA1

    f76afcfba1f52fb8eb3e9c217d4a073117ee110a

    SHA256

    7ac2375c6569ad1f8e25ee7fc4a4ebcb0425bbd5ab19c2844f1580a8e0fcab76

    SHA512

    dcf63037bd7389900bddb1ec87168183d6ea6ff569ecb88e7fd52fe5a4d6c535931ea86b83d5e8300476e8b10677f3545b2e2eefe6df5ce877cfaade4e7444b0

  • C:\Users\Admin\AppData\Local\Temp\as.jpg

    Filesize

    82KB

    MD5

    1db7b97e3b5959d0a73b9a6d15c4631d

    SHA1

    2ccadb24698034f1fb436de84361f607b54f6bab

    SHA256

    d9a44df55f7be30fe3f06333e5bcba6aec4461eab3712e6b152f787b77949822

    SHA512

    a702bc2ddfcfbffc6b52be6b386e8fa84f2e25693fccd1685c97ef34bbc15cadff39ae063929c4271d770a969504a307a7eea9fb32a98b52b5a9991018e39fae

  • C:\Users\Admin\AppData\Local\Temp\bt8044.bat

    Filesize

    172B

    MD5

    d1aa79c4a4ee74dc36088bc2cdcefb03

    SHA1

    3a87a86750074a101648d21c5b7d6e3cccd96237

    SHA256

    bcef3b40ce623a6de3a565156a47fbd43c4e650c4397b1c50cf02fc2622a49e6

    SHA512

    5432459588a042f235a59e7cc2fee2a95628e0563576c27d57d13219fd6895903a6929d2a15f3730d711aa816abc81cffe7dbc8f4a701d08a26d6771202d2610

  • C:\Users\Admin\AppData\Local\Temp\is-1T27T.tmp\is-G1NF0.tmp

    Filesize

    652KB

    MD5

    581bb44526a65c02b388e1b8a83fe86c

    SHA1

    dc387f115977b5fb94d9c9084f33a1c231b50acb

    SHA256

    385a9bb48f5180984867f3bff1d327250d22ab4399137b343be291c370ee3699

    SHA512

    aab4cb6dd5ad4ebfded18748c5cd1a4361c154459f36a4cb49e32855b6866f92d3f065cd9cafa16e621a4216bb176f1554a8bbea7fd458b317eb1ff4c3c2bea1

  • C:\Users\Admin\AppData\Local\Temp\ss.exe

    Filesize

    236KB

    MD5

    e6fe8286d44317d33787347c5640a858

    SHA1

    f661c5dd1817cb5d90406e24cff58f7221b1b412

    SHA256

    38feffcabedffd4f81341730f0a6df18e44955ae145915fc2bb9c58b5f345fe5

    SHA512

    501ba1f84b1d73c4c8d701282efef770406811cd8bdc13082856c41e3d28fc8d4b3d77d7f6c67e22f003ed55911346993166ce62fb9a3fd6dcba38c09405416c

  • \Program Files (x86)\nLite\nLite.exe

    Filesize

    812KB

    MD5

    669b1691c822439faa70249d9258d854

    SHA1

    0343166b14d0f7f20d3a3053bed5e636604e906e

    SHA256

    1e01bf64a0f75c6ab498e4737e8c5ac28242871753bfe43a78dcea0e865c468a

    SHA512

    406fa1136184944a5a48791931f0368e7ffa734fc703dfdcc27055934f80934ca6fdc30a20b1df5dcaf03026d079a9bab71c190e860c4e53dd76f6583dea711a

  • \Program Files (x86)\nLite\unins000.exe

    Filesize

    662KB

    MD5

    97361664bd4b117d5d75b63c4108f148

    SHA1

    58f329d55ae9803356a53228488210d2efeae659

    SHA256

    5f758d4d79ff2a62c192a5a3a1ea91b373a27f72d36fdb7f41ca7b4e98df8c89

    SHA512

    fe9d2945f5e754cd4079e207125798429f55593235d818f0e8a8501faa23be07002283453935ed58009b10e4441287a51c433a5e23e8891d8a5c34c12c989a5d

  • \Users\Admin\AppData\Local\Temp\D.exe

    Filesize

    384KB

    MD5

    99d24ede3c3d5de90411be63606a3c9c

    SHA1

    e09322ee5106338d3f157dfe79dc54378ee7acc1

    SHA256

    0886acb74275903edf6453e70bcb3cf145cf071457f62496ea5729ebc045e466

    SHA512

    a95d22f08e43e98e4faa031599326a2e41619b782777fd9d7d1c8f5e6e09c7d179ba68d0fee9d626d560b10badf6d38b2370db9b1b4d624b3344c82b8d787741

  • \Users\Admin\AppData\Local\Temp\RarSFX0\install.exe

    Filesize

    146KB

    MD5

    1b288be8a2d937e60e328891276de40b

    SHA1

    5178897c4461614aced6f873f5f34e206a208e85

    SHA256

    2cf6874dda9e838bcfe0188788147186fe8ec6dcf18b53888d005e99d5dcdd11

    SHA512

    a8eb5d957603452f49fbc14286c61b6cb738df3e41e6886b68e20e87aa21ded61d64dcc723b0e6f10f8af7e81eeda52ba8b49b5e049983d7473c0ffc108f361f

  • \Users\Admin\AppData\Local\Temp\RarSFX0\nLite-1.3.beta.installer.exe

    Filesize

    1.8MB

    MD5

    8f16ee829248120fe8f667c02665b6aa

    SHA1

    916eed949e33d5f2b8612e4b09abf4cc9e7bf6eb

    SHA256

    9f4b52f1ef1a752a208d935624bfde700a716cd3ac80729122aee576c45e919c

    SHA512

    4017826b07a717356a7b5479d0304f694b0604dfba14920351aa62009f6096c1fb80efae76eb1fe33b5cdd18a315d3c2d0c60f7e4e5882201f7508efb9511af7

  • \Users\Admin\AppData\Local\Temp\is-EJUJ4.tmp\_isetup\_shfoldr.dll

    Filesize

    22KB

    MD5

    92dc6ef532fbb4a5c3201469a5b5eb63

    SHA1

    3e89ff837147c16b4e41c30d6c796374e0b8e62c

    SHA256

    9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

    SHA512

    9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

  • \Users\Admin\AppData\Local\Temp\nLite-v1.3b-_Requires-.NET-Framework-v2.0_.exe

    Filesize

    2.4MB

    MD5

    9ea9dd70099931d318352e9cbdef1910

    SHA1

    cee84845fdf648aec207554eab51bd34da4661db

    SHA256

    c5c338125a680b78ba49cb3a58e3d6ab3b53b5ffaaaa2f0192b529a9c950b3eb

    SHA512

    52c5f18f048e01713377bc855bbe9efbd4b3b3bf551e6d809342c6c909298adfcf2e4ddb7acd5d20ef17304e7b559a63a6086e6e466477ec39c3cccf19407976

  • memory/1104-225-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

  • memory/1104-114-0x0000000003640000-0x00000000036F8000-memory.dmp

    Filesize

    736KB

  • memory/1104-91-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

  • memory/1740-68-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/1740-69-0x0000000000320000-0x000000000036B000-memory.dmp

    Filesize

    300KB

  • memory/1740-222-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/2216-63-0x0000000000140000-0x000000000018B000-memory.dmp

    Filesize

    300KB

  • memory/2216-62-0x0000000000140000-0x000000000018B000-memory.dmp

    Filesize

    300KB

  • memory/2364-224-0x0000000000400000-0x0000000000446000-memory.dmp

    Filesize

    280KB

  • memory/2420-31-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

  • memory/2420-0-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

  • memory/2616-215-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/2800-235-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

  • memory/2800-231-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

  • memory/2800-240-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

  • memory/2800-239-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

  • memory/2800-226-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

  • memory/2800-227-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

  • memory/2800-228-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

  • memory/2800-229-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

  • memory/2800-230-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

  • memory/2800-238-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

  • memory/2800-232-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

  • memory/2800-233-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

  • memory/2800-234-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

  • memory/2800-117-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

  • memory/2800-236-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

  • memory/2800-237-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

  • memory/2812-73-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

  • memory/2812-216-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

  • memory/2932-223-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB