Overview

overview

10

Static

static

7

ea3d9a744b...18.exe

windows7-x64

10

ea3d9a744b...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-09-2024 00:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ea3d9a744be6d0f17244447058ef5e00_JaffaCakes118.exe

  • Size

    684KB

  • MD5

    ea3d9a744be6d0f17244447058ef5e00

  • SHA1

    a13b28b784070ae943adfa51285073bdb5d005dc

  • SHA256

    dc561c8b1084253ebe75538353ad115963a6c26bf4b02bce516d70ef9ef09bf6

  • SHA512

    28bf0771f2d423d31769f382d81c4058730e38cbd209eaad34342a6598b0f961da2dcdb59d9e0db3999354c471a7669abee2117d111fd600d0a146d0db1290ae

  • SSDEEP

    12288:eeS04QhRKKkoTAWuRRxUqbQPlCEXNuBu3Fxfa8XTMfWK8FpPxkk2f15ARISPu+gP:dl4hToTAWuRRBbQdpBzfaCOYukWviISw

Score
10/10
darkcometmodiloaderkaspersky anti-virusdiscoverypersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Kaspersky Anti-Virus

C2

mkidech.zapto.org:1604

Mutex

DC_MUTEX-QX72V3T

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    mCaGuBRkitKS

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • ModiLoader Second Stage 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ea3d9a744be6d0f17244447058ef5e00_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ea3d9a744be6d0f17244447058ef5e00_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2020
    • C:\Users\Admin\AppData\Local\Temp\Kaspersky Anti-Virus.exe
      "C:\Users\Admin\AppData\Local\Temp\Kaspersky Anti-Virus.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3528
      • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:512
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4360,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=4404 /prefetch:8
    1⤵
      PID:1336

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Kaspersky Anti-Virus.exe
      Filesize

      333KB

      MD5

      eca6f73f0bad1fc2b1bc66b97b198b30

      SHA1

      2a510aa61c64b7ce3bb4de4feb2674b173e73dff

      SHA256

      d62523db3e9420e99856deba7cddf411ede9467c225a90945b284e8e5baeb724

      SHA512

      710a9948a2f1cfe31683fd283b1e87430262c7f38801bb7f69c6cc2469ccaf665da206b811be22bb5f749d46da2e332573fa535ea66caf4016f5dc8d5cfc5af2

      Download Submit

    • memory/512-59-0x0000000000400000-0x00000000004E9000-memory.dmp

      Filesize

      932KB

      Download

    • memory/512-51-0x0000000000400000-0x00000000004E9000-memory.dmp

      Filesize

      932KB

      Download

    • memory/512-49-0x0000000000400000-0x00000000004E9000-memory.dmp

      Filesize

      932KB

      Download

    • memory/512-47-0x00000000779A0000-0x0000000077A90000-memory.dmp

      Filesize

      960KB

      Download

    • memory/512-46-0x0000000000400000-0x00000000004E9000-memory.dmp

      Filesize

      932KB

      Download

    • memory/512-45-0x0000000000400000-0x00000000004E9000-memory.dmp

      Filesize

      932KB

      Download

    • memory/512-44-0x00000000779A0000-0x0000000077A90000-memory.dmp

      Filesize

      960KB

      Download

    • memory/2020-3-0x0000000000B50000-0x0000000000B60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2020-1-0x0000000000AE0000-0x0000000000B2E000-memory.dmp

      Filesize

      312KB

      Download

    • memory/2020-12-0x00000000779A0000-0x0000000077A90000-memory.dmp

      Filesize

      960KB

      Download

    • memory/2020-11-0x00000000779A0000-0x0000000077A90000-memory.dmp

      Filesize

      960KB

      Download

    • memory/2020-10-0x00000000779A0000-0x0000000077A90000-memory.dmp

      Filesize

      960KB

      Download

    • memory/2020-23-0x0000000000400000-0x00000000004F2000-memory.dmp

      Filesize

      968KB

      Download

    • memory/2020-25-0x0000000000AE0000-0x0000000000B2E000-memory.dmp

      Filesize

      312KB

      Download

    • memory/2020-0-0x00000000007B0000-0x00000000007B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2020-27-0x00000000779A0000-0x0000000077A90000-memory.dmp

      Filesize

      960KB

      Download

    • memory/2020-7-0x00000000779C0000-0x00000000779C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2020-6-0x0000000002490000-0x00000000024A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2020-2-0x0000000000400000-0x00000000004F2000-memory.dmp

      Filesize

      968KB

      Download

    • memory/2020-5-0x0000000002400000-0x0000000002410000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2020-9-0x00000000779A0000-0x0000000077A90000-memory.dmp

      Filesize

      960KB

      Download

    • memory/2020-4-0x0000000077C82000-0x0000000077C83000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3528-42-0x00000000779A0000-0x0000000077A90000-memory.dmp

      Filesize

      960KB

      Download

    • memory/3528-43-0x0000000000400000-0x00000000004E9000-memory.dmp

      Filesize

      932KB

      Download

    • memory/3528-28-0x00000000779A0000-0x0000000077A90000-memory.dmp

      Filesize

      960KB

      Download

    • memory/3528-24-0x0000000000400000-0x00000000004E9000-memory.dmp

      Filesize

      932KB

      Download