Analysis
max time kernel: 150s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 19-09-2024 13:31
Static task: static1
Behavioral task: behavioral1
  Sample: eb6f77a1338144f6c63a55ed5e8a79c0_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: eb6f77a1338144f6c63a55ed5e8a79c0_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: eb6f77a1338144f6c63a55ed5e8a79c0_JaffaCakes118.exe
Size: 810KB
MD5: eb6f77a1338144f6c63a55ed5e8a79c0
SHA1: eb3fd0679186ee458f24af93e95ccd5f504c559b
SHA256: 3390ed4ef3a99e04b9eff52e787a72fa1e9afb59eb93895344b577461d373e25
SHA512: 032dcd5ee33f9e67c9963b2a374116a0ad8191cce0fb750e9f9e73ff98dd34fa71351e7a0e99ab57e45a57ea15aa130e3bd0f2f696593ceed0d5931d466401f3
SSDEEP: 24576:xWwHivRnJlg5ngEn2kHj+Z0BW2/7nRn1Bk:xWwmRnJl+gEnVjwiZk
Malware Config
Extracted
darkcomet
Guest16_min
127.0.0.1:1604
DCMIN_MUTEX-H44XS6F
InstallPath: DCSCMIN\IMDCSC.exe
gencode: fZMsDSKWmpXJ
install: true
offline_keylogger: true
persistence: false
reg_key: DarkComet RAT
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: Crypted.exe
  description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"; process: Crypted.exe
Executes dropped EXE (2 IoCs)
Processes: Crypted.exe, IMDCSC.exe
  pid: 2200; process: Crypted.exe
  pid: 2384; process: IMDCSC.exe
Loads dropped DLL (4 IoCs)
Processes: eb6f77a1338144f6c63a55ed5e8a79c0_JaffaCakes118.exe, Crypted.exe
  pid: 2792; process: eb6f77a1338144f6c63a55ed5e8a79c0_JaffaCakes118.exe
  pid: 2792; process: eb6f77a1338144f6c63a55ed5e8a79c0_JaffaCakes118.exe
  pid: 2200; process: Crypted.exe
  pid: 2200; process: Crypted.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: Crypted.exe
  description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"; process: Crypted.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: eb6f77a1338144f6c63a55ed5e8a79c0_JaffaCakes118.exe, Crypted.exe, IMDCSC.exe
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; process: eb6f77a1338144f6c63a55ed5e8a79c0_JaffaCakes118.exe
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; process: Crypted.exe
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; process: IMDCSC.exe
Suspicious use of AdjustPrivilegeToken (46 IoCs)
Processes: Crypted.exe, IMDCSC.exe
  pid 2200 (Crypted.exe), tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  pid 2384 (IMDCSC.exe), tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: IMDCSC.exe
  pid: 2384; process: IMDCSC.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: eb6f77a1338144f6c63a55ed5e8a79c0_JaffaCakes118.exe, Crypted.exe
  PID 2792 (eb6f77a1338144f6c63a55ed5e8a79c0_JaffaCakes118.exe) wrote to memory of PID 2200 (Crypted.exe), 4 times
  PID 2200 (Crypted.exe) wrote to memory of PID 2384 (IMDCSC.exe), 4 times
Processes
C:\Users\Admin\AppData\Local\Temp\eb6f77a1338144f6c63a55ed5e8a79c0_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\eb6f77a1338144f6c63a55ed5e8a79c0_JaffaCakes118.exe"
  PID: 2792
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Crypted.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
    PID: 2200
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
      command line: "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
      PID: 2384
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Downloads
Filesize: 660KB
MD5: 1513b3dead4e9eb7a80a518b60eee0f1
SHA1: a6d08a86c32fabdc4d4ddd3c58d714aed6a71e80
SHA256: 4cb7202759c7c58f632320ccc862d4a8e158c6c1b05de7a2ba6e322ee2a9645f
SHA512: b7a0606e41d9476c734cd2492bea3810a5fcdd14bce6fc3951dd86e10dc58c5c052049924087d87a12abcc23f8e5c4fa4bbff05697a24234ecd36635f64490e9