Analysis

  • max time kernel
    141s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-10-2024 12:39

General

  • Target

    05d9f7a1325dbec8552ac29083abba7d_JaffaCakes118.exe

  • Size

    728KB

  • MD5

    05d9f7a1325dbec8552ac29083abba7d

  • SHA1

    3cae39bbc9b45a44c3a6b6065a17214cee4cdfb6

  • SHA256

    7de4c40e00da26fffce0d8443b3c7052f79133aead3b1d0114c47c3340a82131

  • SHA512

    8f1cdeed5668ee85a4ac0d0c602d75e1a8e06be40be861623cec589e3a8f057cafa2df824f8ca51e96fd83585ea15e65087d7fd3ad5195a08a9ca06480d24a1f

  • SSDEEP

    12288:47UetrD931Zsa4Nx/8Js5oT2D/5RiQhUUQUtLue4v5teBn6rlvh2aPEnNBt/oTiD:eDp1ZiNxUJaoT2D/XxUUQUtauUZ2aMpJ

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16_min

C2

95.37.231.94:60561

Mutex

DCMIN_MUTEX-YWC1YGK

Attributes
  • InstallPath

    DCSCMIN\IMDCSC.exe

  • gencode

    qpkAqz9YSLLL

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    DarkComet RAT

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up the country code configured in the registry, likely as a geofence check.

  • Executes dropped EXE (2 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (48 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\05d9f7a1325dbec8552ac29083abba7d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\05d9f7a1325dbec8552ac29083abba7d_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4992
    • C:\Users\Admin\AppData\Local\Temp\123.exe
      "C:\Users\Admin\AppData\Local\Temp\123.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4584
      • C:\Users\Admin\AppData\Local\Temp\DCSCMIN\IMDCSC.exe
        "C:\Users\Admin\AppData\Local\Temp\DCSCMIN\IMDCSC.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4480

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\123.exe

    Filesize

    658KB

    MD5

    1b14f7ae01bd2c55da49b474c66fd239

    SHA1

    4623c53d0e4acf2ebd5836440a68b87acabcfee6

    SHA256

    5c881bbe2b24ff0f177c0c3c4743de959b3633cb097be8ab4a6ca8f20ea085a0

    SHA512

    028ad9a28cba3f4bf8f62747cc2ad9b80cb3668b3f59791fd428a2549ef7f720d8c15e69ca8e47a348d13e5d3b3d594cf998d766928842a08bd480f8622c0822

  • memory/4480-24-0x0000000002020000-0x0000000002021000-memory.dmp

    Filesize

    4KB

  • memory/4480-26-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/4480-28-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/4584-12-0x00000000006D0000-0x00000000006D1000-memory.dmp

    Filesize

    4KB

  • memory/4584-25-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB