Overview

overview

10

Static

static

3

24ce711ea3...18.exe

windows7-x64

10

24ce711ea3...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-10-2024 20:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe

  • Size

    2.5MB

  • MD5

    24ce711ea3798396150d70df3184fdbb

  • SHA1

    d339a73736b7dd931419b56898aeb8cb373cc1e8

  • SHA256

    ab7f8227177f84c781322b23009f32e372a53ba826a9a96b36a1ee0145b4e0ae

  • SHA512

    8a5ccacc7465f7a38f149d2ee3968ecd04b8927711a4aee134803748669fba4afef6fa21615bc48c02031394b89460932ba2a642b9a7fc2d3372b2386868fdbd

  • SSDEEP

    49152:ZeOYNw8+Cu9ifT5KzyrOTFfoPebTxc4w6SkNB9SEruYtUs72/eS:ZjtoVKzyrONoPMqkNBUErBtUs72eS

Score
10/10
darkcometlatentbothydra antivirüsdiscoveryevasionpersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Hydra Antivirüs

C2

127.0.0.1:1604

hydrahydra1907.zapto.org:1604
Mutex

DC_MUTEX-F1THYT4

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    fDsHmDftmeEj

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Extracted

Family

latentbot

C2

hydrahydra1907.zapto.org

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • LatentBot

    Modular trojan written in Delphi which has been in-the-wild since 2013.

    trojanlatentbot
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 5 IoCs
  • NTFS ADS 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 56 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1568
    • C:\Users\Admin\AppData\Local\Temp\24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe"
      2⤵
      • Checks BIOS information in registry
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2300
      • C:\Users\Admin\AppData\Local\Temp\24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
        C:\Users\Admin\AppData\Local\Temp\24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
        3⤵
        • Modifies WinLogon for persistence
        • Checks computer location settings
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1372
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe" +s +h
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1940
          • C:\Windows\SysWOW64\attrib.exe
            attrib "C:\Users\Admin\AppData\Local\Temp\24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe" +s +h
            5⤵
            • Sets file to hidden
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:1612
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          4⤵
          • System Location Discovery: System Language Discovery
          PID:692
          • C:\Windows\SysWOW64\attrib.exe
            attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
            5⤵
            • Sets file to hidden
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:4860
        • C:\Windows\SysWOW64\notepad.exe
          notepad
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2420
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 416
            5⤵
            • Program crash
            PID:3836
        • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
          "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4516
          • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
            "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
            5⤵
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • NTFS ADS
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:4168
            • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
              C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
              6⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:4960
              • C:\Windows\SysWOW64\notepad.exe
                notepad
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3448
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 352
                  8⤵
                  • Program crash
                  PID:1212
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2420 -ip 2420
    1⤵
      PID:2208
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3448 -ip 3448
      1⤵
        PID:3092

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\TEMP:E0EC633E
        Filesize

        128B

        MD5

        be8c82636789027835db2ce6816797db

        SHA1

        99accf6c947528e297e95f97a4bc94ee4d65761e

        SHA256

        36b1afe9ffcb9675badc01757b968573b6da5d0fdfb7653f798b57e226f7f4d3

        SHA512

        a1bf2d0bbe374a68ade5072eb8c2dfe560c65dba0c67ca305f7dc5021a9e2c367a2ebcac03787011804efe95790dce1cc0a537ed1edcaf7224ac2a78f179a252

        Download Submit

      • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        Filesize

        2.5MB

        MD5

        24ce711ea3798396150d70df3184fdbb

        SHA1

        d339a73736b7dd931419b56898aeb8cb373cc1e8

        SHA256

        ab7f8227177f84c781322b23009f32e372a53ba826a9a96b36a1ee0145b4e0ae

        SHA512

        8a5ccacc7465f7a38f149d2ee3968ecd04b8927711a4aee134803748669fba4afef6fa21615bc48c02031394b89460932ba2a642b9a7fc2d3372b2386868fdbd

        Download Submit

      • memory/1372-27-0x0000000000400000-0x00000000004CA000-memory.dmp

        Filesize

        808KB

        Download

      • memory/1372-23-0x0000000000400000-0x00000000004CA000-memory.dmp

        Filesize

        808KB

        Download

      • memory/1372-57-0x0000000000400000-0x00000000004CA000-memory.dmp

        Filesize

        808KB

        Download

      • memory/1372-22-0x0000000000400000-0x00000000004CA000-memory.dmp

        Filesize

        808KB

        Download

      • memory/1372-20-0x0000000000400000-0x00000000004CA000-memory.dmp

        Filesize

        808KB

        Download

      • memory/1568-0-0x0000000000400000-0x00000000007F7000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/1568-28-0x0000000000400000-0x00000000007F7000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/2300-25-0x0000000002690000-0x00000000027D2000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2300-17-0x0000000002690000-0x00000000027D2000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2300-10-0x0000000002690000-0x00000000027D2000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2300-15-0x0000000000400000-0x00000000007F7000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/2300-16-0x0000000000400000-0x00000000007F7000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/2300-4-0x0000000002690000-0x00000000027D2000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2300-14-0x0000000000400000-0x00000000007F7000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/2300-3-0x0000000000400000-0x00000000007F7000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/2420-33-0x0000000000C40000-0x0000000000C41000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3448-80-0x0000000000F60000-0x0000000000F61000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4168-63-0x0000000000400000-0x00000000007F7000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/4168-61-0x0000000000400000-0x00000000007F7000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/4168-48-0x0000000002810000-0x0000000002952000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/4168-64-0x0000000000400000-0x00000000007F7000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/4168-65-0x0000000002810000-0x0000000002952000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/4168-54-0x0000000002810000-0x0000000002952000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/4168-75-0x0000000002810000-0x0000000002952000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/4516-76-0x0000000000400000-0x00000000007F7000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/4516-45-0x0000000000400000-0x00000000007F7000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/4960-73-0x0000000000400000-0x00000000004CA000-memory.dmp

        Filesize

        808KB

        Download

      • memory/4960-87-0x0000000000400000-0x00000000004CA000-memory.dmp

        Filesize

        808KB

        Download

      • memory/4960-82-0x0000000000400000-0x00000000004CA000-memory.dmp

        Filesize

        808KB

        Download

      • memory/4960-81-0x0000000000400000-0x00000000004CA000-memory.dmp

        Filesize

        808KB

        Download

      • memory/4960-71-0x0000000000400000-0x00000000004CA000-memory.dmp

        Filesize

        808KB

        Download

      • memory/4960-79-0x0000000000400000-0x00000000004CA000-memory.dmp

        Filesize

        808KB

        Download

      • memory/4960-84-0x0000000000400000-0x00000000004CA000-memory.dmp

        Filesize

        808KB

        Download

      • memory/4960-85-0x0000000000400000-0x00000000004CA000-memory.dmp

        Filesize

        808KB

        Download

      • memory/4960-86-0x0000000000400000-0x00000000004CA000-memory.dmp

        Filesize

        808KB

        Download

      • memory/4960-78-0x0000000000400000-0x00000000004CA000-memory.dmp

        Filesize

        808KB

        Download

      • memory/4960-88-0x0000000000400000-0x00000000004CA000-memory.dmp

        Filesize

        808KB

        Download

      • memory/4960-89-0x0000000000400000-0x00000000004CA000-memory.dmp

        Filesize

        808KB

        Download

      • memory/4960-90-0x0000000000400000-0x00000000004CA000-memory.dmp

        Filesize

        808KB

        Download

      • memory/4960-91-0x0000000000400000-0x00000000004CA000-memory.dmp

        Filesize

        808KB

        Download

      • memory/4960-92-0x0000000000400000-0x00000000004CA000-memory.dmp

        Filesize

        808KB

        Download

      • memory/4960-93-0x0000000000400000-0x00000000004CA000-memory.dmp

        Filesize

        808KB

        Download

      • memory/4960-94-0x0000000000400000-0x00000000004CA000-memory.dmp

        Filesize

        808KB

        Download

      • memory/4960-95-0x0000000000400000-0x00000000004CA000-memory.dmp

        Filesize

        808KB

        Download

      • memory/4960-96-0x0000000000400000-0x00000000004CA000-memory.dmp

        Filesize

        808KB

        Download