Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/10/2024, 00:44

General

  • Target

    27edad5f65699a4902be0c87d9689b7a_JaffaCakes118.exe

  • Size

    1.4MB

  • MD5

    27edad5f65699a4902be0c87d9689b7a

  • SHA1

    555ae912f29ed80c8eb5982870b4402399958e17

  • SHA256

    17034b1b9625e8e930663cabfa157c7d97832af640ffaa930314f771c9717800

  • SHA512

    99ad5b5d076f545cfbd19da4a13b50f3be1c88dbffbdbddb19fd3bad6114c22d4ae4762d5c6dc37c016cf53a92000196df8ac969e51f331c0afa0daaf8965cf1

  • SSDEEP

    24576:qVfyKxj79glUacpyK/2jHFF3D9glUacpyK/2jHFF3:By9k1jlFz9k1jlF

Malware Config

Extracted

Family

darkcomet

Botnet

trojan

C2

glauco69.no-ip.org:1604

Mutex

DC_MUTEX-STJ5WZY

Attributes
  • InstallPath

    APP#\servizi.exe

  • gencode

    u1U8EM1x7LCM

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Extracted

Family

darkcomet

Botnet

camfrog

C2

zerbino85.no-ip.org:1604

Mutex

DC_MUTEX-0E72WNG

Attributes
  • InstallPath

    APP#\explorer.exe

  • gencode

    dRT83mxwn6wq

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    processo di sistema

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies firewall policy service 3 TTPs 9 IoCs
  • Modifies security service 2 TTPs 3 IoCs
  • Windows security bypass 2 TTPs 2 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Sets file to hidden 1 TTPs 4 IoCs

    Modifies file attributes so the file is not shown in Explorer and similar tools.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Views/modifies file attributes 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\27edad5f65699a4902be0c87d9689b7a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\27edad5f65699a4902be0c87d9689b7a_JaffaCakes118.exe"
    1⤵
    • Drops file in Drivers directory
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1804
    • C:\Users\Admin\AppData\Local\Temp\base camfrog.exe
      "C:\Users\Admin\AppData\Local\Temp\base camfrog.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2732
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\base camfrog.exe" +s +h
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2716
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp\base camfrog.exe" +s +h
          4⤵
          • Sets file to hidden
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2644
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2632
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          4⤵
          • Sets file to hidden
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2608
      • C:\Users\Admin\AppData\Local\Temp\ESSENZIALE.EXE.SCR
        "C:\Users\Admin\AppData\Local\Temp\ESSENZIALE.EXE.SCR" /S
        3⤵
        • Modifies WinLogon for persistence
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2652
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\ESSENZIALE.EXE.SCR" +s +h
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1876
          • C:\Windows\SysWOW64\attrib.exe
            attrib "C:\Users\Admin\AppData\Local\Temp\ESSENZIALE.EXE.SCR" +s +h
            5⤵
            • Sets file to hidden
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:1252
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1980
          • C:\Windows\SysWOW64\attrib.exe
            attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
            5⤵
            • Sets file to hidden
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:1272
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Local\Temp\ESSENZIALE.EXE.SCR"
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Suspicious use of WriteProcessMemory
          PID:1504
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1 -n 4
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:1496
        • C:\Users\Admin\AppData\Roaming\APP#\explorer.exe
          "C:\Users\Admin\AppData\Roaming\APP#\explorer.exe"
          4⤵
          • Modifies firewall policy service
          • Modifies security service
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3068
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies firewall policy service
            • Modifies security service
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            PID:1532
      • C:\Users\Admin\AppData\Roaming\APP#\servizi.exe
        "C:\Users\Admin\AppData\Roaming\APP#\servizi.exe"
        3⤵
        • Modifies firewall policy service
        • Modifies security service
        • Windows security bypass
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:376
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          4⤵
          PID:2892
        • C:\Windows\explorer.exe
          "C:\Windows\explorer.exe"
          4⤵
          PID:2916

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\base camfrog.exe
    Filesize: 1.3MB
    MD5: f4e2ebbf66df5a453ec8fb6518df0afa
    SHA1: 26ffe9fd7baf0d90bf28200edb5eef3dfd9f57e5
    SHA256: 3b14bd29d3256fe9156dcf8d656c05ecfca0ffe89695f61d478969e21b2c2fc7
    SHA512: d42ca6ea70ffdbefad9c97172d70e775ab8bea5118c675ba7faf03a78e242f9e1c72a3e3a4e748e01ba42362eb8e004a315d194471b1b75b4dc66adb22526048

  • C:\Windows\system32\drivers\etc\hosts
    Filesize: 30B
    MD5: dbea2222c7f5ce4d4a24dadb5fdeda82
    SHA1: fe2b8d59b373fd84e607f2758b7c91ca130ea728
    SHA256: 5f27e58fea1640fe89561534385f4ecab6862222498befa85ed04823bbb67945
    SHA512: 5f4823866c1620602e9b37e24c9d0d0017dcc1b61b80dc20b5cd98b0a691f2ce326e5f46dda3b48deda608d6f55e1ad1fc1c3a0e13542adaa66772636315ef5b

  • C:\Windows\system32\drivers\etc\hosts
    Filesize: 31B
    MD5: 216e7e8403372ec2855d7a0527bf32cb
    SHA1: 2d798d52f116948493b6524b1784ae6da799b8de
    SHA256: 7ec0c11c5ea6214847bf5b3bd8898e5f42855250207efebe1ec1547350b50633
    SHA512: 1ce682869972a7d476f555ccc4e998e3e22da96df958d67075c684948cea3a609d9cf2c8b6093b28c2b339942462c38d6035cdb19debdf90ff5e3ad733e02413

  • \Users\Admin\AppData\Local\Temp\ESSENZIALE.EXE.SCR
    Filesize: 650KB
    MD5: 6910fcebe9eb59beaa67d09856b19c54
    SHA1: 9d4aafb6bcb66a4e4a8200763e0e16d4c535f396
    SHA256: 141089703954f799db1280ff687144385f74786c5ee8dc3a8639d9c961affcd5
    SHA512: f29ce1dfcb21c379bc2d1edb77aa44e667b34b53470006915381b84ab7593adc2737d425fe4cf44d1b641a8f9081f29f75ec7638a3dfa6d456b5371fc6470c21

  • memory/376-63-0x0000000000400000-0x0000000000552000-memory.dmp
    Filesize: 1.3MB
  • memory/376-65-0x0000000000400000-0x0000000000552000-memory.dmp
    Filesize: 1.3MB
  • memory/376-71-0x0000000000400000-0x0000000000552000-memory.dmp
    Filesize: 1.3MB
  • memory/376-70-0x0000000000400000-0x0000000000552000-memory.dmp
    Filesize: 1.3MB
  • memory/376-69-0x0000000000400000-0x0000000000552000-memory.dmp
    Filesize: 1.3MB
  • memory/376-68-0x0000000000400000-0x0000000000552000-memory.dmp
    Filesize: 1.3MB
  • memory/376-67-0x0000000000400000-0x0000000000552000-memory.dmp
    Filesize: 1.3MB
  • memory/376-66-0x0000000000400000-0x0000000000552000-memory.dmp
    Filesize: 1.3MB
  • memory/376-64-0x0000000000400000-0x0000000000552000-memory.dmp
    Filesize: 1.3MB
  • memory/376-58-0x0000000000400000-0x0000000000552000-memory.dmp
    Filesize: 1.3MB
  • memory/376-59-0x0000000000400000-0x0000000000552000-memory.dmp
    Filesize: 1.3MB
  • memory/376-60-0x0000000000400000-0x0000000000552000-memory.dmp
    Filesize: 1.3MB
  • memory/376-61-0x0000000000400000-0x0000000000552000-memory.dmp
    Filesize: 1.3MB
  • memory/376-62-0x0000000000400000-0x0000000000552000-memory.dmp
    Filesize: 1.3MB
  • memory/1532-46-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize: 704KB
  • memory/1804-0-0x0000000074D61000-0x0000000074D62000-memory.dmp
    Filesize: 4KB
  • memory/1804-1-0x0000000074D60000-0x000000007530B000-memory.dmp
    Filesize: 5.7MB
  • memory/1804-2-0x0000000074D60000-0x000000007530B000-memory.dmp
    Filesize: 5.7MB
  • memory/1804-14-0x0000000074D60000-0x000000007530B000-memory.dmp
    Filesize: 5.7MB
  • memory/2652-44-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize: 704KB
  • memory/2732-57-0x0000000000400000-0x0000000000552000-memory.dmp
    Filesize: 1.3MB
  • memory/2732-15-0x0000000000350000-0x0000000000351000-memory.dmp
    Filesize: 4KB
  • memory/3068-47-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize: 704KB