Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/10/2024, 00:44

General

  • Target

    27edad5f65699a4902be0c87d9689b7a_JaffaCakes118.exe

  • Size

    1.4MB

  • MD5

    27edad5f65699a4902be0c87d9689b7a

  • SHA1

    555ae912f29ed80c8eb5982870b4402399958e17

  • SHA256

    17034b1b9625e8e930663cabfa157c7d97832af640ffaa930314f771c9717800

  • SHA512

    99ad5b5d076f545cfbd19da4a13b50f3be1c88dbffbdbddb19fd3bad6114c22d4ae4762d5c6dc37c016cf53a92000196df8ac969e51f331c0afa0daaf8965cf1

  • SSDEEP

    24576:qVfyKxj79glUacpyK/2jHFF3D9glUacpyK/2jHFF3:By9k1jlFz9k1jlF

Malware Config

Extracted

Family

darkcomet

Botnet

camfrog

C2

zerbino85.no-ip.org:1604

Mutex

DC_MUTEX-0E72WNG

Attributes
  • InstallPath

    APP#\explorer.exe

  • gencode

    dRT83mxwn6wq

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    processo di sistema

Extracted

Family

darkcomet

Botnet

trojan

C2

glauco69.no-ip.org:1604

Mutex

DC_MUTEX-STJ5WZY

Attributes
  • InstallPath

    APP#\servizi.exe

  • gencode

    u1U8EM1x7LCM

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies firewall policy service 3 TTPs 12 IoCs
  • Modifies security service 2 TTPs 4 IoCs
  • Windows security bypass 2 TTPs 4 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Sets file to hidden 1 TTPs 4 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Views/modifies file attributes 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\27edad5f65699a4902be0c87d9689b7a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\27edad5f65699a4902be0c87d9689b7a_JaffaCakes118.exe"
    1⤵
    • Drops file in Drivers directory
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4900
    • C:\Users\Admin\AppData\Local\Temp\base camfrog.exe
      "C:\Users\Admin\AppData\Local\Temp\base camfrog.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Drops file in Drivers directory
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2864
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\base camfrog.exe" +s +h
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5040
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp\base camfrog.exe" +s +h
          4⤵
          • Sets file to hidden
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:4648
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4656
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          4⤵
          • Sets file to hidden
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:3832
      • C:\Users\Admin\AppData\Local\Temp\ESSENZIALE.EXE.SCR
        "C:\Users\Admin\AppData\Local\Temp\ESSENZIALE.EXE.SCR" /S
        3⤵
        • Modifies WinLogon for persistence
        • Drops file in Drivers directory
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5108
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\ESSENZIALE.EXE.SCR" +s +h
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4720
          • C:\Windows\SysWOW64\attrib.exe
            attrib "C:\Users\Admin\AppData\Local\Temp\ESSENZIALE.EXE.SCR" +s +h
            5⤵
            • Sets file to hidden
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:2204
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4416
          • C:\Windows\SysWOW64\attrib.exe
            attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
            5⤵
            • Sets file to hidden
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:1540
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Local\Temp\ESSENZIALE.EXE.SCR"
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Suspicious use of WriteProcessMemory
          PID:4856
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1 -n 4
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:3244
        • C:\Users\Admin\AppData\Roaming\APP#\explorer.exe
          "C:\Users\Admin\AppData\Roaming\APP#\explorer.exe"
          4⤵
          • Modifies firewall policy service
          • Modifies security service
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2980
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies firewall policy service
            • Modifies security service
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            PID:3488
      • C:\Users\Admin\AppData\Roaming\APP#\servizi.exe
        "C:\Users\Admin\AppData\Roaming\APP#\servizi.exe"
        3⤵
        • Modifies firewall policy service
        • Modifies security service
        • Windows security bypass
        • Executes dropped EXE
        • Windows security modification
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:940
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies firewall policy service
          • Modifies security service
          • Windows security bypass
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          PID:64

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ESSENZIALE.EXE.SCR

    Filesize

    650KB

    MD5

    6910fcebe9eb59beaa67d09856b19c54

    SHA1

    9d4aafb6bcb66a4e4a8200763e0e16d4c535f396

    SHA256

    141089703954f799db1280ff687144385f74786c5ee8dc3a8639d9c961affcd5

    SHA512

    f29ce1dfcb21c379bc2d1edb77aa44e667b34b53470006915381b84ab7593adc2737d425fe4cf44d1b641a8f9081f29f75ec7638a3dfa6d456b5371fc6470c21

  • C:\Users\Admin\AppData\Local\Temp\base camfrog.exe

    Filesize

    1.3MB

    MD5

    f4e2ebbf66df5a453ec8fb6518df0afa

    SHA1

    26ffe9fd7baf0d90bf28200edb5eef3dfd9f57e5

    SHA256

    3b14bd29d3256fe9156dcf8d656c05ecfca0ffe89695f61d478969e21b2c2fc7

    SHA512

    d42ca6ea70ffdbefad9c97172d70e775ab8bea5118c675ba7faf03a78e242f9e1c72a3e3a4e748e01ba42362eb8e004a315d194471b1b75b4dc66adb22526048

  • C:\Windows\system32\drivers\etc\hosts

    Filesize

    30B

    MD5

    dbea2222c7f5ce4d4a24dadb5fdeda82

    SHA1

    fe2b8d59b373fd84e607f2758b7c91ca130ea728

    SHA256

    5f27e58fea1640fe89561534385f4ecab6862222498befa85ed04823bbb67945

    SHA512

    5f4823866c1620602e9b37e24c9d0d0017dcc1b61b80dc20b5cd98b0a691f2ce326e5f46dda3b48deda608d6f55e1ad1fc1c3a0e13542adaa66772636315ef5b

  • C:\Windows\system32\drivers\etc\hosts

    Filesize

    31B

    MD5

    216e7e8403372ec2855d7a0527bf32cb

    SHA1

    2d798d52f116948493b6524b1784ae6da799b8de

    SHA256

    7ec0c11c5ea6214847bf5b3bd8898e5f42855250207efebe1ec1547350b50633

    SHA512

    1ce682869972a7d476f555ccc4e998e3e22da96df958d67075c684948cea3a609d9cf2c8b6093b28c2b339942462c38d6035cdb19debdf90ff5e3ad733e02413

  • memory/64-105-0x0000000000400000-0x0000000000552000-memory.dmp

    Filesize

    1.3MB

  • memory/940-106-0x0000000000400000-0x0000000000552000-memory.dmp

    Filesize

    1.3MB

  • memory/2864-18-0x00000000008B0000-0x00000000008B1000-memory.dmp

    Filesize

    4KB

  • memory/2864-104-0x0000000000400000-0x0000000000552000-memory.dmp

    Filesize

    1.3MB

  • memory/2980-45-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

  • memory/3488-44-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

  • memory/4900-2-0x0000000074850000-0x0000000074E01000-memory.dmp

    Filesize

    5.7MB

  • memory/4900-17-0x0000000074850000-0x0000000074E01000-memory.dmp

    Filesize

    5.7MB

  • memory/4900-0-0x0000000074852000-0x0000000074853000-memory.dmp

    Filesize

    4KB

  • memory/4900-1-0x0000000074850000-0x0000000074E01000-memory.dmp

    Filesize

    5.7MB

  • memory/5108-43-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB