Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
18-10-2024 18:14
General
-
Target
58d950929edcfc0a3f1def7620d62fd0_JaffaCakes118.exe
-
Size
676KB
-
MD5
58d950929edcfc0a3f1def7620d62fd0
-
SHA1
d062ad6abfc4bf4e5491b70b1200ca2ff7922904
-
SHA256
f695eb089d4a33afab87887b5779fe39c48e13594c6b3d76e01393eb36da886c
-
SHA512
cf23ac522ef46f3f42be5e79d36e4c189bee8a1d282fdccec12ffb97e7200fcce4f161b17030c8ea5c90d99be7926732b25f4ab25886f8a3e6466021cfec5fb4
-
SSDEEP
12288:2QMuiMQn3i8BpVCFeKq9Ipo90lbKSpuQO2tW05l6qK8sWg4gPp73:wrBpMMKGIpu/jJ2EYl6qdgjd
Malware Config
Extracted
darkcomet
Guest16
79.172.26.136:1604
DC_MUTEX-HN17VDB
-
InstallPath
System32\Drivers.exe
-
gencode
T3NMNGnXGHkl
-
install
true
-
offline_keylogger
true
-
persistence
false
-
reg_key
MicroUpdate
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies firewall policy service 3 TTPs 3 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 2 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Disables Task Manager via registry modification
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 5 IoCs
-
Executes dropped EXE 4 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 46 IoCs
-
System policy modification 1 TTPs 3 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\58d950929edcfc0a3f1def7620d62fd0_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\58d950929edcfc0a3f1def7620d62fd0_JaffaCakes118.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AdlingV4.6.exe"C:\Users\Admin\AppData\Local\Temp\AdlingV4.6.exe"2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\AdlingV4.6.exe" +s +h3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\AdlingV4.6.exe" +s +h4⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h4⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\ProgramData\Microsoft\Windows\Start Menu\System32\Drivers.exe"C:\ProgramData\Microsoft\Windows\Start Menu\System32\Drivers.exe"3⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\notepad.exenotepad4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\result.exe"C:\Users\Admin\AppData\Local\Temp\result.exe"2⤵
- Checks BIOS information in registry
- Drops startup file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\result.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\result.exe"3⤵
- Checks BIOS information in registry
- Drops startup file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
3Disable or Modify System Firewall
1Disable or Modify Tools
2Modify Registry
7Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
783KB
MD5b8a17bdc154014be41d991204ada6d1d
SHA19853a2addc170008fccaa6ab7f38583058be3d84
SHA25619477ea50733372be7440943b99e0e70c6235e0d8febffd68c37a167d6febf22
SHA5129831a3b0b7afc44b131bd35c0e0162e07f706f0f0e8c0a6b1355f82817a3d5c829cf6fa313c2fccbedbc7c5ee0a16fd1c112814c4c0b51470cd003d124ca4c60
-
Filesize
35KB
MD577172f5ce035f0f19f20153fc87fc763
SHA1fc33e0896c8837208b82f0671a2ec20442db17b1
SHA2566e37286d49bd98a5b77a2c52940bb4df50de4debc9dc40fadc1d55a92cb476f8
SHA5125f5f76267047978259458ab323d5bfc124738437e2b3bee224f5d5689d4685305f31015ea2a5f25f779db90bd9ff394d7c11f611b86779de5260c977e0ad172f
-
Filesize
1KB
MD5187063cf91317fb7f49efc7e6e5861f4
SHA17e4c560b4a7bb8f9d59e6245c718ff3609f369b8
SHA2564fe83e94be8f7acb8788618be34233283a566dc75a00dafd64fdae8fb615eb4a
SHA512a8048d8dbb3145d070a7a493c6c2a39b612043b0399c5adaae6d4be9cf84f8627a3953ea754f19566c2b824bb4b53b67ba30fd0c04b369b5eff18c7bf02022e9
-
Filesize
836KB
-
Filesize
4KB
-
Filesize
836KB
-
Filesize
836KB
-
Filesize
372KB
-
Filesize
372KB
-
Filesize
372KB
-
Filesize
372KB
-
Filesize
372KB
-
Filesize
4KB