Overview

overview

10

Static

static

10

7a3078d2b2...18.exe

windows7-x64

10

7a3078d2b2...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    28-10-2024 15:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7a3078d2b2dbbca4258107bf1f1d9b21_JaffaCakes118.exe

  • Size

    1.2MB

  • MD5

    7a3078d2b2dbbca4258107bf1f1d9b21

  • SHA1

    fcbf809ff0a4e4e0ce6feca34d99db7b60b5dd77

  • SHA256

    c41d7f11ce201a902754dcb8107da217d3f54e3bcd9fe3feb644c6e3aed7dc10

  • SHA512

    7c4622e39f8d602b01c379d08e9303c3a8ffe4745db83c90a1d80ba3b1c7a8b6ff0c9b60f0e9ea52e3c375e0cbb9ff4bc4b0c315e023429bf950c1ca766ba198

  • SSDEEP

    24576:GfXOr2Z1xuVVjfFoynPaVBUR8f+kN10EBjiI8Y:GftQDgok30KiI7

Score
10/10
darkcometguest16discoveryevasionrattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

tomhack.no-ip.org:1604

Mutex

DC_MUTEX-HKTU7US

Attributes
  • gencode

    3cu7rNKCPLaR

  • install

    false

  • offline_keylogger

    true

  • password

    letmein

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Darkcomet family
    darkcomet
  • Modifies firewall policy service 3 TTPs 3 IoCs
    evasion
  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\7a3078d2b2dbbca4258107bf1f1d9b21_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7a3078d2b2dbbca4258107bf1f1d9b21_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1864
    • C:\Users\Admin\AppData\Local\Temp\VIR.EXE
      "C:\Users\Admin\AppData\Local\Temp\VIR.EXE"
      2⤵
      • Modifies firewall policy service
      • Modifies security service
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1376
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\VIR.EXE" +s +h
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2656
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp\VIR.EXE" +s +h
          4⤵
          • Sets file to hidden
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2508
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2664
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          4⤵
          • Sets file to hidden
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2528
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        3⤵
          PID:2720
        • C:\Windows\explorer.exe
          "C:\Windows\explorer.exe"
          3⤵
            PID:2724
          • C:\Windows\SysWOW64\notepad.exe
            notepad
            3⤵
            • System Location Discovery: System Language Discovery
            PID:2772
      • C:\Windows\SysWOW64\DllHost.exe
        C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
        1⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        PID:1868

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\MOTHERBOARD.JPG
        Filesize

        57KB

        MD5

        9384f790ea90a704d1198080e411a807

        SHA1

        84b1d3db447ed46afd5fde34b706e7699b4c0751

        SHA256

        f6d7439cc3febfbee62350191bf2c40bf0dba06004d887fa94fe86deadaf926c

        SHA512

        feb461d66bcf1f03174f1f4163e77c0b4686e90d189b0d6f7fbdaf60c84c22c454ca65554759024d4ef57919e5d2b7c14b5b00722f30d2900a704b7c13785a15

        Download Submit

      • \Users\Admin\AppData\Local\Temp\VIR.EXE
        Filesize

        658KB

        MD5

        eac458d33cbfceb1eab67f8a1b7443c8

        SHA1

        cee408e330283f2c2c8039da252516632cc50e67

        SHA256

        d54d3152e946fb4392eb9d6e483709af7e218e08c1f7b385e2791676109c657b

        SHA512

        957e794e9ae313354dee273504acd646245eeacf31b41e556933e4116cfb10315a14efbd75a44a835f3e1b76834364caec74c4501996df1021fe2c626c7190ee

        Download Submit

      • memory/1376-62-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1376-56-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1376-68-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1376-67-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1376-66-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1376-65-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1376-54-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1376-63-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1376-57-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1376-58-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1376-59-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1376-60-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1376-61-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1376-64-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1864-1-0x0000000000250000-0x0000000000252000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1868-5-0x0000000000370000-0x0000000000371000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1868-55-0x0000000000370000-0x0000000000371000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1868-2-0x00000000001F0000-0x00000000001F2000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2772-14-0x00000000000C0000-0x00000000000C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2772-52-0x0000000000250000-0x0000000000251000-memory.dmp

        Filesize

        4KB

        Download