Overview

overview

10

Static

static

3

8ecb605306...18.exe

windows7-x64

10

8ecb605306...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-11-2024 02:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8ecb60530662248b182dcf49bd700911_JaffaCakes118.exe

  • Size

    864KB

  • MD5

    8ecb60530662248b182dcf49bd700911

  • SHA1

    eb02fea24cbacd512f386cfb88c0539bfd1531ef

  • SHA256

    796f9fce957141ba80aadad317bccbf5d7da642b27dd42987acb7494bf440cea

  • SHA512

    779fd482f31e9d7e644e3996d06863193018c84db8eea7c508ecad792da99c6fb3af051a36472b90328f7d488b23a3700380c4bc97bde5a131bd0446964e7ba1

  • SSDEEP

    12288:ZEfboEly+DFuxs11IGz7n7LfY8Q2QieSdVcsqrFal9SjWO5PZUJBIZN63sEjaxs:ZEf0ElyUIGz7n7DQ2T1k3yc2bqrbG

Score
10/10
darkcometdiscoveryevasionpersistencerattrojanupx

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Darkcomet family
    darkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies firewall policy service 3 TTPs 3 IoCs
    evasion
  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • NSIS installer 2 IoCs
    installer
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8ecb60530662248b182dcf49bd700911_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8ecb60530662248b182dcf49bd700911_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1168
    • C:\Users\Admin\AppData\Local\Temp\svrdarkcry.exe
      "C:\Users\Admin\AppData\Local\Temp\svrdarkcry.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1560
      • C:\Users\Admin\AppData\Local\Temp\svrdarkcry.exe
        "C:\Users\Admin\AppData\Local\Temp\svrdarkcry.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1220
        • C:\Windows\SysWOW64\notepad.exe
          notepad
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:4860
        • C:\Windows\SysWOW64\explorer.exe
          "C:\Windows\SysWOW64\explorer.exe"
          4⤵
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4608
          • C:\Windows\SysWOW64\explorer.exe
            "C:\Windows\SysWOW64\explorer.exe"
            5⤵
            • Modifies firewall policy service
            • Modifies security service
            • Windows security bypass
            • Disables RegEdit via registry modification
            • Checks BIOS information in registry
            • System Location Discovery: System Language Discovery
            • Checks processor information in registry
            • Enumerates system info in registry
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1996
            • C:\Windows\SysWOW64\notepad.exe
              C:\Windows\SysWOW64\notepad.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:100
    • C:\Users\Admin\AppData\Local\Temp\ESET Antivirus License Finder (MiNODLogin) 3.7.0.2.exe
      "C:\Users\Admin\AppData\Local\Temp\ESET Antivirus License Finder (MiNODLogin) 3.7.0.2.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Defense Evasion

Impair Defenses

2
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

1
T1562.001

Modify Registry

5
T1112

Credential Access

Discovery

Query Registry

4
T1012

System Information Discovery

5
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ESET Antivirus License Finder (MiNODLogin) 3.7.0.2.exe
    Filesize

    367KB

    MD5

    0e482bb1dfe28586f703702218632f3b

    SHA1

    e1b48c6f997d8d99bdbf7ce7594699d193591b01

    SHA256

    48f0de4307055588aa258e8734c1fa7bb4d88c55cd45fa8f51fa683b2b1d9d70

    SHA512

    822f35eae716660cfb0c7b70f795a8ad6f00775327b6bf533f0b6b87babb4c588505604a5a5929d0cc0bcb1e19f70dfd215324da11e8b4573901e4541ab30ad5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsyB5E3.tmp\LangDLL.dll
    Filesize

    5KB

    MD5

    1775e8fe7832f0351d4024ba3478c58d

    SHA1

    3a2aafd8275f384332f6d08224d927040ce37cb4

    SHA256

    a2a159540c738c7bc4d6ce8dd203bf859078409c0021a2a60f4b0faa5352d375

    SHA512

    362cda0e1f50a8fecde1611863b1c6218962e3ec198ce3641ce50910d400ac647cdc3742888140fd6817ce6b30d83865aa0c72292bb80b1ae86cab419e0fb2b7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsyB5E3.tmp\System.dll
    Filesize

    11KB

    MD5

    c6f5b9596db45ce43f14b64e0fbcf552

    SHA1

    665a2207a643726602dc3e845e39435868dddabc

    SHA256

    4b6da3f2bdb6c452fb493b98f6b7aa1171787dbd3fa2df2b3b22ccaeac88ffa0

    SHA512

    8faa0204f9ed2721acede285be843b5a2d7f9986841bcf3816ebc8900910afb590816c64aebd2dd845686daf825bbf9970cb4a08b20a785c7e54542eddc5b09a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsyB5E3.tmp\nsDialogs.dll
    Filesize

    9KB

    MD5

    f2c993a0c726386d72e4640967cef83e

    SHA1

    efe88db252b5e9edff2d859e783fcf1a349e553f

    SHA256

    6739a2c8075cc383620a867e983957de0b4ae9ef0453baadd1469132893d7301

    SHA512

    3873a87ba360702c72a6d3e853a0b6f2df219593cf5436d12a9d4d169029e939993c45330212008b628184da64ae98d6a7ab42b30d5f82c896acfc89d558169f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\svrdarkcry.exe
    Filesize

    265KB

    MD5

    0e7a768676c5c1859ed10fdf4bf49f9d

    SHA1

    3bb1c7c5ac6669de6758394600c0e74d51a19309

    SHA256

    b57c41012033403c405958d9b7d838b3e74c12ddf5768196f827830522889a0f

    SHA512

    0aa60441731a0405022c5c9c5de2f14f6254a8eb76f10ab7ae8e57d8e64df62470624f178e03dd672cbf7eb27ad7b0a5207676787e0d3fc477197bf844f71b5d

    Download Submit

  • memory/100-46-0x0000000001040000-0x0000000001041000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1168-0-0x00007FF986685000-0x00007FF986686000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1168-1-0x000000001B3E0000-0x000000001B486000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1168-2-0x00007FF9863D0000-0x00007FF986D71000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1168-4-0x00007FF9863D0000-0x00007FF986D71000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1168-27-0x00007FF9863D0000-0x00007FF986D71000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1220-35-0x0000000013140000-0x00000000131FD000-memory.dmp

    Filesize

    756KB

    Download

  • memory/1220-36-0x0000000013140000-0x00000000131FD000-memory.dmp

    Filesize

    756KB

    Download

  • memory/1220-24-0x0000000013140000-0x00000000131FD000-memory.dmp

    Filesize

    756KB

    Download

  • memory/1220-28-0x0000000013140000-0x00000000131FD000-memory.dmp

    Filesize

    756KB

    Download

  • memory/1220-26-0x0000000013140000-0x00000000131FD000-memory.dmp

    Filesize

    756KB

    Download

  • memory/1220-42-0x0000000013140000-0x00000000131FD000-memory.dmp

    Filesize

    756KB

    Download

  • memory/1560-29-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/1996-48-0x0000000013140000-0x00000000131FD000-memory.dmp

    Filesize

    756KB

    Download

  • memory/1996-45-0x0000000013140000-0x00000000131FD000-memory.dmp

    Filesize

    756KB

    Download

  • memory/1996-49-0x0000000013140000-0x00000000131FD000-memory.dmp

    Filesize

    756KB

    Download

  • memory/1996-44-0x0000000013140000-0x00000000131FD000-memory.dmp

    Filesize

    756KB

    Download

  • memory/1996-47-0x0000000013140000-0x00000000131FD000-memory.dmp

    Filesize

    756KB

    Download

  • memory/4608-41-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/4608-40-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/4860-38-0x0000000000250000-0x0000000000251000-memory.dmp

    Filesize

    4KB

    Download