Overview

overview

10

Static

static

5

8f62b86a64...18.exe

windows7-x64

10

8f62b86a64...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    04-11-2024 05:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8f62b86a64556d62d3192bf4a1ad6660_JaffaCakes118.exe

  • Size

    1.0MB

  • MD5

    8f62b86a64556d62d3192bf4a1ad6660

  • SHA1

    768b87bc641a42119f050c19a94493c908b310a7

  • SHA256

    408b365717114ce6b406c8b1dfc8dbb49679a2c37758da2a399f2628346a8943

  • SHA512

    131afb3f106e235649afec855e502212c255484b1b182493ae717300f65aec9f0c62ea5cc457cef6a616fac60ac8b0eb37403dc36aac95e8afc2b59796c11996

  • SSDEEP

    24576:nFE//Tct4bOsyczmyM8rn8Hry+dFG3K0bbQolC:FSVyczo

Score
10/10
darkcometguestdiscoveryevasionpersistencerattrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest

C2

larohabi.no-ip.org:1604

larohabi.no-ip.org:8080

larohabi.no-ip.org:100

127.0.0.1:

127.0.0.1:8080

larohabi.no-ip.org:1337
Mutex

DC_MUTEX-2LPNA5H

Attributes
  • InstallPath

    IE Explorer\ieexp.exe

  • gencode

    ikLmMzDk59K0

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    Windows Updater

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Darkcomet family
    darkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Drops file in Drivers directory 4 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable 5 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • UPX packed file 23 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Gathers network information 2 TTPs 8 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\8f62b86a64556d62d3192bf4a1ad6660_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8f62b86a64556d62d3192bf4a1ad6660_JaffaCakes118.exe"
    1⤵
    • Drops file in Drivers directory
    • Loads dropped DLL
    • Adds Run key to start application
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2868
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C ipconfig /flushdns
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2936
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig /flushdns
        3⤵
        • System Location Discovery: System Language Discovery
        • Gathers network information
        PID:2808
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C ipconfig /flushdns
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2684
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig /flushdns
        3⤵
        • System Location Discovery: System Language Discovery
        • Gathers network information
        PID:2956
    • C:\Users\Admin\AppData\Roaming\svzhost.exe
      C:\Users\Admin\AppData\Roaming\svzhost.exe
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Enumerates connected drives
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2852
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /C ipconfig /flushdns
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2688
        • C:\Windows\SysWOW64\ipconfig.exe
          ipconfig /flushdns
          4⤵
          • System Location Discovery: System Language Discovery
          • Gathers network information
          PID:2736
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /C ipconfig /flushdns
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2528
        • C:\Windows\SysWOW64\ipconfig.exe
          ipconfig /flushdns
          4⤵
          • System Location Discovery: System Language Discovery
          • Gathers network information
          PID:2388
      • C:\Users\Admin\AppData\Roaming\svzhost.exe
        "C:\Users\Admin\AppData\Roaming\svzhost.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:316
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\svzhost.exe" +s +h
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2900
          • C:\Windows\SysWOW64\attrib.exe
            attrib "C:\Users\Admin\AppData\Roaming\svzhost.exe" +s +h
            5⤵
            • Sets file to hidden
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:2764
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming" +s +h
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2548
          • C:\Windows\SysWOW64\attrib.exe
            attrib "C:\Users\Admin\AppData\Roaming" +s +h
            5⤵
            • Sets file to hidden
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:3048
        • C:\Windows\SysWOW64\notepad.exe
          notepad
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1732
        • C:\Windows\SysWOW64\IE Explorer\ieexp.exe
          "C:\Windows\system32\IE Explorer\ieexp.exe"
          4⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          • Adds Run key to start application
          • Enumerates connected drives
          • System Location Discovery: System Language Discovery
          PID:3008
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /C ipconfig /flushdns
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2544
            • C:\Windows\SysWOW64\ipconfig.exe
              ipconfig /flushdns
              6⤵
              • System Location Discovery: System Language Discovery
              • Gathers network information
              PID:2556
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /C ipconfig /flushdns
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2508
            • C:\Windows\SysWOW64\ipconfig.exe
              ipconfig /flushdns
              6⤵
              • System Location Discovery: System Language Discovery
              • Gathers network information
              PID:1968
          • C:\Users\Admin\AppData\Roaming\svzhost.exe
            C:\Users\Admin\AppData\Roaming\svzhost.exe
            5⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Enumerates connected drives
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:3052
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /C ipconfig /flushdns
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1424
              • C:\Windows\SysWOW64\ipconfig.exe
                ipconfig /flushdns
                7⤵
                • System Location Discovery: System Language Discovery
                • Gathers network information
                PID:1576
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /C ipconfig /flushdns
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2056
              • C:\Windows\SysWOW64\ipconfig.exe
                ipconfig /flushdns
                7⤵
                • System Location Discovery: System Language Discovery
                • Gathers network information
                PID:2196
            • C:\Users\Admin\AppData\Roaming\svzhost.exe
              "C:\Users\Admin\AppData\Roaming\svzhost.exe"
              6⤵
              • Disables RegEdit via registry modification
              • Executes dropped EXE
              • Adds Run key to start application
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:2648
              • C:\Windows\SysWOW64\notepad.exe
                notepad
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2136
            • C:\Users\Admin\AppData\Roaming\svzhost.exe
              "C:\Users\Admin\AppData\Roaming\svzhost.exe"
              6⤵
              • Executes dropped EXE
              PID:1764
      • C:\Users\Admin\AppData\Roaming\svzhost.exe
        "C:\Users\Admin\AppData\Roaming\svzhost.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        PID:2620

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\svzhost.exe
    Filesize

    1.0MB

    MD5

    8f62b86a64556d62d3192bf4a1ad6660

    SHA1

    768b87bc641a42119f050c19a94493c908b310a7

    SHA256

    408b365717114ce6b406c8b1dfc8dbb49679a2c37758da2a399f2628346a8943

    SHA512

    131afb3f106e235649afec855e502212c255484b1b182493ae717300f65aec9f0c62ea5cc457cef6a616fac60ac8b0eb37403dc36aac95e8afc2b59796c11996

    Download Submit

  • C:\Windows\system32\drivers\etc\hosts
    Filesize

    1KB

    MD5

    fb09c2b8ebdf4c1d59f0416a3f390eb8

    SHA1

    1506cf5fe983b5648ff08f4151e8a97e1e1904ef

    SHA256

    7d018f8bcd2903fac71a2290576670471e0a842ed672292365d873af18fefd9d

    SHA512

    66ea785b5ce4a2ba74df5f4059a1fd2678a75292f150922697bdc9a5e116911b3e45a2803408524ceda2d5231181e292cc1b6c83dbe2d8fb6c59bcbf89668f66

    Download Submit

  • C:\Windows\system32\drivers\etc\hosts
    Filesize

    2KB

    MD5

    0691279ed7866d867d45f9b9e7415b8d

    SHA1

    fcc40f9c0de781b32ce9fbbe8c5c4ea26302c770

    SHA256

    4b8f3d2ceb8a4887d314c7675d8d6e14250feead67d59b1b1f1426858566941e

    SHA512

    cf8d2e0f1d1b5fb07f6f20ca72404df4d7ce322a873df342d90c76dc0ad10ba39074bcec294e99a7a8781ec8360d5872734664d86120638b77cf7757ff60d9f5

    Download Submit

  • C:\Windows\system32\drivers\etc\hosts
    Filesize

    2KB

    MD5

    13f3e6f44495c972a430163ba720498a

    SHA1

    1049b3d9ccbcebea525ea967753db649b3afc389

    SHA256

    c2533fd0e8e7ac11732c22907be05021c1596c6629bb463849953d49011126d5

    SHA512

    065107e8c935f065876f653988110110d1cde5768dc55f2c1b9936cf4ac50e6f240cb04d6c5a9ec4ff9b80fa79fdec13bdac57efb1e46cf6484807507fe9a59d

    Download Submit

  • memory/316-69-0x0000000000400000-0x00000000004C7000-memory.dmp

    Filesize

    796KB

    Download

  • memory/316-22-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/316-23-0x0000000000400000-0x00000000004C7000-memory.dmp

    Filesize

    796KB

    Download

  • memory/316-25-0x0000000000400000-0x00000000004C7000-memory.dmp

    Filesize

    796KB

    Download

  • memory/316-26-0x0000000000400000-0x00000000004C7000-memory.dmp

    Filesize

    796KB

    Download

  • memory/316-62-0x00000000044B0000-0x0000000004595000-memory.dmp

    Filesize

    916KB

    Download

  • memory/316-20-0x0000000000400000-0x00000000004C7000-memory.dmp

    Filesize

    796KB

    Download

  • memory/1732-57-0x0000000000150000-0x0000000000151000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1732-29-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1764-149-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/2620-157-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/2620-135-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/2648-84-0x0000000000400000-0x00000000004C7000-memory.dmp

    Filesize

    796KB

    Download

  • memory/2648-82-0x0000000000400000-0x00000000004C7000-memory.dmp

    Filesize

    796KB

    Download

  • memory/2648-83-0x0000000000400000-0x00000000004C7000-memory.dmp

    Filesize

    796KB

    Download

  • memory/2648-154-0x0000000000400000-0x00000000004C7000-memory.dmp

    Filesize

    796KB

    Download

  • memory/2648-85-0x0000000000400000-0x00000000004C7000-memory.dmp

    Filesize

    796KB

    Download

  • memory/2648-86-0x0000000000400000-0x00000000004C7000-memory.dmp

    Filesize

    796KB

    Download

  • memory/2852-140-0x0000000000400000-0x00000000004E5000-memory.dmp

    Filesize

    916KB

    Download

  • memory/2868-11-0x0000000004200000-0x00000000042E5000-memory.dmp

    Filesize

    916KB

    Download

  • memory/2868-129-0x0000000000400000-0x00000000004E5000-memory.dmp

    Filesize

    916KB

    Download

  • memory/2868-0-0x0000000000400000-0x00000000004E5000-memory.dmp

    Filesize

    916KB

    Download

  • memory/2868-81-0x0000000000400000-0x00000000004E5000-memory.dmp

    Filesize

    916KB

    Download

  • memory/3008-151-0x0000000000400000-0x00000000004E5000-memory.dmp

    Filesize

    916KB

    Download

  • memory/3008-64-0x0000000000400000-0x00000000004E5000-memory.dmp

    Filesize

    916KB

    Download

  • memory/3052-153-0x0000000000400000-0x00000000004E5000-memory.dmp

    Filesize

    916KB

    Download