Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-11-2024 21:10

General

  • Target

    a42208c4a96c249f3d6fe39f43144f36_JaffaCakes118.exe

  • Size

    496KB

  • MD5

    a42208c4a96c249f3d6fe39f43144f36

  • SHA1

    ff90b696d74d75932e122c774a95fc4671a41d86

  • SHA256

    245500ee74fd9b8b021c38be617d72261d02a6d3fb8f9402fa0a10d5a1f41f93

  • SHA512

    ce1977713291c941b47a1435f55db11e18a882a2c452b1a57bc115db68206d13c7b67fd780ddd728fda20a8fa5b329218700ec6c09188f3e8b9d1e0471fa0869

  • SSDEEP

    12288:tFz2y90KU7E7B8aNHaqGQnZrCIn3dTTXV2hl:tt2yZU7E7SaXGQnZuInN/XVe

Malware Config

Extracted

Family

darkcomet

Botnet

Server-AX

C2

69.65.7.136:8808

Mutex

Fdgrh5uy5ynmnm

Attributes
  • gencode

    LE9RG3w4nFUG

  • install

    false

  • offline_keylogger

    true

  • password

    @closer1989

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Darkcomet family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a42208c4a96c249f3d6fe39f43144f36_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a42208c4a96c249f3d6fe39f43144f36_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4564
    • C:\Users\Admin\AppData\Local\Temp\a42208c4a96c249f3d6fe39f43144f36_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\a42208c4a96c249f3d6fe39f43144f36_JaffaCakes118.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4196
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PLLXU.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2808
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdate.exe" /t REG_SZ /d "C:\Program Files (x86)\Google\GoogleUpdate.exe" /f
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:4780
      • C:\Program Files (x86)\Google\GoogleUpdate.exe
        "C:\Program Files (x86)\Google\GoogleUpdate.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4104
        • C:\Program Files (x86)\Google\GoogleUpdate.exe
          "C:\Program Files (x86)\Google\GoogleUpdate.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1636
        • C:\Windows\SysWOW64\svchost.exe
          "C:\Windows\system32\svchost.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:3124

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Google\GoogleUpdate.exe

    Filesize

    496KB

    MD5

    ef68597d48f2f17ce6eabcabba615015

    SHA1

    9790c4762de36c8afa3c5f7fbab72d60a2193697

    SHA256

    424655b6dc73925958a0fdef1d6369afc989a5ab1f6f7ae48f44de78d2d28619

    SHA512

    006926e14af4adce0a478e1175cdde231b4cef3c1199234c887c2e12f0840b621e92d7581a99235e4b130f9fbff64365e8b26a5720c8b5584673d3e15952ad8c

  • C:\Users\Admin\AppData\Local\Temp\PLLXU.txt

    Filesize

    149B

    MD5

    230d0de063ef5fac6ddf78a06a6b4a07

    SHA1

    8bcba04b39b99467b2d96be25f0bbafb7e84c37f

    SHA256

    fe8f149d184c56d038989c811077379d51f567d68fa7e709c32228b3e68fdd7d

    SHA512

    057010085b093d008294df1572c82accc4118f404d0fac0a945a0966df0ffd9af33ad162821472e2842a457006551add99185fe5cb772dce61349aa11552f1d4

  • C:\Users\Admin\AppData\Local\Temp\a42208c4a96c249f3d6fe39f43144f36_JaffaCakes118.exe

    Filesize

    496KB

    MD5

    a42208c4a96c249f3d6fe39f43144f36

    SHA1

    ff90b696d74d75932e122c774a95fc4671a41d86

    SHA256

    245500ee74fd9b8b021c38be617d72261d02a6d3fb8f9402fa0a10d5a1f41f93

    SHA512

    ce1977713291c941b47a1435f55db11e18a882a2c452b1a57bc115db68206d13c7b67fd780ddd728fda20a8fa5b329218700ec6c09188f3e8b9d1e0471fa0869

  • memory/1636-57-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/3124-56-0x0000000000400000-0x00000000004BB000-memory.dmp

    Filesize

    748KB

  • memory/3124-55-0x0000000000400000-0x00000000004BB000-memory.dmp

    Filesize

    748KB

  • memory/3124-54-0x0000000000400000-0x00000000004BB000-memory.dmp

    Filesize

    748KB

  • memory/3124-51-0x0000000000400000-0x00000000004BB000-memory.dmp

    Filesize

    748KB

  • memory/3124-49-0x0000000000400000-0x00000000004BB000-memory.dmp

    Filesize

    748KB

  • memory/4196-13-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/4196-52-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/4196-18-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/4196-16-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/4564-2-0x0000000002160000-0x0000000002161000-memory.dmp

    Filesize

    4KB

  • memory/4564-8-0x0000000002170000-0x0000000002171000-memory.dmp

    Filesize

    4KB

  • memory/4564-9-0x0000000002190000-0x0000000002191000-memory.dmp

    Filesize

    4KB

  • memory/4564-10-0x00000000021A0000-0x00000000021A1000-memory.dmp

    Filesize

    4KB

  • memory/4564-11-0x00000000021B0000-0x00000000021B1000-memory.dmp

    Filesize

    4KB

  • memory/4564-5-0x0000000002A40000-0x0000000002A41000-memory.dmp

    Filesize

    4KB

  • memory/4564-12-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

    Filesize

    4KB

  • memory/4564-7-0x0000000002A70000-0x0000000002A71000-memory.dmp

    Filesize

    4KB

  • memory/4564-6-0x0000000002A60000-0x0000000002A61000-memory.dmp

    Filesize

    4KB

  • memory/4564-3-0x0000000002190000-0x0000000002191000-memory.dmp

    Filesize

    4KB

  • memory/4564-4-0x00000000021A0000-0x00000000021A1000-memory.dmp

    Filesize

    4KB