Overview

overview

10

Static

static

7

b92690dd60...18.exe

windows7-x64

10

b92690dd60...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    02-12-2024 16:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b92690dd60c51269cad640b0a34b4388_JaffaCakes118.exe

  • Size

    1.6MB

  • MD5

    b92690dd60c51269cad640b0a34b4388

  • SHA1

    7f7efb103facfac19e21de3c0e031a37ce24853e

  • SHA256

    efa1d8b3913bea3615e5b1a482789cca5649662d851868f703b7728fdb86cad2

  • SHA512

    1cb6b2d10631f1f1f8bd8003566dd379893d08b6476fa7cd14efc0a37ca208ecdc390e167532ad260be6adeb4f5358f787ccffdab96e9bd2e62962e5b6695889

  • SSDEEP

    49152:mBndddR42azwkxZVD9u6WD6dZs3rOi5TC:wZn0fKDMs3rde

Score
10/10
darkcometmodiloaderroutediscoverypersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

route

C2

mkidech.zapto.org:1604

Mutex

DC_MUTEX-MFYHLY2

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    oys3ZZzt6sGy

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Darkcomet family
    darkcomet
  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modiloader family
    modiloader
  • ModiLoader Second Stage 3 IoCs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 12 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b92690dd60c51269cad640b0a34b4388_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b92690dd60c51269cad640b0a34b4388_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2704
    • C:\Users\Admin\AppData\Local\Temp\E917.tmp
      C:\Users\Admin\AppData\Local\Temp\E917.tmp
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2712
      • C:\Users\Admin\AppData\Local\Temp\GameLauncher.exe
        "C:\Users\Admin\AppData\Local\Temp\GameLauncher.exe"
        3⤵
        • Executes dropped EXE
        PID:2848
      • C:\Users\Admin\AppData\Local\Temp\route.exe
        "C:\Users\Admin\AppData\Local\Temp\route.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2584
        • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
          "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2332
    • C:\Users\Admin\AppData\Local\Temp\GameLauncher.exe
      "C:\Users\Admin\AppData\Local\Temp\GameLauncher.exe"
      2⤵
      • Executes dropped EXE
      PID:2576
    • C:\Users\Admin\AppData\Local\Temp\route.exe
      "C:\Users\Admin\AppData\Local\Temp\route.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2044
      • C:\Users\Admin\Documents\MSDCSC\oys3ZZzt6sGy\msdcsc.exe
        "C:\Users\Admin\Documents\MSDCSC\oys3ZZzt6sGy\msdcsc.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:892

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\E917.tmp
    Filesize

    1.3MB

    MD5

    e30c9b8c07eb6bb88f16c6084879391d

    SHA1

    09cbc8d0fc7024bc1d413537b2e56265809a8f45

    SHA256

    547b5f8fa22536e6ef421540f6f2308e02e09f841e17676dd16db35f3a01853c

    SHA512

    47bdc5c82e5886d57bc8e67307c7e6a21ff47e111dd0f04bb85aafb5d672a5b243f19eae23658e70fc3279cffb89468114015e4b44d21b3001dfb1e2118718e4

    Download Submit

  • \Users\Admin\AppData\Local\Temp\GameLauncher.exe
    Filesize

    696KB

    MD5

    7adfa5e4db889dafb6849a75bb4dc746

    SHA1

    87f6bcda764ff0c76527ef982af8d3d284fb7e51

    SHA256

    347a8fdb6f338405d08f24ed02be2b7deee891291f827aaaf52709fe738089c3

    SHA512

    b31f47edc94ca6b5468e0f3682fd822d0b81dcb087858fc7de100aecd2280e7c499666d8179b6a4050e2395ee766c79134385c2eff2b2db3cd329bd0fd06656e

    Download Submit

  • \Users\Admin\AppData\Local\Temp\route.exe
    Filesize

    333KB

    MD5

    255030cfbfff58432ba7c7e15512047f

    SHA1

    2ec66866e791d094f202d669cc6025dd6434315f

    SHA256

    00d718bc93719b81b487474baf3cdf54ca474abbdc24a57b6f13faa6ea4a02f5

    SHA512

    de3435aef2f1fd1822e9c4ab21cc7f8e67e7fcf4b73359bfee9827a278ac0605dbd827f5e2f59915d8f2ece1a4d12e4266664e4798611c47c9283121a3c68238

    Download Submit

  • memory/892-85-0x0000000000400000-0x00000000004E9000-memory.dmp

    Filesize

    932KB

    Download

  • memory/892-87-0x0000000000400000-0x00000000004E9000-memory.dmp

    Filesize

    932KB

    Download

  • memory/2044-83-0x0000000000400000-0x00000000004E9000-memory.dmp

    Filesize

    932KB

    Download

  • memory/2044-69-0x0000000000400000-0x00000000004E9000-memory.dmp

    Filesize

    932KB

    Download

  • memory/2332-89-0x0000000000400000-0x00000000004E9000-memory.dmp

    Filesize

    932KB

    Download

  • memory/2332-90-0x0000000000400000-0x00000000004E9000-memory.dmp

    Filesize

    932KB

    Download

  • memory/2332-92-0x0000000000400000-0x00000000004E9000-memory.dmp

    Filesize

    932KB

    Download

  • memory/2332-58-0x0000000000400000-0x00000000004E9000-memory.dmp

    Filesize

    932KB

    Download

  • memory/2584-88-0x0000000003750000-0x0000000003839000-memory.dmp

    Filesize

    932KB

    Download

  • memory/2584-54-0x0000000003750000-0x0000000003839000-memory.dmp

    Filesize

    932KB

    Download

  • memory/2584-53-0x0000000000400000-0x00000000004E9000-memory.dmp

    Filesize

    932KB

    Download

  • memory/2584-36-0x0000000000400000-0x00000000004E9000-memory.dmp

    Filesize

    932KB

    Download

  • memory/2704-68-0x0000000076C10000-0x0000000076D20000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2704-66-0x0000000000320000-0x000000000036E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/2704-1-0x0000000000320000-0x000000000036E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/2704-71-0x0000000003370000-0x0000000003459000-memory.dmp

    Filesize

    932KB

    Download

  • memory/2704-70-0x0000000003370000-0x0000000003459000-memory.dmp

    Filesize

    932KB

    Download

  • memory/2704-6-0x0000000076C21000-0x0000000076C22000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2704-0-0x00000000002B0000-0x00000000002B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2704-5-0x0000000077480000-0x0000000077481000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2704-65-0x0000000000400000-0x000000000063E000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/2704-15-0x0000000076C10000-0x0000000076D20000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2704-2-0x0000000000400000-0x000000000063E000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/2704-3-0x0000000001FF0000-0x0000000002000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2704-4-0x0000000002110000-0x0000000002120000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2712-32-0x00000000030B0000-0x0000000003199000-memory.dmp

    Filesize

    932KB

    Download

  • memory/2712-30-0x0000000000400000-0x0000000000553000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2712-31-0x00000000030B0000-0x0000000003199000-memory.dmp

    Filesize

    932KB

    Download