Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    04-12-2024 16:20

General

  • Target

    c35e0f090da7e3fe6a7a0d4884210b13_JaffaCakes118.exe

  • Size

    1024KB

  • MD5

    c35e0f090da7e3fe6a7a0d4884210b13

  • SHA1

    93d07c8517d9d36782ee82f3bdb5dd106d39388e

  • SHA256

    f759238bc33a19a0f4c5b27eb8628a57698c3b7b08a9cc07510c579a5fbffed3

  • SHA512

    8e3b538486636e99b2ba40d051ed1fa5977f2867657635bd6718b97b8a6bdc304ed16d1bbad0fef7a8e1555dd5d199161e64f78fe9961e7298abb80552586704

  • SSDEEP

    24576:1Z1xuVVjfFoynPaVBUR8f+kN10EBhSTyLE58JKtYA+u:PQDgok30ESTyLEGK9+u

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

sabahhassan.no-ip.biz:1604

Mutex

DC_MUTEX-MHPA3BK

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    MAYkZ7Pow4iS

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Darkcomet family
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies firewall policy service 3 TTPs 6 IoCs
  • Windows security bypass 2 TTPs 4 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables Task Manager via registry modification
  • Downloads MZ/PE file
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 17 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c35e0f090da7e3fe6a7a0d4884210b13_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c35e0f090da7e3fe6a7a0d4884210b13_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2032
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\c35e0f090da7e3fe6a7a0d4884210b13_JaffaCakes118.exe" +s +h
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1680
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Users\Admin\AppData\Local\Temp\c35e0f090da7e3fe6a7a0d4884210b13_JaffaCakes118.exe" +s +h
        3⤵
        • Sets file to hidden
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2684
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2384
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        3⤵
        • Sets file to hidden
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2320
    • C:\Users\Admin\AppData\Local\Temp\8BALLRULER+1.1+(WIN).EXE
      "C:\Users\Admin\AppData\Local\Temp\8BALLRULER+1.1+(WIN).EXE"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2520
      • C:\Users\Admin\AppData\Local\Temp\AIR976F.tmp\Install 8BallRuler.exe
        "C:\Users\Admin\AppData\Local\Temp\AIR976F.tmp\Install 8BallRuler.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2860
    • C:\Windows\SysWOW64\notepad.exe
      notepad
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2756
    • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      2⤵
      • Modifies firewall policy service
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:980
      • C:\Users\Admin\AppData\Local\Temp\8BALLRULER+1.1+(WIN).EXE
        "C:\Users\Admin\AppData\Local\Temp\8BALLRULER+1.1+(WIN).EXE"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1512
        • C:\Users\Admin\AppData\Local\Temp\AIR9BB3.tmp\Install 8BallRuler.exe
          "C:\Users\Admin\AppData\Local\Temp\AIR9BB3.tmp\Install 8BallRuler.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Modifies system certificate store
          PID:1664
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies firewall policy service
        • Windows security bypass
        • Disables RegEdit via registry modification
        • Loads dropped DLL
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:592
        • C:\Users\Admin\AppData\Local\Temp\8BALLRULER+1.1+(WIN).EXE
          "C:\Users\Admin\AppData\Local\Temp\8BALLRULER+1.1+(WIN).EXE"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:276
          • C:\Users\Admin\AppData\Local\Temp\AIR9F2C.tmp\Install 8BallRuler.exe
            "C:\Users\Admin\AppData\Local\Temp\AIR9F2C.tmp\Install 8BallRuler.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:3012
        • C:\Windows\SysWOW64\notepad.exe
          notepad
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1380

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

    Filesize

    471B

    MD5

    df9404c4426254f0917526e175d75fef

    SHA1

    0d1c0a536e6532188c732eae289907651074ef82

    SHA256

    11ec5b13d84a44ebb45b953e94364c3bfc01888a3c1ec114e1ba32373d9ee776

    SHA512

    02a15a63fa173ac922ce360ac1dab571b45ff1ac207e8f05c06f8d69e3c7f3d43180fd3ed07435b522974c98aa3240a59d55282d8ae3e0facd57a1a2e75b9da8

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

    Filesize

    400B

    MD5

    50589d5b971a9058a44b424d695a461d

    SHA1

    0e9e2c05345bbae8a667a095cfc0b04548339318

    SHA256

    92ad8b5bc0c151abbd677f51b10123c3bff34a6b00aeba87deec1da9083e0d7a

    SHA512

    c63989527bad240f98d8e5193010b8d579013584f007f3630721357cfd03462c7e46b9aba24d7ec2045d36f525050603b7b3b50112179db7b26be9b33e9e8f16

  • C:\Users\Admin\AppData\Local\Adobe\AIR\logs\Install.log

    Filesize

    308B

    MD5

    d0a9c676c162b8ecf80976e9e2f8fd82

    SHA1

    649c5b3780855800a58aede17e83ae2e86018560

    SHA256

    9f91fa61c6ae7caa79f94c00a59a58168ea7009181ec7f963d467544d8bdbca3

    SHA512

    7567c7ed80f8179aaf9af91b731edb9941e5107571bf6c3d583b5859ac22f60f66f2408291a6e3845cc664a6f23159a58d06f6476eca77d4958e7cb5ec5e1765

  • C:\Users\Admin\AppData\Local\Adobe\AIR\logs\Install.log

    Filesize

    545B

    MD5

    10b79f363533644f1f82b17324e69c28

    SHA1

    c3146a52310e8f3d22429820d471e322d106fd3e

    SHA256

    3de45c0afce3c1fcfcf1fd98ecd10f00fa095ca2d2828336169a0856ed1b3126

    SHA512

    7507e45f8c391ce7a44a769c089e27cd5163fe1b160df58ac897e862c953396bc6a20843a6b605b65361bc40dbe4cb5db24aa27480c1d00afef9b17ab8d92fe5

  • C:\Users\Admin\AppData\Local\Adobe\AIR\logs\Install.log

    Filesize

    866B

    MD5

    aef1e8cb4cd916e8b77145e517d92b2c

    SHA1

    4d5be30bfd2bd951f9abbd95ca411f492f9bf3f7

    SHA256

    bf19c87d3a2ee633d6e8800d47fe62c5a221b25971b6299ed020930a5e51893e

    SHA512

    e164c6475993fc5176e5216d6651443444d366e82bd09ea9529c667141f5f568d4b976415cc269a2ee5b2d008ffc8d632a187fc5f0ca3d850dfd3cbabf038715

  • C:\Users\Admin\AppData\Local\Adobe\AIR\logs\Install.log

    Filesize

    1KB

    MD5

    5035a2e4b3e5dafff075ff8feb567598

    SHA1

    d20abc449677c5ad7bce09d7c4301306edf8debe

    SHA256

    35cd1c4932ab0c7484cb53e6087791d053771f6d644a6ff44eb96eb16d520a2e

    SHA512

    5706c5fe5b64809d7de1be098721517cd688244b587cdc19858ad252197763f983cee573575262b481869bda0059e8f6963f14560f55a694c89cba7aebaf4b95

  • C:\Users\Admin\AppData\Local\Adobe\AIR\logs\Install.log

    Filesize

    1KB

    MD5

    2892eb7d16ced447b582c4df1faad63f

    SHA1

    c55f73b0643c231b184f71cdbfd2ad441d11e091

    SHA256

    aa99e3b861ec14eecbe5df3278170147762587a6864374b718cec0d13491bca7

    SHA512

    19c33edb4b452e8fbe2c8847a3aae693a3c1a4f5067372a7cdc8920e7d634669e7b5c3459be1224222acecdf8a608448669f9890ed2dfc65796127b534e1b562

  • C:\Users\Admin\AppData\Local\Adobe\AIR\logs\Install.log

    Filesize

    1KB

    MD5

    ca1d188fcbc1f97c454435883d43549b

    SHA1

    0f4bfbe3f8018730fa70bf6221d60f1b27597d1d

    SHA256

    e3c19370495ab421153360caa445f9559b0462bf8cf24fb05115f7eb5a695abc

    SHA512

    57a8ccc71a09e8e8320667a9fcc568a7e633612198a891543159f420c00e93bc631293e4a5d4367194f4a91fe19b02c74a668cb821e3949a168292f5914360d5

  • C:\Users\Admin\AppData\Local\Temp\8BALLRULER+1.1+(WIN).EXE

    Filesize

    363KB

    MD5

    4b0fe4b36e5ed0f224bf6f2108ba9e9e

    SHA1

    948b52946060ad29c94b4e2d150e2a77bbee4c5e

    SHA256

    bc09b11b3963f2ea59fce5bc783e5d2592bb888d037adba030b54bf2165281b8

    SHA512

    1caf3f179c9de1c7de46cc3e9f8708b0549e1c57b1a63fce6fe11fb20037e58a4d51286b8cc72029a290f67152edb1886f6067c9c17da4af790d49eeae5e56e3

  • C:\Users\Admin\AppData\Local\Temp\AIR976F.tmp\.launch

    Filesize

    22B

    MD5

    030cf67122e16c6fb7a1d9712b2f3e25

    SHA1

    b2944a75dc99b0859dd19d8b9204de467e2e0d56

    SHA256

    68d6e0d1a7327895b8069ec31135744461a1586d0a5874d8e5eb882d3dcd0556

    SHA512

    3246b49861325768f454db2c5ddb76439be4fa16a0a3a5f197905a3bf596c28fca839d0b203c5d40a60f18e489fee3bf86e03323580f3ff4064d74cf67635e0b

  • C:\Users\Admin\AppData\Local\Temp\CabAB4D.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarB462.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • \Users\Admin\AppData\Local\Temp\AIR976F.tmp\Install 8BallRuler.exe

    Filesize

    125KB

    MD5

    5b6bc0f14712a4ccbf59fba43b7be42a

    SHA1

    e953c7fcd227832294b7d7ca1a8fda53c5803597

    SHA256

    2c685d483172df43fcfb3a23ed0decedbe4087d37248a78d4b475033eebe5ccb

    SHA512

    22dbcd77b0756e6cd719fd50f3d8eee8394e858f154fe345c9339f9686d6af27316521437b6a74a82db965ad2ea6fadc6937b74d5c7a715f32a3009e5e7b0dac

  • \Users\Admin\Documents\MSDCSC\msdcsc.exe

    Filesize

    1024KB

    MD5

    c35e0f090da7e3fe6a7a0d4884210b13

    SHA1

    93d07c8517d9d36782ee82f3bdb5dd106d39388e

    SHA256

    f759238bc33a19a0f4c5b27eb8628a57698c3b7b08a9cc07510c579a5fbffed3

    SHA512

    8e3b538486636e99b2ba40d051ed1fa5977f2867657635bd6718b97b8a6bdc304ed16d1bbad0fef7a8e1555dd5d199161e64f78fe9961e7298abb80552586704

  • memory/592-113-0x0000000000400000-0x000000000050D000-memory.dmp

    Filesize

    1.1MB

  • memory/980-114-0x0000000000400000-0x000000000050D000-memory.dmp

    Filesize

    1.1MB

  • memory/2032-115-0x0000000000400000-0x000000000050D000-memory.dmp

    Filesize

    1.1MB

  • memory/2032-0-0x0000000000260000-0x0000000000261000-memory.dmp

    Filesize

    4KB

  • memory/2756-69-0x0000000000190000-0x0000000000191000-memory.dmp

    Filesize

    4KB

  • memory/2756-41-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB