Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04-12-2024 16:20

General

  • Target

    c35e0f090da7e3fe6a7a0d4884210b13_JaffaCakes118.exe

  • Size

    1024KB

  • MD5

    c35e0f090da7e3fe6a7a0d4884210b13

  • SHA1

    93d07c8517d9d36782ee82f3bdb5dd106d39388e

  • SHA256

    f759238bc33a19a0f4c5b27eb8628a57698c3b7b08a9cc07510c579a5fbffed3

  • SHA512

    8e3b538486636e99b2ba40d051ed1fa5977f2867657635bd6718b97b8a6bdc304ed16d1bbad0fef7a8e1555dd5d199161e64f78fe9961e7298abb80552586704

  • SSDEEP

    24576:1Z1xuVVjfFoynPaVBUR8f+kN10EBhSTyLE58JKtYA+u:PQDgok30ESTyLEGK9+u

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

sabahhassan.no-ip.biz:1604

Mutex

DC_MUTEX-MHPA3BK

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    MAYkZ7Pow4iS

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Darkcomet family
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies firewall policy service 3 TTPs 3 IoCs
  • Windows security bypass 2 TTPs 2 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c35e0f090da7e3fe6a7a0d4884210b13_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c35e0f090da7e3fe6a7a0d4884210b13_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4756
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\c35e0f090da7e3fe6a7a0d4884210b13_JaffaCakes118.exe" +s +h
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5068
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Users\Admin\AppData\Local\Temp\c35e0f090da7e3fe6a7a0d4884210b13_JaffaCakes118.exe" +s +h
        3⤵
        • Sets file to hidden
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:532
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2788
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        3⤵
        • Sets file to hidden
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:1084
    • C:\Users\Admin\AppData\Local\Temp\8BALLRULER+1.1+(WIN).EXE
      "C:\Users\Admin\AppData\Local\Temp\8BALLRULER+1.1+(WIN).EXE"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4896
      • C:\Users\Admin\AppData\Local\Temp\AIR9337.tmp\Install 8BallRuler.exe
        "C:\Users\Admin\AppData\Local\Temp\AIR9337.tmp\Install 8BallRuler.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2692
    • C:\Windows\SysWOW64\notepad.exe
      notepad
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:1016
    • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      2⤵
      • Modifies firewall policy service
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Checks computer location settings
      • Executes dropped EXE
      • Windows security modification
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3352
      • C:\Users\Admin\AppData\Local\Temp\8BALLRULER+1.1+(WIN).EXE
        "C:\Users\Admin\AppData\Local\Temp\8BALLRULER+1.1+(WIN).EXE"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4568
        • C:\Users\Admin\AppData\Local\Temp\AIR97EA.tmp\Install 8BallRuler.exe
          "C:\Users\Admin\AppData\Local\Temp\AIR97EA.tmp\Install 8BallRuler.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2340
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        3⤵
        PID:4916
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        3⤵
        PID:2600
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2100

      Network

      MITRE ATT&CK Enterprise v15


      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

        Filesize

        471B

        MD5

        df9404c4426254f0917526e175d75fef

        SHA1

        0d1c0a536e6532188c732eae289907651074ef82

        SHA256

        11ec5b13d84a44ebb45b953e94364c3bfc01888a3c1ec114e1ba32373d9ee776

        SHA512

        02a15a63fa173ac922ce360ac1dab571b45ff1ac207e8f05c06f8d69e3c7f3d43180fd3ed07435b522974c98aa3240a59d55282d8ae3e0facd57a1a2e75b9da8

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

        Filesize

        400B

        MD5

        c4c1ead952c2111410736dc7ad091fcc

        SHA1

        341d225551b24eb563894892ce0405236ea80a22

        SHA256

        923d0eac1762ded6da9478ec873bd8c2864ff2853f956263533fc27e05ee5575

        SHA512

        de9b8cbfeb3c299d9ad7c45fed1af0e9b4af01e6a024284ca8e09bf0cb6d13f7c2ae369ba61df5cdb0f089540e23c575f914385966c70d7b7da7036d6a4feb7e

      • C:\Users\Admin\AppData\Local\Adobe\AIR\logs\Install.log

        Filesize

        246B

        MD5

        e827a123ea6e39c72bad52bb99ea466c

        SHA1

        acf8e337ffcf3de2e9a608c7564b21cf9c911e6a

        SHA256

        e2bc3f128afb5b6b5e51917d56a893ec3fc436d45faa281691ec475a21b376c5

        SHA512

        104c71b380a5ea02b6c905242353b80f5cf5cb8d2f12d6c9aa7b77698b647684cfc65c7d8cc31473b932e6356602614c1059c41da0ef887729b88e9430f94279

      • C:\Users\Admin\AppData\Local\Adobe\AIR\logs\Install.log

        Filesize

        433B

        MD5

        c6976d6e2c11141c2e353de23bbaa3c0

        SHA1

        cd8ec058effb942462e6f18d3c5e8949446a0b11

        SHA256

        496dae1ce741155c1416e9612e309db86cd86875fe1651593a2164115730ff30

        SHA512

        4529515350e0d4afa7e2048ae8eb01079cee0fc7bdb2dddcd32166cf68826565928ed6bf8cef0db8403c4f8f4f912dabc0cddd835601904dda32c82e4339fd93

      • C:\Users\Admin\AppData\Local\Adobe\AIR\logs\Install.log

        Filesize

        535B

        MD5

        6704cc8912da664de98331b178b4eab4

        SHA1

        8fe5783a45ff5b3dd9b4fa4e26bad36b75a973f0

        SHA256

        f58c7ad09573916e1066c9addec8a5acb8e27c84ac296aa8f38091573bd86e62

        SHA512

        bc95b60fb27f28eb3665484409867652c802bb69ac7f4f39c628612ba629ec19e3dd0ab1f73e8ea919a200949b78d1575283edb62648a0c871e29d32c26aef35

      • C:\Users\Admin\AppData\Local\Temp\8BALLRULER+1.1+(WIN).EXE

        Filesize

        363KB

        MD5

        4b0fe4b36e5ed0f224bf6f2108ba9e9e

        SHA1

        948b52946060ad29c94b4e2d150e2a77bbee4c5e

        SHA256

        bc09b11b3963f2ea59fce5bc783e5d2592bb888d037adba030b54bf2165281b8

        SHA512

        1caf3f179c9de1c7de46cc3e9f8708b0549e1c57b1a63fce6fe11fb20037e58a4d51286b8cc72029a290f67152edb1886f6067c9c17da4af790d49eeae5e56e3

      • C:\Users\Admin\AppData\Local\Temp\AIR9337.tmp\.launch

        Filesize

        22B

        MD5

        030cf67122e16c6fb7a1d9712b2f3e25

        SHA1

        b2944a75dc99b0859dd19d8b9204de467e2e0d56

        SHA256

        68d6e0d1a7327895b8069ec31135744461a1586d0a5874d8e5eb882d3dcd0556

        SHA512

        3246b49861325768f454db2c5ddb76439be4fa16a0a3a5f197905a3bf596c28fca839d0b203c5d40a60f18e489fee3bf86e03323580f3ff4064d74cf67635e0b

      • C:\Users\Admin\AppData\Local\Temp\AIR9337.tmp\Install 8BallRuler.exe

        Filesize

        125KB

        MD5

        5b6bc0f14712a4ccbf59fba43b7be42a

        SHA1

        e953c7fcd227832294b7d7ca1a8fda53c5803597

        SHA256

        2c685d483172df43fcfb3a23ed0decedbe4087d37248a78d4b475033eebe5ccb

        SHA512

        22dbcd77b0756e6cd719fd50f3d8eee8394e858f154fe345c9339f9686d6af27316521437b6a74a82db965ad2ea6fadc6937b74d5c7a715f32a3009e5e7b0dac

      • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

        Filesize

        1024KB

        MD5

        c35e0f090da7e3fe6a7a0d4884210b13

        SHA1

        93d07c8517d9d36782ee82f3bdb5dd106d39388e

        SHA256

        f759238bc33a19a0f4c5b27eb8628a57698c3b7b08a9cc07510c579a5fbffed3

        SHA512

        8e3b538486636e99b2ba40d051ed1fa5977f2867657635bd6718b97b8a6bdc304ed16d1bbad0fef7a8e1555dd5d199161e64f78fe9961e7298abb80552586704

      • memory/1016-33-0x0000000000B80000-0x0000000000B81000-memory.dmp

        Filesize

        4KB

      • memory/2100-129-0x0000000000C40000-0x0000000000C41000-memory.dmp

        Filesize

        4KB

      • memory/3352-169-0x0000000000400000-0x000000000050D000-memory.dmp

        Filesize

        1.1MB

      • memory/3352-167-0x0000000000400000-0x000000000050D000-memory.dmp

        Filesize

        1.1MB

      • memory/3352-162-0x0000000000400000-0x000000000050D000-memory.dmp

        Filesize

        1.1MB

      • memory/3352-163-0x0000000000400000-0x000000000050D000-memory.dmp

        Filesize

        1.1MB

      • memory/3352-164-0x0000000000400000-0x000000000050D000-memory.dmp

        Filesize

        1.1MB

      • memory/3352-165-0x0000000000400000-0x000000000050D000-memory.dmp

        Filesize

        1.1MB

      • memory/3352-166-0x0000000000400000-0x000000000050D000-memory.dmp

        Filesize

        1.1MB

      • memory/3352-175-0x0000000000400000-0x000000000050D000-memory.dmp

        Filesize

        1.1MB

      • memory/3352-168-0x0000000000400000-0x000000000050D000-memory.dmp

        Filesize

        1.1MB

      • memory/3352-174-0x0000000000400000-0x000000000050D000-memory.dmp

        Filesize

        1.1MB

      • memory/3352-170-0x0000000000400000-0x000000000050D000-memory.dmp

        Filesize

        1.1MB

      • memory/3352-171-0x0000000000400000-0x000000000050D000-memory.dmp

        Filesize

        1.1MB

      • memory/3352-172-0x0000000000400000-0x000000000050D000-memory.dmp

        Filesize

        1.1MB

      • memory/3352-173-0x0000000000400000-0x000000000050D000-memory.dmp

        Filesize

        1.1MB

      • memory/4756-132-0x0000000000400000-0x000000000050D000-memory.dmp

        Filesize

        1.1MB

      • memory/4756-0-0x0000000000720000-0x0000000000721000-memory.dmp

        Filesize

        4KB