Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
06-12-2024 19:25
General
-
Target
cea0ff40beb91736ba2442b69237667b_JaffaCakes118.exe
-
Size
926KB
-
MD5
cea0ff40beb91736ba2442b69237667b
-
SHA1
a43ca7c487363b53158573b25cc29888763cc626
-
SHA256
96a973f6ec1b985ad4224870800fbbe369e5838dbc994c16d7ce8f8c3b30e8a1
-
SHA512
3a1298c556a36a27e8e48540abea44728ce2b06d7f41a0c8478161078d6a0773728013acce007a23ca433bbbef0e1160f857e1618a4b16fda9c8b5199d936397
-
SSDEEP
24576:0vVGhnqrpqUruyeG0ZN3DIeriQv0XwQjGp:PJ48UKfGw1DniQveg
Malware Config
Extracted
darkcomet
M@trix
matrixgx.no-ip.biz:1604
DC_MUTEX-LCLDLR3
-
InstallPath
RealPlayer\%TEMP%.exe
-
gencode
kzX7VMDXdUly
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
RealUpd
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Darkcomet family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies firewall policy service 3 TTPs 3 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops desktop.ini file(s) 2 IoCs
-
UPX packed file 17 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 50 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 31 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\cea0ff40beb91736ba2442b69237667b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\cea0ff40beb91736ba2442b69237667b_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1.exe"C:\Users\Admin\AppData\Local\Temp\1.exe"2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\RealPlayer\%TEMP%.exe"C:\Users\Admin\AppData\Roaming\RealPlayer\%TEMP%.exe"3⤵
- Modifies firewall policy service
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\notepad.exenotepad4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\2.exe"C:\Users\Admin\AppData\Local\Temp\2.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x244 0x2401⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
690KB
MD545eb357bd7e13451a15e96c151f85d71
SHA11c69258927c4e2dcc7b154fdf64468e2d62dde4e
SHA256c97da2ada1e7f2a498995d806542181bd0e42283f01a158e4abb917733cf151d
SHA512c439d6e9efdb74bb1405849a1356399a7a538b2dacec9a5f09953ff9ef12b257e325127ecbc0898734f1907648a6209a5151ba740a71bfd7f5fa3f8fa56291f3
-
Filesize
222KB
MD55bf28e61b1c3ec7f3ede92262a8e7231
SHA12c15790344fddfea7d76a31776b4c3be036c5bc9
SHA2569c0208af1eeb9f75c5fd3971a816ca30947c935fa4a29fec97a4574312b4522e
SHA512e52acc2dafc665753693d61f5cdc0548bcf6f27e6412751bd5f7dc1cfdd3cd79f3a2496242e955aa4d9e5a1be8855885d3b8949c0e6e1fd0367cad6794e1aaab
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
944KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
744KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
744KB
-
Filesize
744KB
-
Filesize
744KB
-
Filesize
744KB
-
Filesize
744KB
-
Filesize
744KB
-
Filesize
744KB
-
Filesize
744KB
-
Filesize
744KB
-
Filesize
744KB
-
Filesize
744KB
-
Filesize
744KB
-
Filesize
744KB
-
Filesize
744KB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB