Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    07-12-2024 05:33

General

  • Target

    d0e0f6380b41345ddd15c2eaa2e1d058_JaffaCakes118.exe

  • Size

    350KB

  • MD5

    d0e0f6380b41345ddd15c2eaa2e1d058

  • SHA1

    83c58927d06b1bb4b649797a369ed24ff422043a

  • SHA256

    d6bf9497d6ceec5a40a538c2470371343318a71aa490a48ea59abac338c92473

  • SHA512

    d945882062f607d3df1149a4f7d0d22115523ed9db06a057891dfa2a911c458e83ae9cade18f90227c7263596752ba1b2dd3635e300fa1cdc3e1a3475aa2376b

  • SSDEEP

    6144:kD7cY2fgssM7Wirg9KXylmRiL+QMeC/i6isqX7UovnONztByipwxZTlI2hgplSZJ:kl8E4w5huat7UovONzbXw3Nh/NVR

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

zarloc.weuns.fr:1604

zarloc.dyndns.org:1604

Mutex

DC_MUTEX-F54S21D

Attributes
  • gencode

    qzavXgkDi3Kh

  • install

    false

  • offline_keylogger

    true

  • password

    jet'aieuconnard

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Darkcomet family
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • UPX packed file 16 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d0e0f6380b41345ddd15c2eaa2e1d058_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d0e0f6380b41345ddd15c2eaa2e1d058_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2080
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\d0e0f6380b41345ddd15c2eaa2e1d058_JaffaCakes118.exe" +s +h
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2788
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Users\Admin\AppData\Local\Temp\d0e0f6380b41345ddd15c2eaa2e1d058_JaffaCakes118.exe" +s +h
        3⤵
        • Sets file to hidden
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2572
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2768
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        3⤵
        • Sets file to hidden
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2580
    • C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      2⤵
        PID:2816
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        2⤵
          PID:2136
        • C:\Windows\SysWOW64\notepad.exe
          notepad
          2⤵
          • System Location Discovery: System Language Discovery
          PID:2696

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2080-35-0x0000000000400000-0x00000000004EB000-memory.dmp

        Filesize

        940KB

      • memory/2080-45-0x0000000000400000-0x00000000004EB000-memory.dmp

        Filesize

        940KB

      • memory/2080-0-0x0000000000400000-0x00000000004EB000-memory.dmp

        Filesize

        940KB

      • memory/2080-36-0x0000000000400000-0x00000000004EB000-memory.dmp

        Filesize

        940KB

      • memory/2080-31-0x0000000000400000-0x00000000004EB000-memory.dmp

        Filesize

        940KB

      • memory/2080-32-0x0000000000400000-0x00000000004EB000-memory.dmp

        Filesize

        940KB

      • memory/2080-33-0x0000000000400000-0x00000000004EB000-memory.dmp

        Filesize

        940KB

      • memory/2080-34-0x0000000000400000-0x00000000004EB000-memory.dmp

        Filesize

        940KB

      • memory/2080-44-0x0000000000400000-0x00000000004EB000-memory.dmp

        Filesize

        940KB

      • memory/2080-1-0x00000000001F0000-0x00000000001F1000-memory.dmp

        Filesize

        4KB

      • memory/2080-38-0x0000000000400000-0x00000000004EB000-memory.dmp

        Filesize

        940KB

      • memory/2080-37-0x0000000000400000-0x00000000004EB000-memory.dmp

        Filesize

        940KB

      • memory/2080-39-0x0000000000400000-0x00000000004EB000-memory.dmp

        Filesize

        940KB

      • memory/2080-40-0x0000000000400000-0x00000000004EB000-memory.dmp

        Filesize

        940KB

      • memory/2080-41-0x0000000000400000-0x00000000004EB000-memory.dmp

        Filesize

        940KB

      • memory/2080-42-0x0000000000400000-0x00000000004EB000-memory.dmp

        Filesize

        940KB

      • memory/2080-43-0x0000000000400000-0x00000000004EB000-memory.dmp

        Filesize

        940KB

      • memory/2696-30-0x0000000000220000-0x0000000000221000-memory.dmp

        Filesize

        4KB

      • memory/2696-2-0x0000000000080000-0x0000000000081000-memory.dmp

        Filesize

        4KB