Analysis

  • max time kernel
    94s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-12-2024 13:25

General

  • Target

    e1aaadeea3b6a7eb266464759e3015e0_JaffaCakes118.exe

  • Size

    1.7MB

  • MD5

    e1aaadeea3b6a7eb266464759e3015e0

  • SHA1

    b8598cc86990f8037a337d37d815bf6bc2731a4f

  • SHA256

    a56b7626f51392efde61f7badbde40701275e457ee210b22aab17592b9c009a9

  • SHA512

    8b86674e6d410ea4d0dd5e76b584388dcc8aa12880f11e964c18019b289bd651dfe056464448be6d0a90090fdbf39cb32ff9a11f94fb9fd62e9637eb0409c1fb

  • SSDEEP

    12288:BPr07ZEcWwpOYrEAw5bq4RGLeEF7EDG2O2fra7RSRUL7uHDIbntFuisEi6v3DyNq:BjQcbUADuU8iWr9itzwZTEqjQ0EBbtG

Malware Config

Extracted

Family

darkcomet

Botnet

Victim

C2

loldude12345.zapto.org:1604

Mutex

DC_MUTEX-WYV5PKM

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    oiVpUYYaVk85

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Darkcomet family
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e1aaadeea3b6a7eb266464759e3015e0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e1aaadeea3b6a7eb266464759e3015e0_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3304
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\system32\svchost.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:824
      • C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        "C:\Windows\system32\MSDCSC\msdcsc.exe"
        3⤵
        • Executes dropped EXE
        PID:1420

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\MSDCSC\msdcsc.exe

    Filesize

    45KB

    MD5

    b7c999040d80e5bf87886d70d992c51e

    SHA1

    a8ed9a51cc14ccf99b670e60ebbc110756504929

    SHA256

    5c3257b277f160109071e7e716040e67657341d8c42aa68d9afafe1630fcc53e

    SHA512

    71ba2fbd705e51b488afe3bb33a67212cf297e97e8b1b20ada33e16956f7ec8f89a79e04a4b256fd61a442fada690aff0c807c2bdcc9165a9c7be3de725de309

  • memory/824-6-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/824-4-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/824-7-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/824-12-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/824-11-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

    Filesize

    4KB

  • memory/3304-0-0x0000000075582000-0x0000000075583000-memory.dmp

    Filesize

    4KB

  • memory/3304-1-0x0000000075580000-0x0000000075B31000-memory.dmp

    Filesize

    5.7MB

  • memory/3304-2-0x0000000075580000-0x0000000075B31000-memory.dmp

    Filesize

    5.7MB

  • memory/3304-3-0x0000000075580000-0x0000000075B31000-memory.dmp

    Filesize

    5.7MB

  • memory/3304-8-0x0000000075580000-0x0000000075B31000-memory.dmp

    Filesize

    5.7MB

  • memory/3304-22-0x0000000075580000-0x0000000075B31000-memory.dmp

    Filesize

    5.7MB