Analysis

  • max time kernel
    149s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-12-2024 20:12

General

  • Target

    e81433472610bfe2bc3e320fad7d8d8e_JaffaCakes118.exe

  • Size

    1.2MB

  • MD5

    e81433472610bfe2bc3e320fad7d8d8e

  • SHA1

    0241912ba1137572d87d9f3a46ee82ab5774bed6

  • SHA256

    00675c83d0755b1a4d28954d4426e5155127956f364e26676795e7109c27fdb8

  • SHA512

    17a584b687be02c6cd35b9846b28bad01c5e8f0769aa1b51c76595d9cea90c03e182d597c8355d35b05980904cb1eb52202e12c8053defc56461f7b8041b0a15

  • SSDEEP

    24576:v2O/GlZSB1ytVKPLtsq9w6GGLiqGpY4MSZyN301n7g6zwm4m53Sb2T:lCnKh7zF7GpYdSZyl45kFm53SyT

Malware Config

Extracted

Family

darkcomet

Botnet

ALL-BROWSER

C2

root.socialmediaservices.co:1299

Mutex

DC_MUTEX-E0HY7V3

Attributes
  • gencode

    zSHmPMnVaR8K

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Darkcomet family
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e81433472610bfe2bc3e320fad7d8d8e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e81433472610bfe2bc3e320fad7d8d8e_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2584
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\ULQLL\3562.vbs" 6265
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2952
      • C:\Users\Admin\ULQLL\OSVXU.exe
        "C:\Users\Admin\ULQLL\OSVXU.exe" 439536.BML
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2448
        • C:\Users\Admin\ULQLL\OSVXU.exe
          OSVXU.exe QIYEPTDB.dat
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1376
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:1684

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\ULQLL\3562.vbs

    Filesize

    56B

    MD5

    97e33d391fbe0c466c2288cc5801865a

    SHA1

    2c6789ae06e1ff97b85c16adcf5111c4e593010c

    SHA256

    dec8338a7781e676346b4978f9da1566c0eac25a07bb7a050ebdef140f05b3af

    SHA512

    81fa9c02b63dde3f13d8b93d621a4356e8abb31668a448762e2d706d414caa4fe60c3214880dedb07ea71b6ffda705e10f77403984df38f11ccf5642225eb191

  • C:\Users\Admin\ULQLL\400999.dat

    Filesize

    27KB

    MD5

    b95e0aa565c8ec1767df78ee2dd3f58f

    SHA1

    958a94768cc7b6dd121cb09de321a268855f68c8

    SHA256

    46828d17f9805bed556f49138e33bedd82168fc5a2d979dfc9b3375cc7953e96

    SHA512

    f3e2db711b7742c968e5de1cce46a6441f14bcdbff92b4a78b93d8ffea66d210fccb09992a2e5f7a5d6c19efa6b20e8172256f553aa47825eb4d5afb3cf22dfd

  • C:\Users\Admin\ULQLL\439536.BML

    Filesize

    4.2MB

    MD5

    410dbd8aa871489eeae5eb6cbdd11069

    SHA1

    1bfafd8a6737302f84c160904934c63b89da9e67

    SHA256

    db277e431b120ece87093d56abe893ee197f1cbd30a256f1818b885aca6d288d

    SHA512

    d7b3791e361085e7e79d340420e84f625d0d8a16187384db84d945a174106d327a8acf0c1ce9e035a8d615162ebf1c9c5eea174492b65aee362a559ab1bad01b

  • C:\Users\Admin\ULQLL\536697.dat

    Filesize

    658KB

    MD5

    84252d2c621db160c79b476d07647a1a

    SHA1

    f40898afa9d41f82936d4b4f00065b6194d6c2ff

    SHA256

    5d04a189c0d0c2154ecda8d3979cb77a20b4a105eb564cd0a212d8a8d900cb90

    SHA512

    fd88eef63c932fadf5529d836a05cbe68aa238f2ec60c10568be790663812f8ff619484295dcd88f347b0ea6dbabf9e1cdc5850ab2a828099afa7f3e74ae810c

  • C:\Users\Admin\ULQLL\QIYEPTDB.dat

    Filesize

    27KB

    MD5

    bfb677cb7d545cee1bdf4a4c8d447791

    SHA1

    5733fee4ac03c60a1da99539b2b176c54d127b0b

    SHA256

    598eeeebeec23de2cd54cb36067e4f319e0637b31f8aaf0e7714175b4a7c08b7

    SHA512

    50ac5cd11427d62f7b18c894f5b3da1d28795915dc1d29ba709ce3311689df69d40265184ae3b1f202cd26dcbf29bbba121bb9c204b036837d072c01843e3c85

  • C:\Users\Admin\ULQLL\settings.ini

    Filesize

    259KB

    MD5

    aedf4ee1fb012e295ec0d0ee2b90e0e6

    SHA1

    65d2dd0de2aa4750dd8fa1e0578985bb33b94843

    SHA256

    eaf2fa194bb80fc44360fa7bcede0cba0393f8a45e9592ab0b395c01e0b157c8

    SHA512

    0e8a9d38370894d3b8afc1385642f5b12e8916e5b4795eac275ab8a53e3a3c3c4c2a65e679a220c382ac5375b9e7a4ff0eac674304fdd60401b9132c2f50220b

  • \Users\Admin\ULQLL\OSVXU.exe

    Filesize

    732KB

    MD5

    71d8f6d5dc35517275bc38ebcc815f9f

    SHA1

    cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

    SHA256

    fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

    SHA512

    4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

  • memory/1684-1046-0x0000000000090000-0x0000000000142000-memory.dmp

    Filesize

    712KB

  • memory/1684-1045-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/1684-1043-0x0000000000090000-0x0000000000142000-memory.dmp

    Filesize

    712KB

  • memory/1684-1049-0x0000000000090000-0x0000000000142000-memory.dmp

    Filesize

    712KB

  • memory/1684-1047-0x0000000000090000-0x0000000000142000-memory.dmp

    Filesize

    712KB

  • memory/1684-1050-0x0000000000090000-0x0000000000142000-memory.dmp

    Filesize

    712KB

  • memory/1684-1051-0x0000000000090000-0x0000000000142000-memory.dmp

    Filesize

    712KB