Overview

overview

10

Static

static

3

faa6931111...18.exe

windows7-x64

10

faa6931111...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    18-12-2024 07:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    faa69311111e5a69146a3fece991b866_JaffaCakes118.exe

  • Size

    399KB

  • MD5

    faa69311111e5a69146a3fece991b866

  • SHA1

    e3f68b8ca75ca8dd9fca728fb0d49666855c0ef5

  • SHA256

    0af4011a44190633ea33f4c71699b3489bb27881556fa24b763f862a4be31b82

  • SHA512

    01dd5fcac65bc194dd40757a30eaf9db314b633a23ba95d6a42aae9edef25651bd7a0afafeb3e0a9bdfb7bdde770580759141002fd3e73db61d6c0f31f75c710

  • SSDEEP

    6144:NSncRlxFRaI2EqBP/WsZL1PgLl4w0AidVym0EnarUBYVsuD:k4FR72EqluswR45JTnaEY2

Score
10/10
darkcometdiscoveryevasionpersistencerattrojanupx

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Darkcomet family
    darkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies firewall policy service 3 TTPs 3 IoCs
    evasion
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • UPX packed file 20 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\faa69311111e5a69146a3fece991b866_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\faa69311111e5a69146a3fece991b866_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3036
    • C:\Users\Admin\AppData\Local\Temp\GROSS GORE GF NUDE.EXE
      "C:\Users\Admin\AppData\Local\Temp\GROSS GORE GF NUDE.EXE"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2440
      • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        3⤵
        • Modifies firewall policy service
        • Windows security bypass
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2152
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          4⤵
            PID:2988
          • C:\Windows\explorer.exe
            "C:\Windows\explorer.exe"
            4⤵
              PID:2636

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Persistence

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Privilege Escalation

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Defense Evasion

      Impair Defenses

      3
      T1562

      Disable or Modify System Firewall

      1
      T1562.004

      Disable or Modify Tools

      2
      T1562.001

      Modify Registry

      5
      T1112

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      Lateral Movement

      Collection

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • \Users\Admin\AppData\Local\Temp\GROSS GORE GF NUDE.EXE
        Filesize

        346KB

        MD5

        7d5ae7cd31a4921c81df696227a5187c

        SHA1

        70376692070db9b40323ed3c8340c14319482da3

        SHA256

        7ad1c6c3a1b474800799dbdb3240c7d9ec7c2a8ab174f1bd50a2bbfe161a4d70

        SHA512

        704a934a1dd226ecf70cbc69d3acb2170d95c343a262e897514af89882e6faa92dd56d1f410c55f937a6c86c533313c7d95e7abac0f5e84734aac3c5c07d9f33

        Download Submit

      • memory/2152-39-0x0000000000400000-0x00000000004E5000-memory.dmp

        Filesize

        916KB

        Download

      • memory/2152-44-0x0000000000400000-0x00000000004E5000-memory.dmp

        Filesize

        916KB

        Download

      • memory/2152-32-0x0000000000400000-0x00000000004E5000-memory.dmp

        Filesize

        916KB

        Download

      • memory/2152-26-0x0000000000400000-0x00000000004E5000-memory.dmp

        Filesize

        916KB

        Download

      • memory/2152-33-0x0000000000400000-0x00000000004E5000-memory.dmp

        Filesize

        916KB

        Download

      • memory/2152-43-0x0000000000400000-0x00000000004E5000-memory.dmp

        Filesize

        916KB

        Download

      • memory/2152-27-0x0000000000270000-0x0000000000271000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2152-29-0x0000000000400000-0x00000000004E5000-memory.dmp

        Filesize

        916KB

        Download

      • memory/2152-31-0x0000000000270000-0x0000000000271000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2152-34-0x0000000000400000-0x00000000004E5000-memory.dmp

        Filesize

        916KB

        Download

      • memory/2152-42-0x0000000000400000-0x00000000004E5000-memory.dmp

        Filesize

        916KB

        Download

      • memory/2152-41-0x0000000000400000-0x00000000004E5000-memory.dmp

        Filesize

        916KB

        Download

      • memory/2152-30-0x0000000000400000-0x00000000004E5000-memory.dmp

        Filesize

        916KB

        Download

      • memory/2152-35-0x0000000000400000-0x00000000004E5000-memory.dmp

        Filesize

        916KB

        Download

      • memory/2152-36-0x0000000000400000-0x00000000004E5000-memory.dmp

        Filesize

        916KB

        Download

      • memory/2152-37-0x0000000000400000-0x00000000004E5000-memory.dmp

        Filesize

        916KB

        Download

      • memory/2152-38-0x0000000000400000-0x00000000004E5000-memory.dmp

        Filesize

        916KB

        Download

      • memory/2152-40-0x0000000000400000-0x00000000004E5000-memory.dmp

        Filesize

        916KB

        Download

      • memory/2440-10-0x0000000000400000-0x00000000004E5000-memory.dmp

        Filesize

        916KB

        Download

      • memory/2440-11-0x0000000000260000-0x0000000000261000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2440-25-0x0000000000400000-0x00000000004E5000-memory.dmp

        Filesize

        916KB

        Download

      • memory/3036-8-0x0000000002A40000-0x0000000002B25000-memory.dmp

        Filesize

        916KB

        Download

      • memory/3036-22-0x0000000002A40000-0x0000000002B25000-memory.dmp

        Filesize

        916KB

        Download