Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
28-06-2024 02:25
General
-
Target
18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe
-
Size
380KB
-
MD5
18737b20ca2a0bcf0232b95229848466
-
SHA1
8af1dfa28307544dd3fbd7124702d2586ebf4b3a
-
SHA256
e3a4af22b0ede7f828047006daea93264dbe240d4d7f6c64152a33610142f988
-
SHA512
3e265b2a600ed420fee6e0d10981c476cfa95339668db4471fa92b98990d61103ddc2ea0f53a7455b7131352a34e6f0520476b064423446d111d4a8d26eabf88
-
SSDEEP
6144:0JzXTQXmPq7hxcxEApZniZDnvN+2ekPam0V69RjSBBpQyKdU/wz/OGP5lDfpo:qMXmPq7heESUw2mxxBpUW/wz/OGPP6
Malware Config
Extracted
latentbot
darkbluecomet.zapto.org
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies firewall policy service 3 TTPs 3 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 1 IoCs
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
UPX packed file 29 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 37 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe" +s +h4⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h4⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windupdt\winupdate.exe"C:\Windupdt\winupdate.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windupdt\winupdate.exeC:\Windupdt\winupdate.exe4⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Users\Admin\AppData\Local\Temp\18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 54⤵
- Runs ping.exe
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4204,i,1305347165619645738,15927664461101562802,262144 --variations-seed-version --mojo-platform-channel-handle=4608 /prefetch:81⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windupdt\winupdate.exeFilesize
380KB
MD518737b20ca2a0bcf0232b95229848466
SHA18af1dfa28307544dd3fbd7124702d2586ebf4b3a
SHA256e3a4af22b0ede7f828047006daea93264dbe240d4d7f6c64152a33610142f988
SHA5123e265b2a600ed420fee6e0d10981c476cfa95339668db4471fa92b98990d61103ddc2ea0f53a7455b7131352a34e6f0520476b064423446d111d4a8d26eabf88
-
memory/4144-3-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/4144-2-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/4144-4-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/4144-5-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/4144-6-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/4144-10-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/4144-68-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/5016-81-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/5016-86-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/5016-80-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/5016-79-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/5016-78-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/5016-77-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/5016-76-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/5016-82-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/5016-83-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/5016-84-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/5016-85-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/5016-75-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/5016-87-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/5016-88-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/5016-89-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/5016-90-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/5016-91-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/5016-92-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/5016-93-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/5016-94-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/5016-95-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/5016-96-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB