Overview

overview

10

Static

static

3

1a43210f40...18.exe

windows7-x64

10

1a43210f40...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-06-2024 13:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1a43210f401834932b515731deb398f9_JaffaCakes118.exe

  • Size

    1.1MB

  • MD5

    1a43210f401834932b515731deb398f9

  • SHA1

    22820a8fefa82a6a52004522027067c5a98457f7

  • SHA256

    f76c7db479887e9ed2185329fa5724f1dad254c88d3553f413dba0d2a920ad3c

  • SHA512

    9b6db7e0102d1aa526ab375edcdab0e4348f664e268b522f7d928ac70d1593e25784ea3dbfaeb08b893e7142657f29eaa6baa4980125cf08d20d0da4e8b4dbb1

  • SSDEEP

    24576:UgjUgmqZ5n6tkjR26s2ZKTWm9cwfThY5HW5F2vvRef1taxih1oQ:ljU1q6ta2IWWmuMTeHW74vRm6Q

Score
10/10
darkcometpersistencerattrojan

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1a43210f401834932b515731deb398f9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1a43210f401834932b515731deb398f9_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4884
    • C:\Users\Admin\AppData\Local\Temp\675.exe
      C:\Users\Admin\AppData\Local\Temp\675.exe
      2⤵
      • Modifies WinLogon for persistence
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4872
      • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4788
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          4⤵
            PID:3408
          • C:\Windows\explorer.exe
            "C:\Windows\explorer.exe"
            4⤵
              PID:900

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Privilege Escalation

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\675.exe
        Filesize

        848KB

        MD5

        c3117f0ae622f67dc68c178ae1663a8c

        SHA1

        7160e08fca4f08d426437589bc9ce571a575606b

        SHA256

        3e47503c31311544f1a78a19bae880909138eea6459a40532674bde19130c448

        SHA512

        2c32cfd7b4a7b2a3c525501bac302eab3b449a46c38b4dd658fb8281efbc8222fc8691911860a0a54cabbedb20f0ea027e6452d26ea6c5dc5ad9c720f2b9183c

        Download Submit
      • memory/4788-35-0x0000000000400000-0x00000000004E2000-memory.dmp
        Filesize

        904KB

        Download
      • memory/4788-34-0x0000000000400000-0x00000000004E2000-memory.dmp
        Filesize

        904KB

        Download
      • memory/4788-28-0x0000000000400000-0x00000000004E2000-memory.dmp
        Filesize

        904KB

        Download
      • memory/4788-40-0x0000000000400000-0x00000000004E2000-memory.dmp
        Filesize

        904KB

        Download
      • memory/4788-29-0x0000000000400000-0x00000000004E2000-memory.dmp
        Filesize

        904KB

        Download
      • memory/4788-38-0x0000000000400000-0x00000000004E2000-memory.dmp
        Filesize

        904KB

        Download
      • memory/4788-37-0x0000000000400000-0x00000000004E2000-memory.dmp
        Filesize

        904KB

        Download
      • memory/4788-36-0x0000000000400000-0x00000000004E2000-memory.dmp
        Filesize

        904KB

        Download
      • memory/4788-33-0x0000000000400000-0x00000000004E2000-memory.dmp
        Filesize

        904KB

        Download
      • memory/4788-27-0x00000000021B0000-0x00000000021B1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4788-41-0x0000000000400000-0x00000000004E2000-memory.dmp
        Filesize

        904KB

        Download
      • memory/4788-39-0x0000000000400000-0x00000000004E2000-memory.dmp
        Filesize

        904KB

        Download
      • memory/4788-32-0x0000000000400000-0x00000000004E2000-memory.dmp
        Filesize

        904KB

        Download
      • memory/4788-31-0x0000000000400000-0x00000000004E2000-memory.dmp
        Filesize

        904KB

        Download
      • memory/4788-30-0x0000000000400000-0x00000000004E2000-memory.dmp
        Filesize

        904KB

        Download
      • memory/4872-26-0x0000000000400000-0x00000000004E2000-memory.dmp
        Filesize

        904KB

        Download
      • memory/4872-14-0x00000000022E0000-0x00000000022E1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4884-2-0x000000001B7C0000-0x000000001BC8E000-memory.dmp
        Filesize

        4.8MB

        Download
      • memory/4884-0-0x00007FFAC12F5000-0x00007FFAC12F6000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4884-13-0x00007FFAC1040000-0x00007FFAC19E1000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/4884-15-0x00007FFAC1040000-0x00007FFAC19E1000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/4884-1-0x00007FFAC1040000-0x00007FFAC19E1000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/4884-4-0x000000001B1E0000-0x000000001B286000-memory.dmp
        Filesize

        664KB

        Download
      • memory/4884-3-0x000000001BC90000-0x000000001BECE000-memory.dmp
        Filesize

        2.2MB

        Download