Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
01-07-2024 13:24
General
-
Target
1b7680e1fc999d748b468ce218fe0473_JaffaCakes118.exe
-
Size
896KB
-
MD5
1b7680e1fc999d748b468ce218fe0473
-
SHA1
08f4dfa1068b2f546b8131d483b7c4553349e897
-
SHA256
da204cf93005c61a0fc0cc4ece8c9b9bf7b63198af29cdeeb3ac190f59d39195
-
SHA512
59b3fbfcc38d590b6c26b5c9b555c36b15d0573000fbdd8cc5ffd257a181e46505b262469fd42006b857d82701b0f4ced4a6d63069a4692065704938c665b9b3
-
SSDEEP
12288:OHZEOCafvtr2AIFKGg3s9CibaPKiCR8APGpYqckJPArSWPGX76ax+G+1km3CekJB:sZEOCadKdQTAjb276ugBOISm7D2orK
Malware Config
Extracted
darkcomet
ãäÊÏì
nnns.zapto.org:4433
DC_MUTEX-HTT3CAX
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
BkangWFkKcGv
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1b7680e1fc999d748b468ce218fe0473_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1b7680e1fc999d748b468ce218fe0473_JaffaCakes118.exe"1⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\notepad.exenotepad3⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\Documents\MSDCSC\msdcsc.exeFilesize
658KB
MD53f8ff69725b60d0f4d376e9bc747d488
SHA1b9450e6b3b48971a809ef83b883ee2063bf75be3
SHA2561f9838094d5e0a10430266830c4b066a2ffaba9000b97d7ee87bfe4722866a22
SHA512015c9fec4b5669cbe77d9e0ad981b3885aaedaddffd2c39120e266f00cb97cb0f8a016def1e2831c35ea976a6e8b91cd924becf304f84627cb53b69bb6c53aac
-
memory/2304-33-0x0000000075100000-0x0000000075210000-memory.dmpFilesize
1.1MB
-
memory/2304-82-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2304-91-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2304-34-0x0000000075100000-0x0000000075210000-memory.dmpFilesize
1.1MB
-
memory/2304-90-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2304-89-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2304-88-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2304-87-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2304-86-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2304-21-0x00000000001B0000-0x00000000001B4000-memory.dmpFilesize
16KB
-
memory/2304-19-0x00000000001B0000-0x00000000001B4000-memory.dmpFilesize
16KB
-
memory/2304-27-0x0000000075100000-0x0000000075210000-memory.dmpFilesize
1.1MB
-
memory/2304-29-0x0000000075100000-0x0000000075210000-memory.dmpFilesize
1.1MB
-
memory/2304-28-0x0000000075100000-0x0000000075210000-memory.dmpFilesize
1.1MB
-
memory/2304-26-0x0000000075100000-0x0000000075210000-memory.dmpFilesize
1.1MB
-
memory/2304-25-0x0000000075100000-0x0000000075210000-memory.dmpFilesize
1.1MB
-
memory/2304-24-0x0000000075100000-0x0000000075210000-memory.dmpFilesize
1.1MB
-
memory/2304-30-0x0000000075100000-0x0000000075210000-memory.dmpFilesize
1.1MB
-
memory/2304-32-0x0000000075100000-0x0000000075210000-memory.dmpFilesize
1.1MB
-
memory/2304-85-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2304-84-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2304-83-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2304-81-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2304-80-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2304-78-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2304-79-0x0000000075100000-0x0000000075210000-memory.dmpFilesize
1.1MB
-
memory/2304-77-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2476-35-0x00000000000C0000-0x00000000000C1000-memory.dmpFilesize
4KB
-
memory/2476-73-0x00000000001B0000-0x00000000001B1000-memory.dmpFilesize
4KB
-
memory/2748-6-0x0000000075100000-0x0000000075210000-memory.dmpFilesize
1.1MB
-
memory/2748-3-0x00000000022C0000-0x00000000022D0000-memory.dmpFilesize
64KB
-
memory/2748-4-0x00000000775E0000-0x00000000775E1000-memory.dmpFilesize
4KB
-
memory/2748-76-0x0000000075100000-0x0000000075210000-memory.dmpFilesize
1.1MB
-
memory/2748-0-0x00000000002D0000-0x00000000002D1000-memory.dmpFilesize
4KB
-
memory/2748-8-0x0000000075100000-0x0000000075210000-memory.dmpFilesize
1.1MB
-
memory/2748-1-0x0000000000340000-0x0000000000392000-memory.dmpFilesize
328KB
-
memory/2748-74-0x0000000000400000-0x00000000004BF000-memory.dmpFilesize
764KB
-
memory/2748-7-0x0000000000400000-0x00000000004BF000-memory.dmpFilesize
764KB
-
memory/2748-75-0x0000000000340000-0x0000000000392000-memory.dmpFilesize
328KB
-
memory/2748-2-0x0000000002210000-0x0000000002220000-memory.dmpFilesize
64KB
-
memory/2748-5-0x0000000075111000-0x0000000075112000-memory.dmpFilesize
4KB