Overview

overview

10

Static

static

3

1eb4f63681...18.exe

windows7-x64

10

1eb4f63681...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-07-2024 08:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1eb4f6368114de35712e3877a11244a1_JaffaCakes118.exe

  • Size

    297KB

  • MD5

    1eb4f6368114de35712e3877a11244a1

  • SHA1

    fd3b3d3c5b2e0f4a581d816779be8a39de77c41a

  • SHA256

    07369156178ba6f590d73e7bf4b65e905a982fc5e71cb4c58d2f3ca4f75e4748

  • SHA512

    be8b84d63f44201e36b9a61e660adb7cdede8a8be57c8e44896aa69707d16fbfe36b82f8730232fecce75b27fdf5ddcfe5723a4b7c57a49d3f096e0ba08fb7cd

  • SSDEEP

    6144:cympJy59MG872XFaVTvo09tRN6uLWidOEtO2Asc7o9zzKMDVQ1:FOPGYc2U0XRN6gWh8O2h/9zzKMDVQ1

Score
10/10
darkcometgagzeevasionpersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Gagze

C2

abdodo.no-ip.org:100

Mutex

DC_MUTEX-V6608W1

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    G31Xw9jA2Vip

  • install

    true

  • offline_keylogger

    true

  • password

    123456789

  • persistence

    true

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\1eb4f6368114de35712e3877a11244a1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1eb4f6368114de35712e3877a11244a1_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4420
    • C:\Users\Admin\AppData\Local\Temp\1eb4f6368114de35712e3877a11244a1_JaffaCakes118.exe
      2⤵
      • Modifies WinLogon for persistence
      • Checks computer location settings
      • Adds Run key to start application
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3480
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1604
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:4008
      • C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        "C:\Windows\system32\MSDCSC\msdcsc.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3700
        • C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
          4⤵
          • Modifies security service
          • Windows security bypass
          • Executes dropped EXE
          • Windows security modification
          • Adds Run key to start application
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3076
          • C:\Windows\SysWOW64\notepad.exe
            notepad
            5⤵
              PID:1016

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Privilege Escalation

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Defense Evasion

    Modify Registry

    5
    T1112

    Impair Defenses

    2
    T1562

    Disable or Modify Tools

    2
    T1562.001

    Hide Artifacts

    2
    T1564

    Hidden Files and Directories

    2
    T1564.001

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
      Filesize

      297KB

      MD5

      1eb4f6368114de35712e3877a11244a1

      SHA1

      fd3b3d3c5b2e0f4a581d816779be8a39de77c41a

      SHA256

      07369156178ba6f590d73e7bf4b65e905a982fc5e71cb4c58d2f3ca4f75e4748

      SHA512

      be8b84d63f44201e36b9a61e660adb7cdede8a8be57c8e44896aa69707d16fbfe36b82f8730232fecce75b27fdf5ddcfe5723a4b7c57a49d3f096e0ba08fb7cd

      Download Submit
    • memory/1016-88-0x0000000000B10000-0x0000000000B11000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3076-97-0x0000000000400000-0x00000000004B4000-memory.dmp
      Filesize

      720KB

      Download
    • memory/3076-94-0x0000000000400000-0x00000000004B4000-memory.dmp
      Filesize

      720KB

      Download
    • memory/3076-89-0x0000000000400000-0x00000000004B4000-memory.dmp
      Filesize

      720KB

      Download
    • memory/3076-100-0x0000000000400000-0x00000000004B4000-memory.dmp
      Filesize

      720KB

      Download
    • memory/3076-105-0x0000000000400000-0x00000000004B4000-memory.dmp
      Filesize

      720KB

      Download
    • memory/3076-99-0x0000000000400000-0x00000000004B4000-memory.dmp
      Filesize

      720KB

      Download
    • memory/3076-90-0x0000000000400000-0x00000000004B4000-memory.dmp
      Filesize

      720KB

      Download
    • memory/3076-98-0x0000000000400000-0x00000000004B4000-memory.dmp
      Filesize

      720KB

      Download
    • memory/3076-102-0x0000000000400000-0x00000000004B4000-memory.dmp
      Filesize

      720KB

      Download
    • memory/3076-81-0x0000000000400000-0x00000000004B4000-memory.dmp
      Filesize

      720KB

      Download
    • memory/3076-82-0x0000000000400000-0x00000000004B4000-memory.dmp
      Filesize

      720KB

      Download
    • memory/3076-103-0x0000000000400000-0x00000000004B4000-memory.dmp
      Filesize

      720KB

      Download
    • memory/3076-87-0x0000000000400000-0x00000000004B4000-memory.dmp
      Filesize

      720KB

      Download
    • memory/3076-86-0x0000000000400000-0x00000000004B4000-memory.dmp
      Filesize

      720KB

      Download
    • memory/3076-106-0x0000000000400000-0x00000000004B4000-memory.dmp
      Filesize

      720KB

      Download
    • memory/3076-104-0x0000000000400000-0x00000000004B4000-memory.dmp
      Filesize

      720KB

      Download
    • memory/3076-96-0x0000000000400000-0x00000000004B4000-memory.dmp
      Filesize

      720KB

      Download
    • memory/3076-95-0x0000000000400000-0x00000000004B4000-memory.dmp
      Filesize

      720KB

      Download
    • memory/3076-93-0x0000000000400000-0x00000000004B4000-memory.dmp
      Filesize

      720KB

      Download
    • memory/3076-101-0x0000000000400000-0x00000000004B4000-memory.dmp
      Filesize

      720KB

      Download
    • memory/3480-91-0x0000000000400000-0x00000000004B4000-memory.dmp
      Filesize

      720KB

      Download
    • memory/3480-15-0x0000000000400000-0x00000000004B4000-memory.dmp
      Filesize

      720KB

      Download
    • memory/3480-6-0x0000000000400000-0x00000000004B4000-memory.dmp
      Filesize

      720KB

      Download
    • memory/3480-4-0x0000000000400000-0x00000000004B4000-memory.dmp
      Filesize

      720KB

      Download
    • memory/3480-9-0x0000000000400000-0x00000000004B4000-memory.dmp
      Filesize

      720KB

      Download
    • memory/3480-10-0x0000000000400000-0x00000000004B4000-memory.dmp
      Filesize

      720KB

      Download
    • memory/3700-74-0x0000000000400000-0x0000000000517000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/3700-85-0x0000000000400000-0x0000000000517000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/4420-1-0x00000000001C0000-0x00000000001C3000-memory.dmp
      Filesize

      12KB

      Download
    • memory/4420-0-0x0000000000400000-0x0000000000517000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/4420-11-0x0000000000400000-0x0000000000517000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/4420-8-0x00000000001C0000-0x00000000001C3000-memory.dmp
      Filesize

      12KB

      Download