Overview

overview

10

Static

static

10

24a695bd98...18.exe

windows7-x64

10

24a695bd98...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-07-2024 04:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe

  • Size

    651KB

  • MD5

    24a695bd98fe12ff40dfea58fa37a87e

  • SHA1

    a6f2d32c7e0dca5cf6f116e4805b093e3c672256

  • SHA256

    7044ddd8b6a0a4dd7edd7989da538ed017522e3665ce3d0eaef606123a922f50

  • SHA512

    0318fae3986389a91edfb4ae11509178993f4d3f0a588a9c369be1432a091c6c8d5abf697353dedf79d2c2dd4be08f20751c1fe5b6a56dcfa100e9e0d552ed23

  • SSDEEP

    12288:Lk0QVlhmPojAPTMEsUTg0oChO/Q2JbsbjPbN5qhRTtYe3f+Iw86k/9/+y:g0QRWoJEfg0oChGdJQbjPbNW5tYeP+GX

Score
10/10
darkcometguest16persistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

mnanauk-dz.no-ip.biz:1604

Mutex

DC_MUTEX-EB46CLG

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    rpfQbN9b66NT

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Windows\MSDCSC\msdcsc.exe
      "C:\Windows\MSDCSC\msdcsc.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3428
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        3⤵
          PID:2268
        • C:\Windows\explorer.exe
          "C:\Windows\explorer.exe"
          3⤵
            PID:1484
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2736,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=3104 /prefetch:8
        1⤵
          PID:3424

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Privilege Escalation

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Defense Evasion

        Modify Registry

        2
        T1112

        Credential Access

        Discovery

        Query Registry

        1
        T1012

        System Information Discovery

        2
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\MSDCSC\msdcsc.exe
          Filesize

          651KB

          MD5

          24a695bd98fe12ff40dfea58fa37a87e

          SHA1

          a6f2d32c7e0dca5cf6f116e4805b093e3c672256

          SHA256

          7044ddd8b6a0a4dd7edd7989da538ed017522e3665ce3d0eaef606123a922f50

          SHA512

          0318fae3986389a91edfb4ae11509178993f4d3f0a588a9c369be1432a091c6c8d5abf697353dedf79d2c2dd4be08f20751c1fe5b6a56dcfa100e9e0d552ed23

          Download Submit
        • memory/2180-0-0x0000000002260000-0x0000000002261000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2180-13-0x0000000000400000-0x00000000004B0000-memory.dmp
          Filesize

          704KB

          Download
        • memory/3428-19-0x0000000000400000-0x00000000004B0000-memory.dmp
          Filesize

          704KB

          Download
        • memory/3428-21-0x0000000000400000-0x00000000004B0000-memory.dmp
          Filesize

          704KB

          Download
        • memory/3428-16-0x0000000000400000-0x00000000004B0000-memory.dmp
          Filesize

          704KB

          Download
        • memory/3428-17-0x0000000000400000-0x00000000004B0000-memory.dmp
          Filesize

          704KB

          Download
        • memory/3428-18-0x0000000000400000-0x00000000004B0000-memory.dmp
          Filesize

          704KB

          Download
        • memory/3428-14-0x00000000022D0000-0x00000000022D1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3428-20-0x0000000000400000-0x00000000004B0000-memory.dmp
          Filesize

          704KB

          Download
        • memory/3428-15-0x0000000000400000-0x00000000004B0000-memory.dmp
          Filesize

          704KB

          Download
        • memory/3428-22-0x0000000000400000-0x00000000004B0000-memory.dmp
          Filesize

          704KB

          Download
        • memory/3428-23-0x0000000000400000-0x00000000004B0000-memory.dmp
          Filesize

          704KB

          Download
        • memory/3428-24-0x0000000000400000-0x00000000004B0000-memory.dmp
          Filesize

          704KB

          Download
        • memory/3428-25-0x0000000000400000-0x00000000004B0000-memory.dmp
          Filesize

          704KB

          Download
        • memory/3428-26-0x0000000000400000-0x00000000004B0000-memory.dmp
          Filesize

          704KB

          Download
        • memory/3428-27-0x0000000000400000-0x00000000004B0000-memory.dmp
          Filesize

          704KB

          Download
        • memory/3428-28-0x0000000000400000-0x00000000004B0000-memory.dmp
          Filesize

          704KB

          Download