2* ID: 5008
3* MalFamily: "Darkcomet"
5* MalScore: 10.0
7* File Name: "Exes_5af20697de884de920959c39da07d4bb.exe"
8* File Size: 1571840
9* File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
10* SHA256: "e23707d9b397a9387cff793cb8345f17a2ac132ed14b4c05debf44f09c02252e"
11* MD5: "5af20697de884de920959c39da07d4bb"
12* SHA1: "32ea6efed71548800068b1065631c544f46300fa"
13* SHA512: "969ac5c2e1acd05a02f6d06becc41b367dc01fcfc3c0aafdf02c88e659fbc33d4d9ea4ce378a272f4f425c11edf34a200107dbfd07713be15d539a9c789a8562"
14* CRC32: "ADFBE998"
15* SSDEEP: "24576:qtb20pkaCqT5TBWgNQ7ajv4oHbEOwyLz00GTTo2gMqVpIfMuMc8Sq0rAz6A:XVg5tQ7ajnHbEOL0JTTfNQ+0FSE5"
17* Process Execution:
18 "sMjel.exe",
19 "cmd.exe",
20 "w0Fg.exe",
21 "iexplore.exe",
22 "iexplore.exe",
23 "iexplore.exe",
24 "cmd.exe",
25 "6L01.exe",
26 "javaupdate.exe",
27 "svchost.exe",
28 "EXCEL.EXE",
29 "WmiPrvSE.exe",
30 "WMIADAP.exe"
33* Executed Commands:
34 "C:\\Windows\\system32\\cmd.exe /C C:\\Users\\user\\AppData\\Roaming\\w0Fg.exe",
35 "C:\\Windows\\system32\\cmd.exe /C C:\\Users\\user\\AppData\\Roaming\\6L01.exe",
36 "\"C:\\Program Files (x86)\\Microsoft Office\\Office15\\EXCEL.EXE\" /automation -Embedding",
37 "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
38 "C:\\Users\\user\\AppData\\Roaming\\w0Fg.exe",
39 "C:\\Users\\user\\AppData\\Roaming\\6L01.exe",
40 "\"C:\\Windows\\system32\\OracleJava\\javaupdate.exe\"",
41 "C:\\Windows\\System32\\OracleJava\\javaupdate.exe "
44* Signatures Detected:
46 "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
47 "Details":
50 "Description": "Attempts to connect to a dead IP:Port (1 unique times)",
51 "Details":
53 "IP_ioc": "193.84.64.159:1604 (Romania)"
58 "Description": "Executed a command line with /C or /R argument to terminate command shell on completion which can be used to hide execution",
59 "Details":
61 "command": "C:\\Windows\\system32\\cmd.exe /C C:\\Users\\user\\AppData\\Roaming\\w0Fg.exe"
64 "command": "C:\\Windows\\system32\\cmd.exe /C C:\\Users\\user\\AppData\\Roaming\\6L01.exe"
69 "Description": "Possible date expiration check, exits too soon after checking local time",
70 "Details":
72 "process": "w0Fg.exe, PID 2032"
77 "Description": "Performs HTTP requests potentially not found in PCAP.",
78 "Details":
80 "url_ioc": "fyzee.top:80//exes/header.php"
83 "url_ioc": "fyzee.top:80//exes/header.php"
86 "url_ioc": "fyzee.top:80//exes/header.php"
91 "Description": "Expresses interest in specific running processes",
92 "Details":
94 "process": "javaupdate.exe"
97 "process": "armsvc.exe"
100 "process": "sppsvc.exe"
105 "Description": "The binary likely contains encrypted or compressed data.",
106 "Details":
108 "section": "name: .rsrc, entropy: 7.97, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x000b6c00, virtual_size: 0x000b6b74"
113 "Description": "Uses Windows utilities for basic functionality",
114 "Details":
116 "command": "C:\\Windows\\system32\\cmd.exe /C C:\\Users\\user\\AppData\\Roaming\\w0Fg.exe"
119 "command": "C:\\Windows\\system32\\cmd.exe /C C:\\Users\\user\\AppData\\Roaming\\6L01.exe"
124 "Description": "Sniffs keystrokes",
125 "Details":
127 "SetWindowsHookExA": "Process: javaupdate.exe(3036)"
132 "Description": "Behavioural detection: Injection (inter-process)",
133 "Details":
136 "Description": "Behavioural detection: Injection with CreateRemoteThread in a remote process",
137 "Details":
140 "Description": "A potential decoy document was displayed to the user",
141 "Details":
143 "Decoy Document": "\"c:\\program files (x86)\\microsoft office\\office15\\excel.exe\" /automation -embedding"
148 "Description": "Installs itself for autorun at Windows startup",
149 "Details":
151 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\DarkComet RAT"
154 "data": "C:\\Windows\\system32\\OracleJava\\javaupdate.exe"
157 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5d2ce34a-15dd-4a44-a1b7-f1823107f48e"
160 "data": "C:\\Users\\user\\AppData\\Roaming\\qqipk\\qqipk.exe"
163 "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\5d2ce34a-15dd-4a44-a1b7-f1823107f48e"
166 "data": "C:\\Users\\user\\AppData\\Roaming\\qqipk\\qqipk.exe"
169 "key": "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\5d2ce34a-15dd-4a44-a1b7-f1823107f48e"
172 "data": "C:\\Users\\user\\AppData\\Roaming\\qqipk\\qqipk.exe"
175 "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\UserInit"
178 "data": "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\OracleJava\\javaupdate.exe"
183 "Description": "Stack pivoting was detected when using a critical API",
184 "Details":
186 "process": "iexplore.exe:2900"
191 "Description": "CAPE detected the DarkComet malware family",
192 "Details":
195 "Description": "File has been identified by 47 Antiviruses on VirusTotal as malicious",
196 "Details":
198 "MicroWorld-eScan": "Trojan.Generic.15301154"
201 "CAT-QuickHeal": "TrojanPWS.Dexter"
204 "McAfee": "Artemis!5AF20697DE88"
207 "Cylance": "Unsafe"
210 "K7GW": "Trojan ( 004c3d061 )"
213 "K7AntiVirus": "Trojan ( 004c3d061 )"
216 "Arcabit": "Trojan.Generic.DE97A22"
219 "Invincea": "heuristic"
222 "Baidu": "Win32.Trojan.WisdomEyes.16070401.9500.9840"
225 "NANO-Antivirus": "Trojan.Win32.Androm.engksd"
228 "Cyren": "W32/Trojan.AGYS-7606"
231 "Symantec": "ML.Attribute.HighConfidence"
234 "TrendMicro-HouseCall": "TROJ_GEN.R002H0CGN18"
237 "Avast": "Win32:Malware-gen"
240 "Kaspersky": "Backdoor.Win32.Androm.mvww"
243 "BitDefender": "Trojan.Generic.15301154"
246 "Paloalto": "generic.ml"
249 "AegisLab": "Trojan.Win32.Androm.m!c"
252 "Ad-Aware": "Trojan.Generic.15301154"
255 "Emsisoft": "Trojan.Generic.15301154 (B)"
258 "Comodo": ".UnclassifiedMalware"
261 "F-Secure": "Trojan.Generic.15301154"
264 "VIPRE": "Trojan.Win32.Generic!BT"
267 "McAfee-GW-Edition": "BehavesLike.Win32.Generic.tc"
270 "Sophos": "Mal/Generic-S"
273 "SentinelOne": "static engine - malicious"
276 "Webroot": "Trojan.Dropper.Gen"
279 "Avira": "DR/AutoIt.Gen"
282 "Antiy-AVL": "Trojan/Generic.ASVCS3S.1E5"
285 "Microsoft": "PWS:Win32/Dexter.A"
288 "Endgame": "malicious (moderate confidence)"
291 "ZoneAlarm": "Backdoor.Win32.Androm.mvww"
294 "GData": "Trojan.Generic.15301154"
297 "AhnLab-V3": "Malware/Win32.Generic.C1901186"
300 "ALYac": "Trojan.Generic.15301154"
303 "AVware": "Trojan.Win32.Generic!BT"
306 "MAX": "malware (ai score=99)"
309 "VBA32": "Trojan.Autoit.Injcrypt"
312 "ESET-NOD32": "Win32/TrojanDropper.Autoit.JO"
315 "Tencent": "Win32.Backdoor.Androm.Tafi"
318 "Ikarus": "Trojan-Dropper.Win32.Autoit"
321 "Fortinet": "W32/AutoIt.JO!tr"
324 "AVG": "Win32:Malware-gen"
327 "Cybereason": "malicious.7de884"
330 "Panda": "Trj/CI.A"
333 "CrowdStrike": "malicious_confidence_100% (D)"
336 "Qihoo-360": "HEUR/QVM10.1.Malware.Gen"
341 "Description": "Attempts to modify browser security settings",
342 "Details":
345 "Description": "Clamav Hits in Target/Dropped/SuriExtracted",
346 "Details":
348 "dropped": "clamav:Win.Trojan.DarkKomet-1, sha256:0a927d02404630982f7b797dd08657034f80ea8619519726b2cb53c9172af2a3 , guest_paths:C:\\Users\\user\\AppData\\Roaming\\6L01.cod*C:\\Users\\user\\AppData\\Roaming\\6L01.exe*C:\\Windows\\System32\\OracleJava\\javaupdate.exe, type:PE32 executable (GUI) Intel 80386, for MS Windows"
353 "Description": "Interacts with known DarkComet registry keys",
354 "Details":
356 "Key": "HKEY_CURRENT_USER\\Software\\DC3_FEXEC"
359 "Key": "HKEY_CURRENT_USER\\Software\\DC3_FEXEC\\3d3783a0-703a-11de-8c7a-806e6f6e6963-3250959951"
362 "Key": "HKEY_CURRENT_USER\\Software\\DC2_USERS"
367 "Description": "Drops a binary and executes it",
368 "Details":
370 "binary": "C:\\Users\\user\\AppData\\Roaming\\6L01.exe"
373 "binary": "C:\\Users\\user\\AppData\\Roaming\\w0Fg.exe"
378 "Description": "Created network traffic indicative of malicious activity",
379 "Details":
381 "signature": "ET DNS Query to a *.top domain - Likely Hostile"
387* Started Service:
389* Mutexes:
390 "Local\\10MU_ACBPIDS_S-1-5-5-0-108179",
391 "Local\\10MU_ACB10_S-1-5-5-0-108179",
392 "Global\\552FFA80-3393-423d-8671-7BA046BB5906",
393 "CicLoadWinStaWinSta0",
394 "Local\\MSCTF.CtfMonitorInstMutexDefault1",
395 "Global\\MsoShellExtRegAccess_S-1-5-21-0000000000-0000000000-0000000000-1000",
396 "WindowsRemoteResilienceJavaOracleServiceMutex",
397 "DCMIN_MUTEX-SZWH1ZD",
398 "Global\\ADAP_WMI_ENTRY",
399 "Global\\RefreshRA_Mutex",
400 "Global\\RefreshRA_Mutex_Lib",
401 "Global\\RefreshRA_Mutex_Flag"
404* Modified Files:
405 "C:\\Users\\user\\AppData\\Local\\Temp\\autC814.tmp",
406 "C:\\Users\\user\\AppData\\Roaming\\w0Fg.mpeg",
407 "C:\\Users\\user\\AppData\\Local\\Temp\\autC854.tmp",
408 "C:\\Users\\user\\AppData\\Roaming\\6L01.ze",
409 "C:\\Users\\user\\AppData\\Roaming\\w0Fg.jpg",
410 "C:\\Users\\user\\AppData\\Roaming\\6L01.cod",
411 "C:\\Users\\user\\AppData\\Roaming\\w0Fg.exe",
412 "C:\\Users\\user\\AppData\\Roaming\\6L01.exe",
413 "C:\\Users\\user\\AppData\\Local\\Temp\\CVRAFE9.tmp.cvr",
414 "C:\\Windows\\System32\\OracleJava\\javaupdate.exe",
415 "C:\\Users\\user\\AppData\\Roaming\\qqipk\\qqipk.exe",
416 "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM"
419* Deleted Files:
420 "C:\\Users\\user\\AppData\\Local\\Temp\\autC814.tmp",
421 "C:\\Users\\user\\AppData\\Local\\Temp\\autC854.tmp",
422 "C:\\Users\\user\\AppData\\Roaming\\w0Fg.jpg",
423 "C:\\Users\\user\\AppData\\Roaming\\6L01.cod",
424 "C:\\Users\\user\\AppData\\Roaming\\w0Fg.mpeg",
425 "C:\\Users\\user\\AppData\\Roaming\\6L01.ze",
426 "C:\\Users\\user\\AppData\\Local\\Temp\\CVRAFE9.tmp",
427 "C:\\Users\\user\\AppData\\Local\\Temp\\CVRAFE9.tmp.cvr",
428 "C:\\Users\\user\\AppData\\Roaming\\w0Fg.exe"
431* Modified Registry Keys:
432 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\S-1-5-18\\Products\\00005119110000000000000000F01FEC\\Usage\\EXCELFiles",
433 "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Excel\\Resiliency\\StartupItems",
434 "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Excel\\Resiliency\\StartupItems\\y-z",
435 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\S-1-5-18\\Products\\00005119110000000000000000F01FEC\\Usage\\ProductFiles",
436 "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LanguageResources\\EnabledLanguages\\1033",
437 "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Migration\\Excel",
438 "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Excel\\MTTT",
439 "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Feedback\\AppUsageData_2",
440 "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Excel\\FontInfoCache",
441 "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Excel\\Options",
442 "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Excel\\Options\\Options5",
443 "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Excel\\Options\\OptionFormat",
444 "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Excel\\Options\\Pos",
445 "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Excel\\MTTF",
446 "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Excel\\MTTA",
447 "HKEY_CURRENT_USER\\Software\\DC3_FEXEC",
448 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\DarkComet RAT",
449 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\UserInit",
450 "HKEY_CURRENT_USER\\Software\\Resilience Software",
451 "HKEY_CURRENT_USER\\Software\\Resilience Software\\Digit",
452 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\5d2ce34a-15dd-4a44-a1b7-f1823107f48e",
453 "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\5d2ce34a-15dd-4a44-a1b7-f1823107f48e",
454 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5d2ce34a-15dd-4a44-a1b7-f1823107f48e",
455 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Associations",
456 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Associations\\LowRiskFileTypes",
457 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0\\1806",
458 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0\\1806"
461* Deleted Registry Keys:
462 "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Excel\\Resiliency\\StartupItems\\y-z",
463 "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Excel\\MTTT"
466* DNS Communications:
468 "type": "A",
469 "request": "fyzee.top",
470 "answers":
474* Domains:
476 "ip": "",
477 "domain": "fyzee.top"
481* Network Communication - ICMP:
483* Network Communication - HTTP:
485* Network Communication - SMTP:
487* Network Communication - Hosts:
489 "country_name": "Romania",
490 "ip": "193.84.64.159",
491 "inaddrarpa": "",
492 "hostname": ""
496* Network Communication - IRC: