Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    01/01/2025, 22:23 UTC

General

  • Target

    JaffaCakes118_60ff825e3ff5052c835683f1fb29c120.exe

  • Size

    747KB

  • MD5

    60ff825e3ff5052c835683f1fb29c120

  • SHA1

    a9cfe3bf2cec17f9418796472f7df10c8e185bd9

  • SHA256

    2fb57730888928c519502ebd41cf6ea6397ddbf156e2e997046b6103666f9cab

  • SHA512

    0aa723755a46c73991222a6c30d566f2cbf5b803846741b8c03e638af77c9af62e08a000e6421ba2b48f97d2d66cee02cee6fa762d75b28e140f7ba3f2d18d3c

  • SSDEEP

    12288:AWK7oOJcwYaz1scSsuvKfKdEJuw/p4ot36uddMVL88Dp76c:6Fttz1sZspidZw/6wmV16

Malware Config

Extracted

Family

darkcomet

Botnet

slaves

C2

droplul.no-ip.biz:1604

Mutex

DC_MUTEX-0CW3JAL

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    zV0CJmM1DVd0

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Darkcomet family
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60ff825e3ff5052c835683f1fb29c120.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60ff825e3ff5052c835683f1fb29c120.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1240
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60ff825e3ff5052c835683f1fb29c120.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60ff825e3ff5052c835683f1fb29c120.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2752
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60ff825e3ff5052c835683f1fb29c120.exe" +s +h
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2644
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60ff825e3ff5052c835683f1fb29c120.exe" +s +h
          4⤵
          • Sets file to hidden
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1216
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2708
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          4⤵
          • Sets file to hidden
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1256
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2608
      • C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
        "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2496
        • C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
          "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
          4⤵
            PID:2484
      • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60ff825e3ff5052c835683f1fb29c120.exe
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60ff825e3ff5052c835683f1fb29c120.exe"
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1724
        • C:\Windows\SysWOW64\notepad.exe
          notepad
          3⤵
          • System Location Discovery: System Language Discovery
          PID:1504

    Network

    • DNS (US)
      droplul.no-ip.biz
      JaffaCakes118_60ff825e3ff5052c835683f1fb29c120.exe
      Remote address:
      8.8.8.8:53
      Request
      droplul.no-ip.biz
      IN A
      Response
    No results found
    • 8.8.8.8:53
      droplul.no-ip.biz
      dns
      JaffaCakes118_60ff825e3ff5052c835683f1fb29c120.exe
      63 B
      123 B
      1
      1

      DNS Request

      droplul.no-ip.biz

    MITRE ATT&CK Enterprise v15

    Downloads

    • \Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe

      Filesize

      747KB

      MD5

      60ff825e3ff5052c835683f1fb29c120

      SHA1

      a9cfe3bf2cec17f9418796472f7df10c8e185bd9

      SHA256

      2fb57730888928c519502ebd41cf6ea6397ddbf156e2e997046b6103666f9cab

      SHA512

      0aa723755a46c73991222a6c30d566f2cbf5b803846741b8c03e638af77c9af62e08a000e6421ba2b48f97d2d66cee02cee6fa762d75b28e140f7ba3f2d18d3c

    • memory/1724-74-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

    • memory/1724-75-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

    • memory/1724-72-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

    • memory/1724-69-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/2608-42-0x0000000000190000-0x0000000000191000-memory.dmp

      Filesize

      4KB

    • memory/2608-25-0x0000000000080000-0x0000000000081000-memory.dmp

      Filesize

      4KB

    • memory/2752-21-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

    • memory/2752-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/2752-11-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

    • memory/2752-9-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

    • memory/2752-19-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

    • memory/2752-3-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

    • memory/2752-20-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

    • memory/2752-15-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

    • memory/2752-18-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

    • memory/2752-1-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

    • memory/2752-51-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

    • memory/2752-22-0x0000000000210000-0x0000000000211000-memory.dmp

      Filesize

      4KB

    • memory/2752-13-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

    • memory/2752-7-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

    • memory/2752-5-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB
