Overview

overview

10

Static

static

10

JaffaCakes...24.exe

windows7-x64

10

JaffaCakes...24.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-01-2025 00:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_61a85259801468a7e86d8a969775e624.exe

  • Size

    678KB

  • MD5

    61a85259801468a7e86d8a969775e624

  • SHA1

    ec7ac1ac05f91093140967692d845f6aabafa660

  • SHA256

    5e34a191bcc951ec9c9e4eea6a09f5202b136b574a1a04fd9d323484257547f0

  • SHA512

    88b3baca3fbf601ebbc33b515ba0bf057cebc393e27c7fa043a157784003ea9e75252560127f2221bc516a5335b9f39e77016f7a3dddaeca4b24b886080d1dc9

  • SSDEEP

    12288:g8UaT9XY2siA0bMG09xD7I3Gg8ecgVvfBoCDBOQQYbVXpuy1f/gORixyl:ZUKoN0bUxgGa/pfBHDb+y1HgZ

Score
10/10
darkcometdiscoverypersistencerattrojan

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Darkcomet family
    darkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_61a85259801468a7e86d8a969775e624.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_61a85259801468a7e86d8a969775e624.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_61a85259801468a7e86d8a969775e624.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:2096
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 4
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3348
    • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3588
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2724

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    Filesize

    678KB

    MD5

    61a85259801468a7e86d8a969775e624

    SHA1

    ec7ac1ac05f91093140967692d845f6aabafa660

    SHA256

    5e34a191bcc951ec9c9e4eea6a09f5202b136b574a1a04fd9d323484257547f0

    SHA512

    88b3baca3fbf601ebbc33b515ba0bf057cebc393e27c7fa043a157784003ea9e75252560127f2221bc516a5335b9f39e77016f7a3dddaeca4b24b886080d1dc9

    Download Submit

  • memory/1684-0-0x00000000007D0000-0x00000000007D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1684-13-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2724-15-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/3588-16-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/3588-14-0x0000000002250000-0x0000000002251000-memory.dmp

    Filesize

    4KB

    Download