Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-01-2025 19:12

General

  • Target

    JaffaCakes118_678cce26caba12d63851afc55fdee867.exe

  • Size

    1.3MB

  • MD5

    678cce26caba12d63851afc55fdee867

  • SHA1

    296b3517e29afcaa35c19a26e62f206b56c18a05

  • SHA256

    3b14c3713630bed5f72738e402d82eba4d07f14bc14c0945c14b0424a4894560

  • SHA512

    4d2cfbbf3a7af785cb17ac38d8e416e4577574e8690bcbcf0c2001ce69bbe8f404300683e6f974c452e6b783b35ff1d1a14ab32c76308d0ceafbbc48f0298c15

  • SSDEEP

    24576:DZRRDQrveoR31b9lUjjEJCNEeSDDoyY3GsYe4qHasSMXLqT2KBFGKaDB3vQCGtUO:VRRMvFFxWIJOyDG3we4qrXLBKgB4aOl

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Darkcomet family
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Executes dropped EXE 9 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 14 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_678cce26caba12d63851afc55fdee867.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_678cce26caba12d63851afc55fdee867.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2140
    • \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2012.09.28T06.06\Virtual\STUBEXE\8.0.1112\@DESKTOP@\1.exe
      "C:\Users\Admin\Desktop\1.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2868
      • \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2012.09.28T06.06\Native\STUBEXE\8.0.1112\@SYSTEM@\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\Desktop\1.exe" +s +h
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2772
        • \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2012.09.28T06.06\Native\STUBEXE\8.0.1112\@SYSTEM@\attrib.exe
          attrib "C:\Users\Admin\Desktop\1.exe" +s +h
          4⤵
          • Sets file to hidden
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2996
      • \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2012.09.28T06.06\Native\STUBEXE\8.0.1112\@SYSTEM@\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\Desktop" +s +h
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2992
        • \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2012.09.28T06.06\Native\STUBEXE\8.0.1112\@SYSTEM@\attrib.exe
          attrib "C:\Users\Admin\Desktop" +s +h
          4⤵
          • Sets file to hidden
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:772
      • \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2012.09.28T06.06\Native\STUBEXE\8.0.1112\@SYSTEM@\notepad.exe
        notepad
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2436
      • \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2012.09.28T06.06\Native\STUBEXE\8.0.1112\@DOCUMENTS@\MSDCSC\msdcsc.exe
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        3⤵
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2964
        • \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2012.09.28T06.06\Native\STUBEXE\8.0.1112\@PROGRAMFILES@\Internet Explorer\iexplore.exe
          "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:848
        • C:\Windows\explorer.exe
          "C:\Windows\explorer.exe"
          4⤵
          PID:1716
          • \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2012.09.28T06.06\Native\STUBEXE\8.0.1112\@SYSTEM@\notepad.exe
            notepad
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:1644

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • \Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2012.09.28T06.06\Native\STUBEXE\8.0.1112\@PROGRAMFILES@\Internet Explorer\iexplore.exe

      Filesize

      17KB

      MD5

      991606ede8cb57c666ec847aa74a0ef7

      SHA1

      88eb5acca7f1c3fcaa0688a52e91a1c3ef4e17c0

      SHA256

      6e0007092cca15dfcee693b3c0e4f165a19caa1d95dd26fdf6c171b47e982f87

      SHA512

      63bf29756199a7095ad9533f03bc400b0dd63bde0d8c1cac78434ebf49b04ed95e37b2a06dbf841692313d80d0d3a4ab7ee8e3e1133bae6848761813ac1096af

    • \Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2012.09.28T06.06\Native\STUBEXE\8.0.1112\@SYSTEM@\attrib.exe

      Filesize

      17KB

      MD5

      17bdb0d40b76c272137d0a3283559a83

      SHA1

      40462e7a47f94c11c9ff7ae5bc826b48f95be57e

      SHA256

      21866c2264e2edd4458940b0bc3730568e9867b4ac2177b4e7c1ddf601b81f4b

      SHA512

      d7e43ddb689872288ed98486eebc01579459e4bd6c505d55b4bff1cbde534871f1dc538550be93ea97a1c76a6afabebdbad5a5d99867b284a164b48653f8e0cf

    • \Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2012.09.28T06.06\Native\STUBEXE\8.0.1112\@SYSTEM@\cmd.exe

      Filesize

      17KB

      MD5

      ae94a75a83cbe2307b932b3af492d5ce

      SHA1

      a5c3d44899c3d133815c1d74a0016190f5394999

      SHA256

      d111c6f792e77b3c81a1be1c3c95db71cd53bdd8fe5027cb8734f71315816407

      SHA512

      feabae30331f399767d5dfecca2a4d72cbae3f1dd234e18585ea12cde683fb169814627cd32b98ccfb8824ef33b34f121ecb4824715a12fef4719033d8ca969b

    • \Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2012.09.28T06.06\Native\STUBEXE\8.0.1112\@SYSTEM@\notepad.exe

      Filesize

      17KB

      MD5

      ff1483d8bb2144a0d88e9f768fc9e7ae

      SHA1

      0fdc73ea2206c46cde661dd94252073e742429b9

      SHA256

      f6da548fe834f1e1a8911f47f73d810405fb7f234ebdd48f6d8f52c8c0545442

      SHA512

      ea6e5e2b0afc4ad7b124e974bca697485ded076cd17a1e8f85b3348f389f84178557f8b66f08126ca9473cc9ad9c10fdf8d9c074eacc261ef7069c4262b3a3bc

    • \Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2012.09.28T06.06\Virtual\MODIFIED\@DESKTOP@\1.exe

      Filesize

      1.1MB

      MD5

      f454fed63833b22fa0127470df336ed7

      SHA1

      8aa2e7aa48633f146ccb8101ba4a330a7ee87df0

      SHA256

      4d0cf6fc01d8ed9a4c63b58005d93bbf05af139f3dffc99d026a512104ed2bed

      SHA512

      f417293bb30c2bf7b486ad1899808e76c466a40329916f0ac2a2dda312e0a082b833eb387e8ee8e146e892e532d84de8189bed1143ff7304bf6045e13732fa53

    • \Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2012.09.28T06.06\Virtual\STUBEXE\8.0.1112\@DESKTOP@\1.exe

      Filesize

      17KB

      MD5

      6bf33738ad08da0a90eb269d69fc5cf1

      SHA1

      30414feda7eabed7ec9990750ec8e82e11696a7b

      SHA256

      8de4559ded2cbda4f38783f882caf04c49d603d4bf87c8173287a9c638315432

      SHA512

      427f1969e9ec5907b9f6070e41a28e1b8f9d5d947f907835a53baeaf3d5e86a113f4b0bc5d06634282a71decc355b30608d96dad93cb60d701f9d49770aa787b

    • memory/2140-4-0x0000000010000000-0x0000000010037000-memory.dmp

      Filesize

      220KB

    • memory/2140-19-0x0000000000220000-0x0000000000292000-memory.dmp

      Filesize

      456KB

    • memory/2140-2-0x00000000002A0000-0x00000000002A1000-memory.dmp

      Filesize

      4KB

    • memory/2140-1-0x00000000775A0000-0x00000000775A1000-memory.dmp

      Filesize

      4KB

    • memory/2140-5-0x0000000010000000-0x0000000010037000-memory.dmp

      Filesize

      220KB

    • memory/2140-12-0x0000000003070000-0x00000000031ED000-memory.dmp

      Filesize

      1.5MB

    • memory/2140-195-0x0000000000220000-0x0000000000292000-memory.dmp

      Filesize

      456KB

    • memory/2140-0-0x0000000000220000-0x0000000000292000-memory.dmp

      Filesize

      456KB

    • memory/2140-18-0x0000000003070000-0x00000000031ED000-memory.dmp

      Filesize

      1.5MB

    • memory/2140-3-0x0000000010000000-0x0000000010037000-memory.dmp

      Filesize

      220KB

    • memory/2140-8-0x0000000000220000-0x0000000000292000-memory.dmp

      Filesize

      456KB

    • memory/2140-7-0x0000000010000000-0x0000000010037000-memory.dmp

      Filesize

      220KB

    • memory/2140-6-0x0000000010000000-0x0000000010037000-memory.dmp

      Filesize

      220KB

    • memory/2436-55-0x00000000000F0000-0x00000000000F1000-memory.dmp

      Filesize

      4KB

    • memory/2772-81-0x000000004AD00000-0x000000004AD4C000-memory.dmp

      Filesize

      304KB

    • memory/2868-44-0x0000000000400000-0x000000000057D000-memory.dmp

      Filesize

      1.5MB

    • memory/2868-20-0x0000000000660000-0x00000000006D2000-memory.dmp

      Filesize

      456KB

    • memory/2868-130-0x0000000005D40000-0x0000000005EBD000-memory.dmp

      Filesize

      1.5MB

    • memory/2868-13-0x0000000000400000-0x000000000057D000-memory.dmp

      Filesize

      1.5MB

    • memory/2868-14-0x0000000000400000-0x000000000057D000-memory.dmp

      Filesize

      1.5MB