Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-01-2025 08:36

General

  • Target

    JaffaCakes118_6b6a94ac17d74979c41f9df5dd987740.exe

  • Size

    779KB

  • MD5

    6b6a94ac17d74979c41f9df5dd987740

  • SHA1

    f51f2ad7cb34073d5ef5fc900368369202331506

  • SHA256

    0a1da724132eca214511cff376c2ba53ae7fa63b96d6f60a3f51a205caf43e90

  • SHA512

    0e0329f21bd82ac2d7dd6dd67b9a5c49b09a92d2294b506176454d80420447a2746f2240353c64e16ce6714afbec9a5df5ccb87011dc0a39f76984282b31d69d

  • SSDEEP

    12288:h4YJH6lgnTSwfC55c7nnoUIRk1WtEupY5saNLlSsl5HOYdyYLI:h4+H6lpwfC56DOq0tEupSB6Cf0

Malware Config

Extracted

Family

darkcomet

Botnet

HaCkEd

C2

imasoldier.zapto.org:1065

Mutex

DC_MUTEX-F4Y6Y3U

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    NvNoWDafnVkg

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Darkcomet family
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 2 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b6a94ac17d74979c41f9df5dd987740.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b6a94ac17d74979c41f9df5dd987740.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2364
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ztmp\t11631.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b6a94ac17d74979c41f9df5dd987740.exe" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3988
      • C:\Users\Admin\AppData\Local\Temp\afolder\2.exe
        2.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4144
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ztmp\t13571.bat" "C:\Users\Admin\AppData\Local\Temp\afolder\2.exe" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4424
          • C:\Users\Admin\AppData\Local\Temp\afolder\1.exe
            1.exe
            5⤵
            • Modifies WinLogon for persistence
            • Checks computer location settings
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4892
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\afolder\1.exe" +s +h
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:876
              • C:\Windows\SysWOW64\attrib.exe
                attrib "C:\Users\Admin\AppData\Local\Temp\afolder\1.exe" +s +h
                7⤵
                • Sets file to hidden
                • System Location Discovery: System Language Discovery
                • Views/modifies file attributes
                PID:1916
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\afolder" +s +h
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1700
              • C:\Windows\SysWOW64\attrib.exe
                attrib "C:\Users\Admin\AppData\Local\Temp\afolder" +s +h
                7⤵
                • Sets file to hidden
                • System Location Discovery: System Language Discovery
                • Views/modifies file attributes
                PID:4912
            • C:\Windows\SysWOW64\notepad.exe
              notepad
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2376
            • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
              "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
              6⤵
              • Modifies security service
              • Windows security bypass
              • Executes dropped EXE
              • Windows security modification
              • Adds Run key to start application
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:4752
              • C:\Windows\SysWOW64\notepad.exe
                notepad
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3376

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\afolder\1.exe

    Filesize

    659KB

    MD5

    a5c281dab973219f324282acea6e9d36

    SHA1

    0b295a4cfeab1953e8d0b2ee6e08c3f9002be9a0

    SHA256

    1d473afb1ffb75541405e7c0a24673dd266eccc00d386aff67016f1bd1e8153c

    SHA512

    3588d64d4a1bf91bc473d5734f7f7c457d2bd7d7a5e28443137410602a34ad90decf32c4bfb080ce3219cf3eede492773efc724d27f4c354bb42e9f3e36a5c8d

  • C:\Users\Admin\AppData\Local\Temp\afolder\2.exe

    Filesize

    719KB

    MD5

    37be355dc1b396e577b4fc4c10a05db0

    SHA1

    da566574177c5e5f1b61b639454fdff20cff2996

    SHA256

    d8b3e4f5a91aeebd08dfa46bb2269475a28d4ea21af9dbdb0a10413d38879fef

    SHA512

    897ba71b0baad9c64a3cf228dc5bfee7cf4282277899da984ad13a79e8ec40c749de926573b3498e92234c45c970e89ab801337a53ebfa3fe6e2af58566fdc0e

  • C:\Users\Admin\AppData\Local\Temp\ztmp\t11631.bat

    Filesize

    205B

    MD5

    33933e17f7c35079a56cf8a3e0bbc995

    SHA1

    d3cc52bd65e17c4f125aa75d0b723f8b9ba68217

    SHA256

    68e1629e42db2a53a40121a78f41bc36041006a197f640f2e8ab997011013be0

    SHA512

    763cc69d43c4143697dce76abc1e54a9787eb3c58a263c682ad3d17840c4f24b88a46b8a7249b31f4425175e54c25970a5c5684c9c35303ab4a0e14f40ecd955

  • C:\Users\Admin\AppData\Local\Temp\ztmp\t13571.bat

    Filesize

    205B

    MD5

    d71819b55bd111f54e417f07a895d4f2

    SHA1

    98be31c1d3b7a227396cf16ad3206f2fe3f01a1e

    SHA256

    52bef660c1697c5b44a24be4a205a1721682fd08e7fa19bfb8303bc15b8090ab

    SHA512

    68d71b6a4b5172fce208d355ecf9aeb61fc449597c5171e3937c362b0f622b11cc39bf6a8e67098f8ab07fbb4c076f51c8fa6509f6223e6dc50a4ad9949dced3

  • memory/2376-23-0x00000000013B0000-0x00000000013B1000-memory.dmp

    Filesize

    4KB

  • memory/3376-82-0x00000000009A0000-0x00000000009A1000-memory.dmp

    Filesize

    4KB

  • memory/4752-88-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/4752-94-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/4752-86-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/4752-87-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/4752-98-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/4752-89-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/4752-90-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/4752-91-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/4752-92-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/4752-93-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/4752-85-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/4752-95-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/4752-96-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/4752-97-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/4892-83-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB