Analysis
-
max time kernel
119s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
03-01-2025 12:25
General
-
Target
JaffaCakes118_6c9cd2ac3054887bb594424d4869cfda.exe
-
Size
542KB
-
MD5
6c9cd2ac3054887bb594424d4869cfda
-
SHA1
7973c8d27ba2a38f80261fb99b988d608986e0c0
-
SHA256
2746393bac3d91352de667262c740964ba3b4a36481bf1c229bcdf16ae804eb1
-
SHA512
1cb6b4b1d3959ab1d4834f50b2974e624190986d18b77cfdcfcdf4f884e1fec61dd64e67335917319ccf534184eb73877b7e7f21c43c527dbda262f43ff439e0
-
SSDEEP
12288:IPtk6jP8Gw9OHhBZtqliSdBb2cFQfK0rKQ:IPtkUx8OBiiSdBbmf7K
Malware Config
Extracted
darkcomet
Guest16_min
rawaz.no-ip.biz:1604
DCMIN_MUTEX-05QLF3E
-
InstallPath
DCSCMIN\IMDCSC.exe
-
gencode
nKzbvZtX7gLR
-
install
true
-
offline_keylogger
true
-
persistence
false
-
reg_key
DarkComet RAT
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Darkcomet family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c9cd2ac3054887bb594424d4869cfda.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c9cd2ac3054887bb594424d4869cfda.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
54KB
MD50f01571a3e4c71eb4313175aae86488e
SHA12ba648afe2cd52edf5f25e304f77d457abf7ac0e
SHA2568cc51c4c2efc8c6a401aa83a0aeced0925d5d9d2a43192f35561893cdf704022
SHA512159dfbb7d385bf92f4fc48ca389b89d69f6c2616e90dfa056e725d7da78a3702694a28f9c5cab7b55adc4d4dbd7bfe5d272c8b1c9931e3ac95f6326d74576794
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
4KB
-
Filesize
712KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
1024KB