Overview

overview

10

Static

static

3

JaffaCakes...00.exe

windows7-x64

10

JaffaCakes...00.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    7s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-01-2025 13:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_6cf8a0eb629274855c5d9cc835b63100.exe

  • Size

    732KB

  • MD5

    6cf8a0eb629274855c5d9cc835b63100

  • SHA1

    516425f5d7bc9efb9c474d590d2f8829ac6ab8ad

  • SHA256

    bdab0a13436bc6f68b636846cce096d536c9a1ef9484fc56610445cd635a124d

  • SHA512

    01a4088bc5fbc205401cc12772fd9b76f1724725a7fc73cc03532b2f77994db7247661610e1ef25e5d5f2a1ee59d26518fc2079f487a8923ef8552aa03b47339

  • SSDEEP

    12288:KYALrNF5J0QUoTyq5EVmIGRvZ7n8DhvAUCi61z8rITclHwuaV9QljPXax77:VQUZq5EMRNnqyiQ8rITcxwua4j/aV7

Score
10/10
darkcometrj12discoverypersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

rj12

C2

rj12.no-ip.org:83

Mutex

DC_MUTEX-UJ053AT

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    0UacqjMnCbw4

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Darkcomet family
    darkcomet
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 15 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6cf8a0eb629274855c5d9cc835b63100.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6cf8a0eb629274855c5d9cc835b63100.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2176
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      2⤵
      • Modifies WinLogon for persistence
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:3416
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
          PID:2976
        • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
          "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
          3⤵
            PID:736
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\.exe"
          2⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3560
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\.exe"
            3⤵
            • Modifies WinLogon for persistence
            • System Location Discovery: System Language Discovery
            PID:664
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows® Internet Explorer" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\.exe
          2⤵
          • System Location Discovery: System Language Discovery
          PID:3376
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows® Internet Explorer" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\.exe
            3⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:2152
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows® Internet Explorer" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\.exe
          2⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4008
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows® Internet Explorer" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\.exe
            3⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:5024
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows® Internet Explorer" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\.exe
          2⤵
          • System Location Discovery: System Language Discovery
          PID:2264
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows® Internet Explorer" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\.exe
            3⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:1344
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows® Internet Explorer" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\.exe
          2⤵
          • System Location Discovery: System Language Discovery
          PID:3696
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows® Internet Explorer" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\.exe
            3⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:1800
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows® Internet Explorer" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\.exe
          2⤵
          • System Location Discovery: System Language Discovery
          PID:3172
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows® Internet Explorer" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\.exe
            3⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:3112
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows® Internet Explorer" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\.exe
          2⤵
          • System Location Discovery: System Language Discovery
          PID:3788
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows® Internet Explorer" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\.exe
            3⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:1804
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows® Internet Explorer" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\.exe
          2⤵
          • System Location Discovery: System Language Discovery
          PID:1788
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows® Internet Explorer" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\.exe
            3⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:4880
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows® Internet Explorer" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\.exe
          2⤵
          • System Location Discovery: System Language Discovery
          PID:2400
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows® Internet Explorer" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\.exe
            3⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:3508
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows® Internet Explorer" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\.exe
          2⤵
          • System Location Discovery: System Language Discovery
          PID:2428
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows® Internet Explorer" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\.exe
            3⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:464
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows® Internet Explorer" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\.exe
          2⤵
          • System Location Discovery: System Language Discovery
          PID:1860
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows® Internet Explorer" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\.exe
            3⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:1428
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows® Internet Explorer" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\.exe
          2⤵
          • System Location Discovery: System Language Discovery
          PID:4060
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows® Internet Explorer" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\.exe
            3⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:4648
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows® Internet Explorer" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\.exe
          2⤵
          • System Location Discovery: System Language Discovery
          PID:2336
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows® Internet Explorer" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\.exe
            3⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:1560
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows® Internet Explorer" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\.exe
          2⤵
          • System Location Discovery: System Language Discovery
          PID:5076
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows® Internet Explorer" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\.exe
            3⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:1424
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows® Internet Explorer" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\.exe
          2⤵
          • System Location Discovery: System Language Discovery
          PID:4420
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows® Internet Explorer" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\.exe
            3⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:2332
      • C:\Windows\system32\sihost.exe
        sihost.exe
        1⤵
          PID:2780
          • C:\Windows\explorer.exe
            explorer.exe /LOADSAVEDWINDOWS
            2⤵
              PID:3908

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
            Filesize

            1.1MB

            MD5

            d881de17aa8f2e2c08cbb7b265f928f9

            SHA1

            08936aebc87decf0af6e8eada191062b5e65ac2a

            SHA256

            b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

            SHA512

            5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

            Download Submit

          • memory/2176-12-0x00000000747A0000-0x0000000074D51000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/2176-1-0x00000000747A0000-0x0000000074D51000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/2176-2-0x00000000747A0000-0x0000000074D51000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/2176-3-0x00000000747A0000-0x0000000074D51000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/2176-0-0x00000000747A2000-0x00000000747A3000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2176-77-0x00000000747A0000-0x0000000074D51000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/2176-73-0x00000000747A0000-0x0000000074D51000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/2176-11-0x00000000747A2000-0x00000000747A3000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2976-14-0x0000000000630000-0x0000000000631000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3416-7-0x0000000000400000-0x00000000004B2000-memory.dmp

            Filesize

            712KB

            Download

          • memory/3416-6-0x0000000000400000-0x00000000004B2000-memory.dmp

            Filesize

            712KB

            Download

          • memory/3416-5-0x0000000000400000-0x00000000004B2000-memory.dmp

            Filesize

            712KB

            Download

          • memory/3416-9-0x0000000000400000-0x00000000004B2000-memory.dmp

            Filesize

            712KB

            Download

          • memory/3416-74-0x0000000000400000-0x00000000004B2000-memory.dmp

            Filesize

            712KB

            Download

          • memory/3416-8-0x0000000000400000-0x00000000004B2000-memory.dmp

            Filesize

            712KB

            Download