Overview

overview

10

Static

static

3

JaffaCakes...b7.exe

windows7-x64

10

JaffaCakes...b7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    09-01-2025 14:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe

  • Size

    1.8MB

  • MD5

    ca774575a2253b0aa51d7294cc45e5b7

  • SHA1

    150df3f0e8e861f802157084bc64a8ec8b34fa42

  • SHA256

    62db18b1b1d4ac66d198ecfbc1195dc13373fd29833c58bf71cfa4255679c578

  • SHA512

    8fd26c938e24f67c1f25e22bc59b73ffcf44ecdf6454eddf42d7ccb19fa132533b5d8ac2a2aea43c298e9c1858d769a5c9b514db71441daacec32a35c4573b07

  • SSDEEP

    49152:3IYjlLwtsGun9LIo3BBdLbrfTVzvjYK1nmD6:YYj9wtsGuLf/v8K1nmD6

Score
10/10
darkcometwarzonerat2021new-sept-1discoveryinfostealerpersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

2021New-Sept-1

C2

45.74.4.244:35888

Mutex

DC_MUTEX-7DDJ5ZC

Attributes
  • InstallPath

    wirar.exe

  • gencode

    cYaHnoJ4tARs

  • install

    true

  • offline_keylogger

    true

  • password

    hhhhhh

  • persistence

    false

  • reg_key

    rar

Extracted

Family

warzonerat

C2

45.74.4.244:5205

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Darkcomet family
    darkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzonerat family
    warzonerat
  • Warzone RAT payload 8 IoCs
    rat
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 18 IoCs
  • Loads dropped DLL 11 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2660
    • C:\Users\Admin\AppData\Local\Temp\G2mifggz3gPsEgfT.exe
      "C:\Users\Admin\AppData\Local\Temp\G2mifggz3gPsEgfT.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2816
      • C:\Users\Admin\AppData\Local\Temp\G2mifggz3gPsEgfT.exe
        "C:\Users\Admin\AppData\Local\Temp\G2mifggz3gPsEgfT.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2608
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1680
    • C:\Users\Admin\AppData\Local\Temp\uQLoKtrjVfIx82MW.exe
      "C:\Users\Admin\AppData\Local\Temp\uQLoKtrjVfIx82MW.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2904
      • C:\Users\Admin\AppData\Local\Temp\uQLoKtrjVfIx82MW.exe
        "C:\Users\Admin\AppData\Local\Temp\uQLoKtrjVfIx82MW.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1748
        • C:\ProgramData\images.exe
          "C:\ProgramData\images.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:968
          • C:\ProgramData\images.exe
            "C:\ProgramData\images.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2956
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1768
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe"
      2⤵
        PID:2376
      • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe"
        2⤵
        • Modifies WinLogon for persistence
        • Drops file in Drivers directory
        • Loads dropped DLL
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2876
        • C:\Users\Admin\Documents\wirar.exe
          "C:\Users\Admin\Documents\wirar.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1368
          • C:\Users\Admin\AppData\Local\Temp\3nRW08FEXxk4hbhL.exe
            "C:\Users\Admin\AppData\Local\Temp\3nRW08FEXxk4hbhL.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1760
            • C:\Users\Admin\AppData\Local\Temp\3nRW08FEXxk4hbhL.exe
              "C:\Users\Admin\AppData\Local\Temp\3nRW08FEXxk4hbhL.exe"
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:1096
          • C:\Users\Admin\AppData\Local\Temp\Gt68zF8lNOaH0jPh.exe
            "C:\Users\Admin\AppData\Local\Temp\Gt68zF8lNOaH0jPh.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1984
            • C:\Users\Admin\AppData\Local\Temp\Gt68zF8lNOaH0jPh.exe
              "C:\Users\Admin\AppData\Local\Temp\Gt68zF8lNOaH0jPh.exe"
              5⤵
              • Executes dropped EXE
              PID:2500
            • C:\Users\Admin\AppData\Local\Temp\Gt68zF8lNOaH0jPh.exe
              "C:\Users\Admin\AppData\Local\Temp\Gt68zF8lNOaH0jPh.exe"
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:236
          • C:\Users\Admin\Documents\wirar.exe
            "C:\Users\Admin\Documents\wirar.exe"
            4⤵
            • Executes dropped EXE
            PID:1828
          • C:\Users\Admin\Documents\wirar.exe
            "C:\Users\Admin\Documents\wirar.exe"
            4⤵
            • Executes dropped EXE
            PID:1344
          • C:\Users\Admin\Documents\wirar.exe
            "C:\Users\Admin\Documents\wirar.exe"
            4⤵
            • Executes dropped EXE
            PID:2044
          • C:\Users\Admin\Documents\wirar.exe
            "C:\Users\Admin\Documents\wirar.exe"
            4⤵
            • Executes dropped EXE
            PID:1120
          • C:\Users\Admin\Documents\wirar.exe
            "C:\Users\Admin\Documents\wirar.exe"
            4⤵
            • Executes dropped EXE
            PID:2200
          • C:\Users\Admin\Documents\wirar.exe
            "C:\Users\Admin\Documents\wirar.exe"
            4⤵
            • Executes dropped EXE
            PID:1040

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\uQLoKtrjVfIx82MW.exe
      Filesize

      588KB

      MD5

      72d376e15678248531147e2b99a5506a

      SHA1

      b00bbc94047cbfecd2252630f223432a0655040d

      SHA256

      b7c6b990631465389889e1d1e5760044a161f60886ed05a2f9930288e59084e7

      SHA512

      3a2b6f1810bdc4d8e6807d5d7e1f8db9a81ea3527bfc03b0c8435da3223ace84af9cc27d83be1d1d65e1a21b382b2686b87ace6f7d31ba6fab7d3beed72ea193

      Download Submit

    • \Users\Admin\AppData\Local\Temp\G2mifggz3gPsEgfT.exe
      Filesize

      646KB

      MD5

      451ab0b0c52f20e51e8fcdb8b2b97d2e

      SHA1

      677179dfdb1576fcee1c064916735aae6e4e8ae1

      SHA256

      4980a38edecf75929294468ab5e32a26cc235d2544a9047de66c4620c9f835d0

      SHA512

      697ed282486addf8f0da329deaa9134790d6b4766f5bc7be37f466f3e16aa2167286c57fd3771c96177a78698f93a6e674d2efaebda5f8da5d330a714821d8c1

      Download Submit

    • \Users\Admin\Documents\wirar.exe
      Filesize

      1.8MB

      MD5

      ca774575a2253b0aa51d7294cc45e5b7

      SHA1

      150df3f0e8e861f802157084bc64a8ec8b34fa42

      SHA256

      62db18b1b1d4ac66d198ecfbc1195dc13373fd29833c58bf71cfa4255679c578

      SHA512

      8fd26c938e24f67c1f25e22bc59b73ffcf44ecdf6454eddf42d7ccb19fa132533b5d8ac2a2aea43c298e9c1858d769a5c9b514db71441daacec32a35c4573b07

      Download Submit

    • memory/1680-114-0x0000000000160000-0x0000000000161000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1680-116-0x0000000000160000-0x0000000000161000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1748-62-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1748-52-0x0000000000400000-0x0000000000554000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/1748-63-0x0000000000400000-0x0000000000554000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/1748-66-0x0000000000400000-0x0000000000554000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/1748-60-0x0000000000400000-0x0000000000554000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/1748-58-0x0000000000400000-0x0000000000554000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/1748-56-0x0000000000400000-0x0000000000554000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/1748-54-0x0000000000400000-0x0000000000554000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/1748-50-0x0000000000400000-0x0000000000554000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/1748-48-0x0000000000400000-0x0000000000554000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/2608-85-0x0000000000400000-0x0000000000554000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/2608-83-0x0000000000400000-0x0000000000554000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/2608-82-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2660-1-0x0000000074970000-0x0000000074F1B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2660-2-0x0000000074970000-0x0000000074F1B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2660-87-0x0000000074970000-0x0000000074F1B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2660-0-0x0000000074971000-0x0000000074972000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2816-12-0x0000000074970000-0x0000000074F1B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2816-86-0x0000000074970000-0x0000000074F1B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2876-36-0x0000000000400000-0x00000000004BA000-memory.dmp

      Filesize

      744KB

      Download

    • memory/2876-27-0x0000000000400000-0x00000000004BA000-memory.dmp

      Filesize

      744KB

      Download

    • memory/2876-29-0x0000000000400000-0x00000000004BA000-memory.dmp

      Filesize

      744KB

      Download

    • memory/2876-31-0x0000000000400000-0x00000000004BA000-memory.dmp

      Filesize

      744KB

      Download

    • memory/2876-25-0x0000000000400000-0x00000000004BA000-memory.dmp

      Filesize

      744KB

      Download

    • memory/2876-19-0x0000000000400000-0x00000000004BA000-memory.dmp

      Filesize

      744KB

      Download

    • memory/2876-21-0x0000000000400000-0x00000000004BA000-memory.dmp

      Filesize

      744KB

      Download

    • memory/2876-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2876-33-0x0000000000400000-0x00000000004BA000-memory.dmp

      Filesize

      744KB

      Download

    • memory/2876-23-0x0000000000400000-0x00000000004BA000-memory.dmp

      Filesize

      744KB

      Download

    • memory/2876-37-0x0000000000400000-0x00000000004BA000-memory.dmp

      Filesize

      744KB

      Download

    • memory/2904-65-0x0000000074970000-0x0000000074F1B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2904-18-0x0000000074970000-0x0000000074F1B000-memory.dmp

      Filesize

      5.7MB

      Download