Overview

overview

10

Static

static

3

JaffaCakes...c2.exe

windows7-x64

10

JaffaCakes...c2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/01/2025, 17:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_0fe6a2ad84739f138c16c693028072c2.exe

  • Size

    1.9MB

  • MD5

    0fe6a2ad84739f138c16c693028072c2

  • SHA1

    50ffc480400d902ce23dbabe7559a057850938d7

  • SHA256

    01eeaec2582724bff9646c88fb477ea945f55915dfd0da9d619a404797820e5a

  • SHA512

    80f92cd708f32bb6aa7398dda7a2652433f95ffcb178fb0186dcdcdd97ba7dcc0a448b02e4a754b379d568bf562ca173fc7517958326ecbc6f5c548c2bf165f3

  • SSDEEP

    24576:kV1HEA3zhTIzjvfn+Hg5z8OdXGkTIjF66310:kDGyB1

Score
10/10
darkcometdiscoverypersistencerattrojan

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Darkcomet family
    darkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0fe6a2ad84739f138c16c693028072c2.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0fe6a2ad84739f138c16c693028072c2.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2260
    • C:\Users\Admin\AppData\Local\Temp\winamp\explorer.exe
      C:\Users\Admin\AppData\Local\Temp\\winamp\explorer.exe
      2⤵
        PID:3760
      • C:\Users\Admin\AppData\Local\Temp\winamp\explorer.exe
        C:\Users\Admin\AppData\Local\Temp\\winamp\explorer.exe
        2⤵
        • Modifies WinLogon for persistence
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3624
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:5096
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1 -n 5
            4⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:212
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2236
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1 -n 5
            4⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2956
        • C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
          "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:336

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
      Filesize

      1.1MB

      MD5

      d881de17aa8f2e2c08cbb7b265f928f9

      SHA1

      08936aebc87decf0af6e8eada191062b5e65ac2a

      SHA256

      b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

      SHA512

      5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat
      Filesize

      82B

      MD5

      35d96e874ae0a97b4464c075405abd90

      SHA1

      1bc253a3e046a221d448ff19509abd57994f203a

      SHA256

      a8cbec11cd44fcc0dbc150d99fde233c9cdfdbed5a78e87449a000f6993c7b34

      SHA512

      6e5f180cbc2c9cdde5fe2721092c6c0599f3c9900711082a4690a25478fd6fba7b3c6d75f771e474317ad27e5ac378bc19d4d6570cac7e8f76411da6fd8cd46a

      Download Submit

    • memory/2260-0-0x0000000075592000-0x0000000075593000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2260-1-0x0000000075590000-0x0000000075B41000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2260-2-0x0000000075590000-0x0000000075B41000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2260-17-0x0000000075590000-0x0000000075B41000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3624-9-0x0000000000400000-0x00000000004C3000-memory.dmp

      Filesize

      780KB

      Download

    • memory/3624-11-0x0000000002270000-0x0000000002271000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3624-10-0x0000000000400000-0x00000000004C3000-memory.dmp

      Filesize

      780KB

      Download

    • memory/3624-7-0x0000000000400000-0x00000000004C3000-memory.dmp

      Filesize

      780KB

      Download

    • memory/3624-82-0x0000000000400000-0x00000000004C3000-memory.dmp

      Filesize

      780KB

      Download