Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20250129-en -
resource tags
-
submitted
05/02/2025, 22:55
General
-
Target
JaffaCakes118_a491b24a3c210e20cb1aa80cc2291955.exe
-
Size
2.0MB
-
MD5
a491b24a3c210e20cb1aa80cc2291955
-
SHA1
fc288d367fe581e0538a4a20ea4b2c6671ddc29a
-
SHA256
0042904bde2751113928cf97783b2c83918287adb922965385f5a330c810a8ff
-
SHA512
62144581ed8a7b0472eb5ffbdb7a77f234a477f8aafa7e54b146ce4be473214d3c674e9c1d42d9da23cbb5693c8049126af9b627655532b01aef02ab29af3509
-
SSDEEP
49152:hDdiWQUCI9O/BMy3Zbg5gOssSKLiHBxPrp7P2EnDkF:RdiLI9Xy3ZburssS02BxPNqEna
Malware Config
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Darkcomet family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 11 IoCs
-
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
-
Suspicious use of SetThreadContext 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 22 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
NTFS ADS 28 IoCs
-
Runs ping.exe 1 TTPs 6 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a491b24a3c210e20cb1aa80cc2291955.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a491b24a3c210e20cb1aa80cc2291955.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\java.bat" "2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wscript.exewscript.exe "C:\Users\Admin\AppData\Local\Temp\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\java2.bat3⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\java2.bat" "4⤵
- Drops startup file
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe2⤵
-
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe2⤵
-
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\per.bat" "2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 600003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\Indexer .exe"C:\Users\Admin\AppData\Local\Temp\Indexer .exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe4⤵
-
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe4⤵
-
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe4⤵
-
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 600003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\Indexer .exe"C:\Users\Admin\AppData\Local\Temp\Indexer .exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe4⤵
-
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe4⤵
-
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe4⤵
-
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 600003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\Indexer .exe"C:\Users\Admin\AppData\Local\Temp\Indexer .exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe4⤵
-
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe4⤵
-
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe4⤵
-
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 600003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\Indexer .exe"C:\Users\Admin\AppData\Local\Temp\Indexer .exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- NTFS ADS
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe4⤵
-
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe4⤵
-
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe4⤵
-
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 600003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\Indexer .exe"C:\Users\Admin\AppData\Local\Temp\Indexer .exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- NTFS ADS
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe4⤵
-
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe4⤵
-
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe4⤵
-
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 600003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
971B
MD59c16cb8e3921a67da38d8a8f89d32dcf
SHA1c2cdb84ec77437f371c6c71f2b1e93b81ece1e0e
SHA25679fbeca5b4117f57435f7154fb8d49c041156960540055ff6f0331a0b4950fee
SHA512427a5ef0efaf5ad163a5fc7e0d9d28727e40dd20690c6fb076a4f9717f416e0eaa03ba5006b0096260eaa1b6c3a4709529ef363d549d8fe8186f0810ed736ebe
-
Filesize
971B
MD5f0c0e17beff2da6f63bb0cdcd823d49d
SHA179afa5cf686046d55ee7e9af9221ccb5f035f653
SHA2567aefb433eedebd76391574eab1bcf29be0e72c5041afbca19b36b58d0877c0d2
SHA512429dd8781c41c5f689498edb8887ae04e1915a19fcdfd964e0b3d980b98f73f9b74dbbb0d4938c7acb23f57cc7ce6457d81edd3bb0a44a8f81d3e38333331dff
-
Filesize
971B
MD511368cab4796faa9f2181ea78ef85063
SHA1258fb85bf93fd3f5a4d4b77452830f151e12aea0
SHA2569e3831d91a13747ffb5be394ab9983b0fa3c18f9f016c7033a39fdaae7961f49
SHA51268f79ec2f4d99fc24744abc4240b22ac7abc27952dd0a0189843d0e4ce75844bb498110453d3924732cfd034efa546f28e2dc904c194b366a84a146438ef1736
-
Filesize
971B
MD5798441ec7e0c37b921c51f6df4f50bde
SHA1856fac338c2034313a98a6475c5c19319008df79
SHA2564d9ed88239d70582f6a0cd8b9bcd3d1d458f833d6d978accb3b993d5f3b97739
SHA5128d35f479b41ffb5d771cc3a1b4f4d9c919c98c65b09145680d2212a4e1dd6354b964c8edb8d6f1d19020ace00d2386b22b4b650753012a0a4570aa5b63320016
-
Filesize
971B
MD5a6ed984aeba328e4ef5596adc40bfb7b
SHA1eeb57d0ad3dd6c58536b4e1ca955ff85d9a381b1
SHA2567abf014f2c5d1fee2de1ce4ec4a9c74719ea9a12ec20d6ed3535e06a6a505a0d
SHA5128154018f2694acc5809c2e9b4d5ccc2a449f029053c39596852daf8de97126db934a3be4229fdd5211db2371fe93f78e2a7e6eabe5297105de0a7dcfe5c6f287
-
Filesize
971B
MD57cda569d903e9892ffc96e6d101e991e
SHA158ec3e05605f5e8ee77d00b819cfbc17bbee4a76
SHA256a6381bfba08666c6eade166ef8a4bf0c88f0a632190d9accf3067c2c8691874c
SHA51286083f1c21ef9025b10c55a72c6f073cd9f8d761152e9d128c94858cce0bc929543354e7734458e9409686e00c2646377897b94262f0770fb50b88724826c4a2
-
Filesize
971B
MD57f95e96a24545cd7e8bda8512082d20c
SHA116a1a14c7fd8f8d7c442cffeedcfaa2266bbedea
SHA256b7fd9c92e72caed828b41d4f549f5d59b5f5d61d3c1335e381adbcd1f37e0796
SHA512d0199a804dd812d750d5abba9092389d2e6a668d840c65f703dd61a9ce4ed4555d8c795a33c0bf8d57dbb0864e1d111d31169612003fdfe40223fa8cd4e1e71c
-
Filesize
499B
MD517f7e5c69c4f1dc984a9810dde3b6982
SHA1601b5cf990955dabd1693049c2ed13b9ee2d2bd9
SHA25688f6579fa5ec5ee4040bc0cc74ff0f95966ccfb0181342f51362c42cc10cee12
SHA512a48162a368d358fe99876d95f0389f07bcbe0f689b741db722d284dbb43dfdeccb0589cc64cb0bad379333bcdbb88c0d3fba7d419572216a219907e2cf501df1
-
Filesize
2.0MB
MD5a491b24a3c210e20cb1aa80cc2291955
SHA1fc288d367fe581e0538a4a20ea4b2c6671ddc29a
SHA2560042904bde2751113928cf97783b2c83918287adb922965385f5a330c810a8ff
SHA51262144581ed8a7b0472eb5ffbdb7a77f234a477f8aafa7e54b146ce4be473214d3c674e9c1d42d9da23cbb5693c8049126af9b627655532b01aef02ab29af3509
-
Filesize
78B
MD5c578d9653b22800c3eb6b6a51219bbb8
SHA1a97aa251901bbe179a48dbc7a0c1872e163b1f2d
SHA25620a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2
SHA5123ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d
-
Filesize
47B
MD581bf5400486e5da45ba0c6c1399d843f
SHA1d70a7c4d3f3057a3ef5b8b1c764b40b3d3b4d59d
SHA256d1a915a5e0286b1648a6e094f52813e2b5766dce3acf6342b297f7ca113545f1
SHA512ebeee9eb5249ee1b278bf6c1fbcd91e4c073a241203f218dfa2edfa708a37679c6e6a78751de55b4640a024b32ce4389bd5d931401309163950cd15b4a91c140
-
Filesize
149B
MD5abb26834e1b272333fc2dd0ad0fe5aae
SHA1c26cc0c5a4e386616f1a1736da70653f6b85e5d9
SHA256f50fd1abedfb0012b4efa21a43bfc98160ff82549f125a29a34b17f37f22063b
SHA5123f99312654ac8b8fbc80eb6cecc2d46d0372a4fea64591d671b7c2a3922bcd67d095c4ccd7ae90b8e377c425ac74628aed66b0afc769a9251f7c90efc9d74a15
-
Filesize
111B
MD5c82ae1b9daef094ac36500bb4648b1d8
SHA151b1bfef2998f0ef9ce8ed78877838fac9bfd868
SHA2560acb99bdf92d3d82f3e34e44c3e7262afc84da3e8bf276fb0d99dc7ac43bd910
SHA512b66245061790efb3f9c3bacab819537ebe0e4b60a0df3e194b50c543c3176deb5ca847a631a9255fa261e18c78c008421cc89401b1f10708508c2ad1adfee31c
-
Filesize
971B
MD5fc86ffa0ea5c56f7867c4a293a6833ba
SHA1a08fa33f79ae97fc9081e0edcc46c0b89b3ae1ca
SHA25668dcc3a792183b43c7fa038f8b21289e6667672e834129278f12dbc375140635
SHA5127ad93eeef937de4a8d61c96a9016bb05126e39b836c887143f5dcb5850a45cb5991b796310216b0744f1fe0440f575d7db63bca808d18d27b8ba38a535e30724
-
Filesize
971B
MD5e631fb51fad134ed8d5ab02511ed39ae
SHA1a4b629f488875f540ff99b4734e1f95b7692f785
SHA25617862555210809b5ffb814a3a7bfafe6da13344ccdc782a6c42af913dc3a53a7
SHA51295d50929fb1a8a9ec2faf3ee546005fea464f961a328ba9b4860951ba478f4fb8ee2401d403b7332b878d47f285cdba60cb1e241799e325dd28ae76b116039ad
-
Filesize
1.1MB
MD5d881de17aa8f2e2c08cbb7b265f928f9
SHA108936aebc87decf0af6e8eada191062b5e65ac2a
SHA256b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
SHA5125f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
3.5MB
-
Filesize
648KB
-
Filesize
3.5MB
-
Filesize
648KB
-
Filesize
3.5MB
-
Filesize
3.5MB
-
Filesize
648KB
-
Filesize
3.5MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB