Overview

overview

10

Static

static

3

JaffaCakes...25.exe

windows7-x64

10

JaffaCakes...25.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/02/2025, 13:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_aba0b440dd25c7f3d8a009009a6abc25.exe

  • Size

    680KB

  • MD5

    aba0b440dd25c7f3d8a009009a6abc25

  • SHA1

    f023abfa140aa9fb9a93eca3a01451df8c7442f7

  • SHA256

    e3b98c6377aedde14ae5dae49e9a7ce7e6bbfc5021537317fe4c071d544999d8

  • SHA512

    341b58620b95cc3f3935d43b685ba47cafbaa1e5c2537d47d84a6cc1ddb51922c547a877d7a2918a96f9ccf46911dac213b0b338b8695c85fe48eb04b53d8939

  • SSDEEP

    12288:e2uoo5daSSM+f1Bf6m68tteXNBZcICMTJT7qpOxTieIiZ2/9ie2:K95dIRfPtPeXuD2TRTieB2/9/2

Score
10/10
darkcometdefense_evasiondiscoverypersistencerattrojan

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Darkcomet family
    darkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies firewall policy service 3 TTPs 3 IoCs
    defense_evasion
  • Modifies security service 2 TTPs 1 IoCs
    defense_evasion
  • Windows security bypass 2 TTPs 2 IoCs
    defense_evasiontrojan
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_aba0b440dd25c7f3d8a009009a6abc25.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_aba0b440dd25c7f3d8a009009a6abc25.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1576
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dc Server.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dc Server.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4640
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\SysWOW64\explorer.exe"
        3⤵
        • Modifies firewall policy service
        • Modifies security service
        • Windows security bypass
        • Checks BIOS information in registry
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Defense Evasion

Impair Defenses

2
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

1
T1562.001

Modify Registry

5
T1112

Credential Access

Discovery

Query Registry

4
T1012

System Information Discovery

5
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dc Server.exe
    Filesize

    636KB

    MD5

    bfec72c7866e52d29e86c618ed2bda9f

    SHA1

    17e0bfb97a2d7e8b9198f297b4365b8fd963ee4e

    SHA256

    df2583f582149320f0ac91efa431a8dd25ab36b41b4e3e2225f365c44752cf94

    SHA512

    f279ce7ea8a5a0c43c4cbc888cdc933a9545419dac9c5bd1fb7cb40d4ce14c13f6ab5d662c46cc73a157ef69956f32df41e15eeda7a79a5865d1351a9d90ca96

    Download Submit

  • memory/1988-19-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/1988-14-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/1988-16-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/1988-23-0x00000000014B0000-0x00000000014B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1988-22-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/1988-21-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/1988-20-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/1988-18-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/1988-15-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/1988-13-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/1988-24-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/4640-17-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/4640-10-0x0000000002850000-0x0000000002851000-memory.dmp

    Filesize

    4KB

    Download