Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
07/02/2025, 04:15
General
-
Target
JaffaCakes118_b2e0d4469ee2d14dfdca5ff323b919db.exe
-
Size
4.0MB
-
MD5
b2e0d4469ee2d14dfdca5ff323b919db
-
SHA1
ce8c0896c8a3840a2c99ec0877614b7eb14b6665
-
SHA256
48163945b7f61883bbef7ce671588278ece93e58a9e5cb9a4385704a53176ad7
-
SHA512
7ee8218f46bc851596ce0538c889ff61d22df243862804d64290171c56e80b67b157c6a8aa7fa24174d40df78223a4968c87f86e95297ce5fe261b3100525103
-
SSDEEP
98304:rBGCkwq9Y29Me/jRA1+IAt2nNRxnrWiVezIPeOyxom:9GJv1R/dA1NAtKTaiV52Oyim
Malware Config
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Darkcomet family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 17 IoCs
-
Identifies Wine through registry keys 2 TTPs 8 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
-
Suspicious use of SetThreadContext 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 29 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 7 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Runs ping.exe 1 TTPs 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b2e0d4469ee2d14dfdca5ff323b919db.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b2e0d4469ee2d14dfdca5ff323b919db.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\REIKO 1.EXE"C:\Users\Admin\AppData\Local\Temp\REIKO 1.EXE"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\SA6TSONTOFLASHUNCOMTHEMCR.EXE"C:\Users\Admin\AppData\Local\Temp\SA6TSONTOFLASHUNCOMTHEMCR.EXE"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\java.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wscript.exewscript.exe "C:\Users\Admin\AppData\Local\Temp\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\java2.bat4⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\java2.bat" "5⤵
- Drops startup file
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe3⤵
-
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe3⤵
-
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\per.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 600004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\Indexer .exe"C:\Users\Admin\AppData\Local\Temp\Indexer .exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe5⤵
-
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe5⤵
-
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe5⤵
-
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 600004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\Indexer .exe"C:\Users\Admin\AppData\Local\Temp\Indexer .exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe5⤵
-
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe5⤵
-
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe5⤵
-
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 600004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\Indexer .exe"C:\Users\Admin\AppData\Local\Temp\Indexer .exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe5⤵
-
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe5⤵
-
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe5⤵
-
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 600004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\Indexer .exe"C:\Users\Admin\AppData\Local\Temp\Indexer .exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe5⤵
-
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe5⤵
-
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe5⤵
-
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 600004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\Indexer .exe"C:\Users\Admin\AppData\Local\Temp\Indexer .exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe5⤵
-
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe5⤵
-
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe5⤵
-
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 600004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\Indexer .exe"C:\Users\Admin\AppData\Local\Temp\Indexer .exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe5⤵
-
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe5⤵
-
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe5⤵
-
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 600004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\Indexer .exe"C:\Users\Admin\AppData\Local\Temp\Indexer .exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe5⤵
-
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe5⤵
-
-
C:\Windows\Temp\Defrager.exeC:\Windows\Temp\Defrager.exe5⤵
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
499B
MD513840f563b7e837c7db570b3332833a5
SHA1dee01a177a63a813d58653908ccccd693f091676
SHA256333bbd84120abbd26f38f867b6f96265e55bb01dfd111eb0271d88bde3258a60
SHA5122f53086d5af59806f29902f693614e344fd0f75dc0deed4f8d18c95bfd2542ed7abd17aa60eeb8cde9d5c9f04ad42c4f87e3438eedf70cd8f5449f806e083ec5
-
Filesize
1.4MB
MD5498c38476e0d1394049c362df200f851
SHA1ead685e3522f82893ec62e98fc927c827471d4e6
SHA25634ebac4601ebf70369514302ce0deb70866767265a330699eab0995ee5f53aa7
SHA512c8d2a7a76a18731d315b0873838bdd6739be9f6dc45c3db294cd2716df61e7dbdb8789be592dff5912c373da1635c1014d2b745ccfd2ff040fe5cc1210326bf9
-
Filesize
1.9MB
MD542536470c192ab0f6e3bde40bfe93c57
SHA13ad0bbe73034d48291a4057b824fdc225ace7e4c
SHA256ba3fdd59aedaea00881145506285e9047e6900322eb0b8a8908c9e150401ee31
SHA512cc3d2dc1ee2beb60068168e376fd8ead4bfe4930c13d784f012664b6c8b169d9ac6e17aebefd4b44aeab78088831b57e9e85de5d6bd62ad685d6c59ae794a147
-
Filesize
78B
MD5c578d9653b22800c3eb6b6a51219bbb8
SHA1a97aa251901bbe179a48dbc7a0c1872e163b1f2d
SHA25620a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2
SHA5123ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d
-
Filesize
47B
MD581bf5400486e5da45ba0c6c1399d843f
SHA1d70a7c4d3f3057a3ef5b8b1c764b40b3d3b4d59d
SHA256d1a915a5e0286b1648a6e094f52813e2b5766dce3acf6342b297f7ca113545f1
SHA512ebeee9eb5249ee1b278bf6c1fbcd91e4c073a241203f218dfa2edfa708a37679c6e6a78751de55b4640a024b32ce4389bd5d931401309163950cd15b4a91c140
-
Filesize
149B
MD5abb26834e1b272333fc2dd0ad0fe5aae
SHA1c26cc0c5a4e386616f1a1736da70653f6b85e5d9
SHA256f50fd1abedfb0012b4efa21a43bfc98160ff82549f125a29a34b17f37f22063b
SHA5123f99312654ac8b8fbc80eb6cecc2d46d0372a4fea64591d671b7c2a3922bcd67d095c4ccd7ae90b8e377c425ac74628aed66b0afc769a9251f7c90efc9d74a15
-
Filesize
111B
MD5c82ae1b9daef094ac36500bb4648b1d8
SHA151b1bfef2998f0ef9ce8ed78877838fac9bfd868
SHA2560acb99bdf92d3d82f3e34e44c3e7262afc84da3e8bf276fb0d99dc7ac43bd910
SHA512b66245061790efb3f9c3bacab819537ebe0e4b60a0df3e194b50c543c3176deb5ca847a631a9255fa261e18c78c008421cc89401b1f10708508c2ad1adfee31c
-
Filesize
1.1MB
MD5d881de17aa8f2e2c08cbb7b265f928f9
SHA108936aebc87decf0af6e8eada191062b5e65ac2a
SHA256b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
SHA5125f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34
-
Filesize
4KB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
7.1MB
-
Filesize
7.1MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB