Overview

overview

10

Static

static

3

JaffaCakes...84.exe

windows7-x64

10

JaffaCakes...84.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    11/02/2025, 21:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_ea566d5b0ce986826bad6a351d673684.exe

  • Size

    1.3MB

  • MD5

    ea566d5b0ce986826bad6a351d673684

  • SHA1

    0bd88c188e1f7ff92a72ddffc0a0584e913546cb

  • SHA256

    f49c3baf6f5332c0691afe69d271749f22dc91e3e42828b74ed24a42985b0236

  • SHA512

    e579fe290cebef0d90981c87ef75e8ffdb8f7357e881fab00b6366b5c4e8f45bc00325351c7ac6b63f3991e780d1570fbe0dd4db881705ee5de262af34d66055

  • SSDEEP

    24576:p5xWOMQ3B7jSQ7oGOMkyKiRzC0+JOkA7Gua:F93B6Q7oGzkDiRn+JOk

Score
10/10
darkcometdiscoverypersistencerattrojanupx

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Darkcomet family
    darkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ea566d5b0ce986826bad6a351d673684.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ea566d5b0ce986826bad6a351d673684.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2304
    • \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Temp\SPOON\CACHE\0x9AFDDA37897DCEB0\STUBEXE\0x374009F5779B4CA3\document.exe
      "C:\Users\Admin\Desktop\document.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2128
      • \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Temp\SPOON\CACHE\0x9AFDDA37897DCEB0\STUBEXE\0x374009F5779B4CA3\msdcsc.exe
        "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2784
        • \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Temp\SPOON\CACHE\0x9AFDDA37897DCEB0\STUBEXE\0xAE55B5A6B5129950\notepad.exe
          notepad
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2196

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    Filesize

    256KB

    MD5

    2601e27489d84697469faf31987f3bb6

    SHA1

    121e28744067a2fdbcf53e936ac1501cd931a43e

    SHA256

    e54925c5ec2667ae4b05dc189a1c1e19382f603aedc8c9b1b12e64f863593698

    SHA512

    61d64ad1b86adfdb87f7eb04633e0defaee9bdd3bf08297963738d1bf0f8271f53ae40dcac5f6e2ad3640d387080554e0742a293f80935f04ee9177b9ed3cc47

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\SPOON\CACHE\0x9AFDDA37897DCEB0\STUBEXE\0x374009F5779B4CA3\document.exe
    Filesize

    17KB

    MD5

    c4223f2316cb18212389d49a0586f0b2

    SHA1

    b736f0a53108809b3d7213b36b5a460e77a906b0

    SHA256

    7d5877ddbc929b470fa64abf662f281b4d6a814036b9ada5338d9c304f5f9803

    SHA512

    5a346552bd004b50741e074e0411880a6df39b75318eecb88b49683c10a5e84a8f3ef927681b960189828d987f2770e861c2edc408cce443b6ee1c4b2281da31

    Download Submit

  • \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Spoon\Sandbox\Word\1.0.0.0\XSandbox.bin
    Filesize

    16B

    MD5

    4d1b45a30f737ecb375e0f8864a61fb5

    SHA1

    8802609b20c01506f76d5c7f28e196f6a03df284

    SHA256

    aa75a5714be2085b8ea551f57a54bdf13f11c0f8c6be348a68948b0705b35769

    SHA512

    bd9a147f9f5f36ded30cb7dfaa150e643a158a8c973e23c076fadb443ddb02b8a9323f012b907d43e0517f1754db846a1fa47b19286d81010c475117e20afdc7

    Download Submit

  • \Users\Admin\AppData\Local\Temp\SPOON\CACHE\0x9AFDDA37897DCEB0\STUBEXE\0xAE55B5A6B5129950\notepad.exe
    Filesize

    17KB

    MD5

    21b223116d45d1aebeeae20b45663f5f

    SHA1

    f71b6756f2967da35ec0af6df5552b87c116395e

    SHA256

    14d3e066c854d631bd8baeb6ad8287712ae401871a71ad3797cc7ed619dc9929

    SHA512

    32645a1685b7bd94dbcf1b986dbbb166b6e02343591af0787c129e6e4c300217c196f1d6ad7be1515c0e0c22e8b44a0128327b8ad86a7f59d0c2ca9c5af6df3f

    Download Submit

  • memory/2128-39-0x0000000000240000-0x00000000002C9000-memory.dmp

    Filesize

    548KB

    Download

  • memory/2128-35-0x0000000000240000-0x00000000002C9000-memory.dmp

    Filesize

    548KB

    Download

  • memory/2128-33-0x0000000000400000-0x00000000004BA000-memory.dmp

    Filesize

    744KB

    Download

  • memory/2128-34-0x0000000000400000-0x00000000004BA000-memory.dmp

    Filesize

    744KB

    Download

  • memory/2304-12-0x0000000000220000-0x00000000002A9000-memory.dmp

    Filesize

    548KB

    Download

  • memory/2304-29-0x0000000000220000-0x00000000002A9000-memory.dmp

    Filesize

    548KB

    Download

  • memory/2304-17-0x0000000010000000-0x000000001002E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2304-16-0x0000000010000000-0x000000001002E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2304-22-0x0000000000220000-0x00000000002A9000-memory.dmp

    Filesize

    548KB

    Download

  • memory/2304-21-0x0000000000220000-0x00000000002A9000-memory.dmp

    Filesize

    548KB

    Download

  • memory/2304-20-0x0000000010000000-0x000000001002E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2304-23-0x0000000000220000-0x00000000002A9000-memory.dmp

    Filesize

    548KB

    Download

  • memory/2304-19-0x0000000010000000-0x000000001002E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2304-30-0x0000000000220000-0x00000000002A9000-memory.dmp

    Filesize

    548KB

    Download

  • memory/2304-6-0x00000000003D0000-0x00000000003D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2304-18-0x0000000010000000-0x000000001002E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2304-13-0x00000000773D0000-0x00000000773D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2304-14-0x0000000076B1F000-0x0000000076B20000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2304-15-0x0000000076B10000-0x0000000076B57000-memory.dmp

    Filesize

    284KB

    Download

  • memory/2304-0-0x00000000003D0000-0x00000000003D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2304-2-0x00000000003D0000-0x00000000003D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2304-127-0x0000000076B10000-0x0000000076B57000-memory.dmp

    Filesize

    284KB

    Download

  • memory/2304-4-0x00000000003D0000-0x00000000003D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2304-126-0x0000000000220000-0x00000000002A9000-memory.dmp

    Filesize

    548KB

    Download

  • memory/2784-57-0x00000000004C0000-0x0000000000549000-memory.dmp

    Filesize

    548KB

    Download

  • memory/2784-56-0x00000000004C0000-0x0000000000549000-memory.dmp

    Filesize

    548KB

    Download