Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20250217-en
resource tags: arch:x64 arch:x86 image:win10v2004-20250217-en locale:en-us os:windows10-2004-x64 system
submitted: 26/02/2025, 19:05
Behavioral task
behavioral1
Sample: JaffaCakes118_27f6e79bf04f1af7f41f50760c597893.exe
Resource: win7-20240903-en
General
Target: JaffaCakes118_27f6e79bf04f1af7f41f50760c597893.exe
Size: 1.0MB
MD5: 27f6e79bf04f1af7f41f50760c597893
SHA1: d52d80ccb437c2cc652b98c504f7a0ee1b0136d4
SHA256: ce10c10d0a415c12551d2b8273a351d33afac796203bb50cf4d4d2c8d57b8a04
SHA512: c062fff700338354c31395cd1f7a63615ffb34ac743286fcd1e3664551032db331d97065dfbf4ef5289c1a8ab2d9733695b8f0c91aee4a366a996c22030636ad
SSDEEP: 12288:17Ibrt7GShRkOjsjIJ4JMLfodW/hazQ9UcA1kWUktNbgZyyaw6x94n1icb5zMQIp:17MPEQtnFVzIw3lKk1SKTWReDPs
Malware Config
Extracted
family: darkcomet
SID (campaign ID): Guest16
C2: moodi1231.no-ip.info:1604
mutex: DC_MUTEX-FCHAXEB
gencode: 3DtAFWPacedK
install: false
offline_keylogger: true
persistence: false
Extracted
family: darkcomet
gencode: (empty in the report)
install: false
offline_keylogger: false
persistence: false
The C2 is a dynamic-DNS hostname (no-ip.info) on 1604, DarkComet's default listener port; the mutex name and the SID are the values to pivot on across samples. Note that install and persistence are false in both extracted configs, yet the dropped MsCtfMonitor.exe still writes a Run key (see Signatures), so do not scope persistence from the config flags alone.
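The config fields above are what a DarkComet config extractor recovers from the binary. The script below is an added example, not code from the sandbox and not DarkComet's own code: it decrypts a DarkComet-style DCDATA blob and maps the raw fields onto the labels the report uses. Its assumptions come from public DarkComet 5.x write-ups rather than from this report: the config sits in an RCDATA resource named DCDATA as an uppercase hex string of RC4 ciphertext; the RC4 key is a build-version string such as "#KCMDDC51#-890" with the builder password, if one was set, appended; and the plaintext is KEY={value} lines between "#BEGIN DARKCOMET DATA" and "#EOF DARKCOMET DATA" (MUTEX, SID, NETDATA, GENCODE, INSTALL, PERSINST, OFFLINEK, KEYNAME). The blob it decrypts is constructed in the script from the report's values so that it runs offline; it was not carved from the sample.

```python
"""Added example: decrypt and parse a DarkComet-style DCDATA config blob.
Field names, resource layout and RC4 key strings are assumptions taken from
public DarkComet 5.x analyses; the sample blob is constructed below."""
import re

# Candidate RC4 keys for different DarkComet builds (assumed; extend as needed).
DEFAULT_KEYS = [
    "#KCMDDC51#-890",   # 5.1 / 5.3
    "#KCMDDC5#-890",    # 5.0
    "#KCMDDC42F#-890",  # 4.2F
    "#KCMDDC2#-890",    # 3.x
]
BEGIN_MARK = "#BEGIN DARKCOMET DATA"
LINE_RE = re.compile(r"^([A-Z0-9]+)=\{(.*)\}\s*$")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_dcdata(plaintext: str, key: str) -> str:
    """Constructed stand-in for a DCDATA resource: hex(RC4(key, plaintext))."""
    return rc4(key.encode(), plaintext.encode()).hex().upper()


def decrypt_config(hex_blob: str, password: str = "", keys=DEFAULT_KEYS):
    """Try each candidate key (plus password) and accept the first plaintext
    that carries the begin marker. Returns (fields, key) or (None, None)."""
    data = bytes.fromhex(hex_blob)
    for base in keys:
        key = base + password
        try:
            text = rc4(key.encode(), data).decode("ascii")
        except UnicodeDecodeError:
            continue  # wrong key: the output is keystream noise, not ASCII
        if BEGIN_MARK not in text:
            continue
        fields = {}
        for line in text.splitlines():
            m = LINE_RE.match(line.strip())
            if m:
                fields[m.group(1)] = m.group(2)
        return fields, key
    return None, None


def summarize(fields: dict) -> dict:
    """Map raw DarkComet fields onto the labels the report uses. NETDATA may
    hold several host:port pairs separated by '|' (assumed)."""
    def flag(name):
        return fields.get(name, "0") == "1"

    c2 = []
    for entry in fields.get("NETDATA", "").split("|"):
        host, _, port = entry.rpartition(":")
        if host and port.isdigit():
            c2.append((host, int(port)))
    return {
        "campaign_id": fields.get("SID"),
        "c2": c2,
        "mutex": fields.get("MUTEX"),
        "gencode": fields.get("GENCODE"),
        "install": flag("INSTALL"),
        "offline_keylogger": flag("OFFLINEK"),
        "persistence": flag("PERSINST"),
        "run_key_name": fields.get("KEYNAME"),
    }


# Constructed plaintext carrying the values this report extracted.
SAMPLE_CONFIG = """#BEGIN DARKCOMET DATA --
MUTEX={DC_MUTEX-FCHAXEB}
SID={Guest16}
NETDATA={moodi1231.no-ip.info:1604}
GENCODE={3DtAFWPacedK}
INSTALL={0}
PERSINST={0}
OFFLINEK={1}
KEYNAME={Activex Application Updater}
#EOF DARKCOMET DATA --
"""
SAMPLE_BLOB = build_dcdata(SAMPLE_CONFIG, "#KCMDDC51#-890")

if __name__ == "__main__":
    fields, key = decrypt_config(SAMPLE_BLOB)
    print("key:", key)
    for name, value in summarize(fields).items():
        print(f"{name}: {value}")
```

On a real sample you would read the DCDATA resource out of the PE (for example with pefile) and pass its ASCII hex content to decrypt_config; if every default key fails, the build was password-protected and the password must be supplied.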
Signatures
Darkcomet family
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation | JaffaCakes118_27f6e79bf04f1af7f41f50760c597893.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation | MsCtfMonitor.exe
Executes dropped EXE 2 IoCs
pid | Process
2008 | MsCtfMonitor.exe
2960 | rtscom.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Activex Application Updater = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\MsCtfMonitor.exe" | MsCtfMonitor.exe
The autorun lands in the user's own hive (HKCU), so it needs no elevation, and it points at a dropped binary under %APPDATA%\Microsoft\Windows\Templates that borrows the name of a legitimate Windows component (MsCtfMonitor). The value name and file name are easy to vary; a Run entry whose target sits in a user-writable directory is the robust signal to alert on.
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 4760 set thread context of 3120 | 4760 | JaffaCakes118_27f6e79bf04f1af7f41f50760c597893.exe | 98
PID 2960 set thread context of 5748 | 2960 | rtscom.exe | 111
Both targets are freshly started, argument-less AppLaunch.exe instances (PIDs 3120 and 5748 in the process tree) that the same parent also wrote into (see the WriteProcessMemory entries). Creating a child, writing to it and then resetting its thread context is the process-hollowing pattern: the DarkComet payload ends up running under the image of a signed .NET framework binary.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_27f6e79bf04f1af7f41f50760c597893.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AppLaunch.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsCtfMonitor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rtscom.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AppLaunch.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | rows
4760 | JaffaCakes118_27f6e79bf04f1af7f41f50760c597893.exe | 63
2008 | MsCtfMonitor.exe | 1
(The original table lists each enumeration as a separate row; collapsed here by pid.)
Suspicious use of AdjustPrivilegeToken 51 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4760 | JaffaCakes118_27f6e79bf04f1af7f41f50760c597893.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (24 privileges) | 3120 | AppLaunch.exe
Token: SeDebugPrivilege | 2008 | MsCtfMonitor.exe
Token: SeDebugPrivilege | 2960 | rtscom.exe
Token: the same 24 privileges as PID 3120 | 5748 | AppLaunch.exe
Privileges 33 to 36 are reported by LUID only; in winnt.h these are SeIncreaseWorkingSetPrivilege (33), SeTimeZonePrivilege (34), SeCreateSymbolicLinkPrivilege (35) and SeDelegateSessionUserImpersonatePrivilege (36). Enabling every privilege in one pass is the injected payload turning on whatever the token already holds; AdjustTokenPrivileges cannot add privileges the token lacks, so which of these actually took effect depends on the integrity level the sample ran at, which the report does not state.
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
3120 | AppLaunch.exe
A Windows hook installed from inside the hollowed AppLaunch.exe (PID 3120) is consistent with offline_keylogger = true in the first extracted config; the second AppLaunch.exe instance (PID 5748) installs no hook.
Suspicious use of WriteProcessMemory 34 IoCs
description | pid | Process | procid_target
PID 4760 wrote to memory of 3120 (repeated) | 4760 | JaffaCakes118_27f6e79bf04f1af7f41f50760c597893.exe | 98
PID 4760 wrote to memory of 2008 (repeated) | 4760 | JaffaCakes118_27f6e79bf04f1af7f41f50760c597893.exe | 99
PID 2008 wrote to memory of 2960 (repeated) | 2008 | MsCtfMonitor.exe | 100
PID 2960 wrote to memory of 5748 (repeated) | 2960 | rtscom.exe | 111
(The original table lists each write as a separate row, 34 in total; collapsed here to the four distinct writer/target pairs.)
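The signature tables above are most useful when correlated rather than read row by row: a parent that both wrote into a child and reset the child's thread context is a hollowing candidate, and a Run value whose target is in a user-writable directory is the persistence to hunt for. The script below is an added example and not code from the sandbox; it feeds rows copied from the tables above (REPORT_ROWS) and the pid-to-image map from the Processes section (PROCESS_IMAGES) through those two rules. The rule names, the "child image under C:\Windows" heuristic and the list of user-writable path markers are my choices, not anything the report states.

```python
"""Added example: correlate sandbox signature rows into two findings,
process-hollowing pairs (WriteProcessMemory + SetThreadContext on the same
parent/child) and autorun entries pointing into user-writable paths.
Input rows are copied from the report; the heuristics are mine."""
import re
from collections import defaultdict

REPORT_ROWS = [
    "PID 4760 set thread context of 3120 4760 JaffaCakes118_27f6e79bf04f1af7f41f50760c597893.exe 98",
    "PID 2960 set thread context of 5748 2960 rtscom.exe 111",
    "PID 4760 wrote to memory of 3120 4760 JaffaCakes118_27f6e79bf04f1af7f41f50760c597893.exe 98",
    "PID 4760 wrote to memory of 2008 4760 JaffaCakes118_27f6e79bf04f1af7f41f50760c597893.exe 99",
    "PID 2008 wrote to memory of 2960 2008 MsCtfMonitor.exe 100",
    "PID 2960 wrote to memory of 5748 2960 rtscom.exe 111",
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000'
    r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Activex Application Updater'
    r' = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\MsCtfMonitor.exe" MsCtfMonitor.exe',
]

# pid -> image path, taken from the Processes section of the report.
PROCESS_IMAGES = {
    4760: r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_27f6e79bf04f1af7f41f50760c597893.exe",
    3120: r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe",
    2008: r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MsCtfMonitor.exe",
    2960: r"C:\Users\Admin\AppData\Local\Temp\rtscom.exe",
    5748: r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe",
}

MEM_RE = re.compile(r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ \S+ \d+$")
RUN_RE = re.compile(r'^Set value \(str\) (\\REGISTRY\\\S+\\CurrentVersion\\Run\\[^=]+?) = "([^"]+)" (\S+)$')
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")  # assumed list
HOLLOW_ACTIONS = {"wrote to memory of", "set thread context of"}


def parse_rows(rows):
    """Split report rows into (src, action, dst) memory events and
    (value name, target path, writing process) Run-key writes."""
    mem, runs = [], []
    for row in rows:
        m = MEM_RE.match(row)
        if m:
            mem.append((int(m.group(1)), m.group(2), int(m.group(3))))
            continue
        r = RUN_RE.match(row)
        if r:
            name = r.group(1).rsplit("\\", 1)[1]
            target = r.group(2).replace("\\\\", "\\")  # undo the report's escaping
            runs.append((name, target, r.group(3)))
    return mem, runs


def find_hollowing(mem_events, images):
    """Parent/child pairs that saw both a memory write and a thread-context
    reset, sorted by (parent, child) pid; flags children under C:\\Windows."""
    seen = defaultdict(set)
    for src, action, dst in mem_events:
        seen[(src, dst)].add(action)
    findings = []
    for (src, dst), actions in sorted(seen.items()):
        if HOLLOW_ACTIONS <= actions:
            child = images.get(dst, "")
            findings.append({
                "parent_pid": src, "child_pid": dst,
                "parent_image": images.get(src, "?"), "child_image": child,
                "child_is_system_binary": child.lower().startswith("c:\\windows\\"),
            })
    return findings


def find_suspicious_autoruns(run_entries):
    """Run-key values whose target lives somewhere a standard user can write."""
    return [
        {"value_name": name, "target": target, "written_by": writer}
        for name, target, writer in run_entries
        if any(marker in target.lower() for marker in USER_WRITABLE)
    ]


if __name__ == "__main__":
    mem, runs = parse_rows(REPORT_ROWS)
    for f in find_hollowing(mem, PROCESS_IMAGES):
        print("hollowing:", f)
    for a in find_suspicious_autoruns(runs):
        print("autorun:", a)
```

On a live host the thread-context half of the first rule needs API-level telemetry from an EDR or ETW-TI, since Sysmon does not record SetThreadContext; the memory-write half surfaces as Sysmon Event ID 10 (ProcessAccess) with a write-capable access mask, and the Run-key write as Event ID 13 (registry value set).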
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_27f6e79bf04f1af7f41f50760c597893.exe (depth 1, PID 4760)
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_27f6e79bf04f1af7f41f50760c597893.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe (depth 2, PID 3120)
    command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MsCtfMonitor.exe (depth 2, PID 2008)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MsCtfMonitor.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\rtscom.exe (depth 3, PID 2960)
      command line: "C:\Users\Admin\AppData\Local\Temp\rtscom.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe (depth 4, PID 5748)
        command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.0MB
MD5: 27f6e79bf04f1af7f41f50760c597893
SHA1: d52d80ccb437c2cc652b98c504f7a0ee1b0136d4
SHA256: ce10c10d0a415c12551d2b8273a351d33afac796203bb50cf4d4d2c8d57b8a04
SHA512: c062fff700338354c31395cd1f7a63615ffb34ac743286fcd1e3664551032db331d97065dfbf4ef5289c1a8ab2d9733695b8f0c91aee4a366a996c22030636ad

Filesize: 9KB
MD5: 647877b85c58069ec029be692f92b5a9
SHA1: 83992787b164769fd57db74a6aa76592d1d1ac36
SHA256: 8c4782baeaa123cec28fdae782020122adfdba8bee767bc3c19f6293b8c88fa4
SHA512: 6b7bca094fc5f4541ef77cdaf7aaa298661057f7ee60a11bcb7c5dc784d72eecbdbcefdbd69286c259fa4517286f810ee2281c3441a591aedd68ed43afa24ec2