Analysis Overview
SHA256
9f80f443cc464de6d17678e94e25cede1218568b75a2e89a0278b766fb07f37a
Threat Level: Known bad
The file JaffaCakes118_2fa2de66b1ca550b11513f0cb325e8e0 was found to be: Known bad.
Malicious Activity Summary
Darkcomet family
Darkcomet
Modifies WinLogon for persistence
Sets file to hidden
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Deletes itself
Adds Run key to start application
Program crash
Suspicious use of SetThreadContext
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Views/modifies file attributes
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-02-27 21:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-27 21:30
Reported
2025-02-27 21:32
Platform
win7-20240903-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Darkcomet
Darkcomet family
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2fa2de66b1ca550b11513f0cb325e8e0.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\notepad.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2fa2de66b1ca550b11513f0cb325e8e0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2fa2de66b1ca550b11513f0cb325e8e0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\System32dll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2fa2de66b1ca550b11513f0cb325e8e0.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1808 set thread context of 1872 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2fa2de66b1ca550b11513f0cb325e8e0.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2fa2de66b1ca550b11513f0cb325e8e0.exe |
| PID 2444 set thread context of 2924 | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe |
| PID 2924 set thread context of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2fa2de66b1ca550b11513f0cb325e8e0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2fa2de66b1ca550b11513f0cb325e8e0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2fa2de66b1ca550b11513f0cb325e8e0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2fa2de66b1ca550b11513f0cb325e8e0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2fa2de66b1ca550b11513f0cb325e8e0.exe"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2fa2de66b1ca550b11513f0cb325e8e0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2fa2de66b1ca550b11513f0cb325e8e0.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2fa2de66b1ca550b11513f0cb325e8e0.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2fa2de66b1ca550b11513f0cb325e8e0.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
"C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 48
Network
Files
memory/1808-0-0x0000000000020000-0x0000000000024000-memory.dmp
memory/1872-1-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1872-5-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1872-7-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1872-20-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1872-21-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1872-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1872-11-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1872-9-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1872-19-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1872-22-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1872-15-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1872-23-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1872-13-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1872-3-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2708-49-0x00000000002A0000-0x00000000002A1000-memory.dmp
memory/2708-26-0x0000000000080000-0x0000000000081000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
| MD5 | 2fa2de66b1ca550b11513f0cb325e8e0 |
| SHA1 | 8ecbfa853696eb382744d311cd353a6bf2d2f483 |
| SHA256 | 9f80f443cc464de6d17678e94e25cede1218568b75a2e89a0278b766fb07f37a |
| SHA512 | 86391843d66dd56d35b2eee5e43e02bdc0162d23c61e79b344888cfa41c1ffb8a62f00ff04ec7e59a3eb4c380c1b3d8cda1838b12dda9abe955558bb658bbaa7 |
memory/1872-60-0x0000000000400000-0x00000000004BD000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-02-27 21:30
Reported
2025-02-27 21:32
Platform
win10v2004-20250217-en
Max time kernel
94s
Max time network
144s
Command Line
Signatures
Darkcomet
Darkcomet family
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2fa2de66b1ca550b11513f0cb325e8e0.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2fa2de66b1ca550b11513f0cb325e8e0.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\notepad.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System32dll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2fa2de66b1ca550b11513f0cb325e8e0.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1084 set thread context of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2fa2de66b1ca550b11513f0cb325e8e0.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2fa2de66b1ca550b11513f0cb325e8e0.exe |
| PID 4780 set thread context of 1968 | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe |
| PID 1968 set thread context of 2324 | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2fa2de66b1ca550b11513f0cb325e8e0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2fa2de66b1ca550b11513f0cb325e8e0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2fa2de66b1ca550b11513f0cb325e8e0.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2fa2de66b1ca550b11513f0cb325e8e0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2fa2de66b1ca550b11513f0cb325e8e0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2fa2de66b1ca550b11513f0cb325e8e0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2fa2de66b1ca550b11513f0cb325e8e0.exe"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2fa2de66b1ca550b11513f0cb325e8e0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2fa2de66b1ca550b11513f0cb325e8e0.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2fa2de66b1ca550b11513f0cb325e8e0.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2fa2de66b1ca550b11513f0cb325e8e0.exe" +s +h
C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
"C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2324 -ip 2324
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 224
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/1084-0-0x00000000001D0000-0x00000000001D4000-memory.dmp
memory/2052-1-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2052-2-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2052-3-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2052-4-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2052-5-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/4348-8-0x0000000000720000-0x0000000000721000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
| MD5 | 2fa2de66b1ca550b11513f0cb325e8e0 |
| SHA1 | 8ecbfa853696eb382744d311cd353a6bf2d2f483 |
| SHA256 | 9f80f443cc464de6d17678e94e25cede1218568b75a2e89a0278b766fb07f37a |
| SHA512 | 86391843d66dd56d35b2eee5e43e02bdc0162d23c61e79b344888cfa41c1ffb8a62f00ff04ec7e59a3eb4c380c1b3d8cda1838b12dda9abe955558bb658bbaa7 |
memory/2052-69-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1968-73-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1968-74-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2324-75-0x0000000000400000-0x00000000004C4000-memory.dmp
memory/1968-76-0x0000000000400000-0x00000000004BD000-memory.dmp