Analysis Overview
SHA256
835a841e88d2e1271dd94e02f014328ff3dbceb824f7b2a28d8709272ef182b8
Threat Level: Known bad
The file JaffaCakes118_2acc16a150393bae22055e5612e71af1 was found to be: Known bad.
Malicious Activity Summary
Darkcomet
Darkcomet family
Writes to the Master Boot Record (MBR)
Suspicious use of SetThreadContext
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-02-27 04:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-27 04:44
Reported
2025-02-27 04:47
Platform
win7-20240903-en
Max time kernel
149s
Max time network
123s
Command Line
Signatures
Darkcomet
Darkcomet family
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2acc16a150393bae22055e5612e71af1.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2392 set thread context of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2acc16a150393bae22055e5612e71af1.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2acc16a150393bae22055e5612e71af1.exe |
| PID 2672 set thread context of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2acc16a150393bae22055e5612e71af1.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2acc16a150393bae22055e5612e71af1.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2acc16a150393bae22055e5612e71af1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2acc16a150393bae22055e5612e71af1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2acc16a150393bae22055e5612e71af1.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2acc16a150393bae22055e5612e71af1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2acc16a150393bae22055e5612e71af1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2acc16a150393bae22055e5612e71af1.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2acc16a150393bae22055e5612e71af1.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2acc16a150393bae22055e5612e71af1.exe"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2acc16a150393bae22055e5612e71af1.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2acc16a150393bae22055e5612e71af1.exe"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2acc16a150393bae22055e5612e71af1.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2acc16a150393bae22055e5612e71af1.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp |
Files
memory/2672-2-0x0000000000400000-0x00000000004AE000-memory.dmp
memory/2672-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2672-6-0x0000000000400000-0x00000000004AE000-memory.dmp
memory/2672-14-0x0000000000400000-0x00000000004AE000-memory.dmp
memory/2672-12-0x0000000000400000-0x00000000004AE000-memory.dmp
memory/2672-4-0x0000000000400000-0x00000000004AE000-memory.dmp
memory/2648-17-0x0000000000400000-0x00000000004AF000-memory.dmp
memory/2648-25-0x0000000000400000-0x00000000004AF000-memory.dmp
memory/2648-19-0x0000000000400000-0x00000000004AF000-memory.dmp
memory/2648-21-0x0000000000400000-0x00000000004AF000-memory.dmp
memory/2648-41-0x0000000000400000-0x00000000004AF000-memory.dmp
memory/2648-42-0x0000000000400000-0x00000000004AF000-memory.dmp
memory/2672-40-0x0000000000400000-0x00000000004AE000-memory.dmp
memory/2648-39-0x0000000000400000-0x00000000004AF000-memory.dmp
memory/2648-36-0x0000000000400000-0x00000000004AF000-memory.dmp
memory/2648-31-0x0000000000400000-0x00000000004AF000-memory.dmp
memory/2648-29-0x0000000000400000-0x00000000004AF000-memory.dmp
memory/2648-27-0x0000000000400000-0x00000000004AF000-memory.dmp
memory/2648-23-0x0000000000400000-0x00000000004AF000-memory.dmp
memory/2648-35-0x0000000000400000-0x00000000004AF000-memory.dmp
memory/2648-45-0x0000000000400000-0x00000000004AF000-memory.dmp
memory/2648-44-0x0000000000400000-0x00000000004AF000-memory.dmp
memory/2648-43-0x0000000000400000-0x00000000004AF000-memory.dmp
memory/2648-46-0x0000000000400000-0x00000000004AF000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-02-27 04:44
Reported
2025-02-27 04:47
Platform
win10v2004-20250217-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Darkcomet
Darkcomet family
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2acc16a150393bae22055e5612e71af1.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 928 set thread context of 64 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2acc16a150393bae22055e5612e71af1.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2acc16a150393bae22055e5612e71af1.exe |
| PID 64 set thread context of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2acc16a150393bae22055e5612e71af1.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2acc16a150393bae22055e5612e71af1.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2acc16a150393bae22055e5612e71af1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2acc16a150393bae22055e5612e71af1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2acc16a150393bae22055e5612e71af1.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2acc16a150393bae22055e5612e71af1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2acc16a150393bae22055e5612e71af1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2acc16a150393bae22055e5612e71af1.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2acc16a150393bae22055e5612e71af1.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2acc16a150393bae22055e5612e71af1.exe"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2acc16a150393bae22055e5612e71af1.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2acc16a150393bae22055e5612e71af1.exe"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2acc16a150393bae22055e5612e71af1.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2acc16a150393bae22055e5612e71af1.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | udp |
Files
memory/64-2-0x0000000000400000-0x00000000004AE000-memory.dmp
memory/64-4-0x0000000000400000-0x00000000004AE000-memory.dmp
memory/2340-8-0x0000000000400000-0x00000000004AF000-memory.dmp
memory/2340-7-0x0000000000400000-0x00000000004AF000-memory.dmp
memory/64-11-0x0000000000400000-0x00000000004AE000-memory.dmp
memory/2340-12-0x0000000000400000-0x00000000004AF000-memory.dmp
memory/2340-13-0x0000000000400000-0x00000000004AF000-memory.dmp
memory/2340-14-0x0000000000400000-0x00000000004AF000-memory.dmp
memory/2340-16-0x0000000000400000-0x00000000004AF000-memory.dmp
memory/2340-17-0x0000000000400000-0x00000000004AF000-memory.dmp
memory/2340-15-0x0000000000400000-0x00000000004AF000-memory.dmp
memory/2340-18-0x0000000000400000-0x00000000004AF000-memory.dmp
memory/2340-20-0x0000000000400000-0x00000000004AF000-memory.dmp
memory/2340-22-0x0000000000400000-0x00000000004AF000-memory.dmp
memory/2340-24-0x0000000000400000-0x00000000004AF000-memory.dmp
memory/2340-27-0x0000000000400000-0x00000000004AF000-memory.dmp
memory/2340-28-0x0000000000400000-0x00000000004AF000-memory.dmp
memory/2340-29-0x0000000000400000-0x00000000004AF000-memory.dmp