Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/02/2025, 04:49

General

  • Target

    JaffaCakes118_2ad0882bd65c724bc72a5551cfc4deac.exe

  • Size

    251KB

  • MD5

    2ad0882bd65c724bc72a5551cfc4deac

  • SHA1

    aa4ad1269bc7852513c2c09b3b83f19b62b370e4

  • SHA256

    3764002f8b40e8752ba731f80116fa83adff90d1e142cd1a8973515418d97d7b

  • SHA512

    f554741dc123ead7faff2342467609385f020feb12c330c8090a65635c1d3cc95322a5ef886b9e88b07f60af5920babeeb6917f016c693311cdc4db352449aee

  • SSDEEP

    6144:McNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37s:McW7KEZlPzCy37

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

62.201.240.82:1604

Mutex

DC_MUTEX-Q2YYCL4

Attributes
  • InstallPath

    MSDCSC\msdcsc.bat

  • gencode

    WYKYDgPxBWPJ

  • install

    true

  • offline_keylogger

    true

  • password

    0123456789

  • persistence

    true

  • reg_key

    MicroUpdate

rc4.plain

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Darkcomet family
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2ad0882bd65c724bc72a5551cfc4deac.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2ad0882bd65c724bc72a5551cfc4deac.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3744
    • C:\Users\Admin\Documents\MSDCSC\msdcsc.bat
      "C:\Users\Admin\Documents\MSDCSC\msdcsc.bat"
      2⤵
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:780
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        3⤵
        • Disables RegEdit via registry modification
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3456
        • C:\Windows\SysWOW64\notepad.exe
          notepad
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1192

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Documents\MSDCSC\msdcsc.bat

    Filesize

    251KB

    MD5

    2ad0882bd65c724bc72a5551cfc4deac

    SHA1

    aa4ad1269bc7852513c2c09b3b83f19b62b370e4

    SHA256

    3764002f8b40e8752ba731f80116fa83adff90d1e142cd1a8973515418d97d7b

    SHA512

    f554741dc123ead7faff2342467609385f020feb12c330c8090a65635c1d3cc95322a5ef886b9e88b07f60af5920babeeb6917f016c693311cdc4db352449aee

  • memory/780-8-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/780-9-0x00000000007D0000-0x00000000007D1000-memory.dmp

    Filesize

    4KB

  • memory/780-12-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/1192-13-0x0000000000F80000-0x0000000000F81000-memory.dmp

    Filesize

    4KB

  • memory/3456-10-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/3744-0-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/3744-1-0x0000000002350000-0x0000000002351000-memory.dmp

    Filesize

    4KB

  • memory/3744-15-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB