Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/02/2025, 19:05

General

  • Target

    JaffaCakes118_33ecc627f63b589e7ff67c248d1ec3cf.exe

  • Size

    749KB

  • MD5

    33ecc627f63b589e7ff67c248d1ec3cf

  • SHA1

    8a2a93ff1553cf2450c9eca7842d8b118b5554a5

  • SHA256

    453976d3f2a82bb38764809e037bd2cb845a3e190d0de31d7c145fc9d6fc5246

  • SHA512

    5636ac89275f9faa37c25aea1fd0216e493a637e9635361e4575429ee06875441b44b6f8f236d427577f22fa24d3caef8ec4f9499bc1adf27e049869156f6632

  • SSDEEP

    12288:5wnH/+HdB63tW/xWp2yS2Y+WiB2R4phHNWVXwGnT9E4ysep+YVtVFQ/f3Fz:iHKdcW5H2Y+WiB2RCWtxT9EnsfYVtTQH

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

freakyland.no-ip.biz:84

Mutex

DC_MUTEX-F54S21D

Attributes
  • gencode

    $z2GzzGzm=iD

  • install

    false

  • offline_keylogger

    false

  • persistence

    false

rc4.plain

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Darkcomet family
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_33ecc627f63b589e7ff67c248d1ec3cf.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_33ecc627f63b589e7ff67c248d1ec3cf.exe"
    1⤵
    • Checks BIOS information in registry
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2424
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2444

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\jI82l\PCGWIN32.LI5

    Filesize

    2KB

    MD5

    c4e9f32138049dc7f8eebacb9bc6a4e7

    SHA1

    effb1b364002580fc2a25c8f64afc80f3184af6f

    SHA256

    7f3cbefaf8f0f7dab5a28fe6c16ab34816b8e568db29aa7b875fbf37a2d526fb

    SHA512

    cfaa70d563d597e8aa0d37d1312aa820b19a6967767e545a2c4241fb8a91679ad6132fda781edd3581e369e42f162881e849ffbcd81c7b15128fecdb3d263ffa

  • C:\ProgramData\jI82l\PCGWIN32.LI5

    Filesize

    2KB

    MD5

    e5825b207e27fcfa469128e6d910fca2

    SHA1

    5260aa28ff74d3c172f54d338bf8eaa24b87d947

    SHA256

    08b5e8c1e7d50025320dd7ffaac4939b1398100b46217eff50fcdcbb612b3e0d

    SHA512

    349c508f2e4de22f6a2c2b69ccadf5c15d240d64bcdddd437f0722ccafa0e2a8d499c8e9c360a4cd845eba645dcd4c448b4e34b34323b9020f5b9f6f07e77dbd

  • memory/2424-0-0x0000000013140000-0x000000001320D000-memory.dmp

    Filesize

    820KB

  • memory/2424-12-0x00000000002F0000-0x00000000002F1000-memory.dmp

    Filesize

    4KB

  • memory/2424-21-0x0000000013140000-0x000000001320D000-memory.dmp

    Filesize

    820KB

  • memory/2444-13-0x0000000013140000-0x000000001320D000-memory.dmp

    Filesize

    820KB

  • memory/2444-20-0x0000000013140000-0x000000001320D000-memory.dmp

    Filesize

    820KB

  • memory/2444-22-0x0000000013140000-0x000000001320D000-memory.dmp

    Filesize

    820KB

  • memory/2444-19-0x0000000013140000-0x000000001320D000-memory.dmp

    Filesize

    820KB

  • memory/2444-17-0x0000000013140000-0x000000001320D000-memory.dmp

    Filesize

    820KB

  • memory/2444-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2444-35-0x0000000013140000-0x000000001320D000-memory.dmp

    Filesize

    820KB