Analysis

  • max time kernel
    144s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/03/2025, 06:31

General

  • Target

    JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe

  • Size

    1.4MB

  • MD5

    374e6afe24154e3613673122861ce0cf

  • SHA1

    2cfd69c9bb0f9f20ebe971c1dfe909fb11601a75

  • SHA256

    ae3507004a75fcdd9a75b8453ef276328cf089476ce0d840c027feaf0056f13d

  • SHA512

    b887235ab7852a5f4073b67fe5b89034c0741cf87dfe4541caf3974a0322e9c0784010a86d2e8eedaad73cf058b2f8d11be5f212730b4ff388613d13d9ef81ae

  • SSDEEP

    24576:+R3lQvH82TNdxtlF2jx1JT7ySLrJ7BcBBTXjYkhFH5tMdzFpLgitgN:8lQvH3dozB7ySPryTTnFHPED1g

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

127.0.0.1:200

michaelmichael.myftp.org:200

Mutex

DC_MUTEX-L8WW51F

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    WcQCytYXn2FT

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

rc4.plain

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Darkcomet family
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe"
    1⤵
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2312
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      2⤵
      • Modifies WinLogon for persistence
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2556
      • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2668
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wg1flxsj.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1692
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES10A0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE6C442FDB7514821B5B3546D3AB8B4A6.TMP"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3672
    • C:\Users\Admin\AppData\Roaming\246535.exe
      "C:\Users\Admin\AppData\Roaming\246535.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4356

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES10A0.tmp

    Filesize

    1KB

    MD5

    e1c60275e242fff8001bcb7c9c23e34b

    SHA1

    3a4c069c6751c54828874df05d09e7f11e322228

    SHA256

    8f0bb6401a89267e375ef282651679bb448ac0141423759ffd95b7a6f160ccb3

    SHA512

    c9e77a1cded24b1aefa50e47563d77ee30da69d9d6b7584c2c7323561bc7f01fee99d5baf5e54342d57801e3e40cfb60e3b8a281427eb5347852b3f3968646fd

  • C:\Users\Admin\AppData\Local\Temp\vbcE6C442FDB7514821B5B3546D3AB8B4A6.TMP

    Filesize

    880B

    MD5

    459f17fff65bc1f8d8f876e58626f93f

    SHA1

    984986836d1bfe17c5bce7939bb96f08ca5ea182

    SHA256

    852e11326fe00a3ce5affd5dbb6258a4e5c6956e2c2654c7371e6c73b1644cd0

    SHA512

    312c9a9507c37087d2799ae062723651e752c50fe3bb43cd42d214fcb830c3d6196d24dad0812a1bc14700175689a6aa21db411623fe432071191801182c0e93

  • C:\Users\Admin\AppData\Local\Temp\wg1flxsj.0.vb

    Filesize

    1KB

    MD5

    26b5026eab85d8e3d21427ffeba6c8a3

    SHA1

    b2361ad23c266730e9af34500be54ff9391961b7

    SHA256

    d36997f507d4ca2e49640d979b558b819fe494ecaa678d587fe19f8d018d68ca

    SHA512

    4306e5e1b4657c55dced4ec2428edff313672fd675af197eee25ca7306a5512f8df7f42fab2253614f6a851c1f44ca3793fa062fdc199a8bf7647c89c723559d

  • C:\Users\Admin\AppData\Local\Temp\wg1flxsj.cmdline

    Filesize

    234B

    MD5

    f7cc3e92b0cad61d8238100483da1f2e

    SHA1

    6ade823dea52af3f83853e06eac52dcd377de710

    SHA256

    19e98299b48a4136ce17dcd60a47027079b262ffa718aab27c432bfb778152f5

    SHA512

    dd054c219d9a1939d6cc64c77a19a1748f3cfe1d4785c6a0dbf92ddea8cc3e10b9d14ccf86049da218b068de4963ea800e73476134218b7cde5bf033a976364d

  • C:\Users\Admin\AppData\Roaming\246535.exe

    Filesize

    7KB

    MD5

    e08e1baaee539c9a015b7b986dd2e344

    SHA1

    513e172e1574b3cf6d44ec2b8f4881ae69e97201

    SHA256

    e38c599dcd27791a425d66c4f2e112b8a2788a84ef0da88282f745d8b7aff3ca

    SHA512

    71aa40d91bc1c090ff89b88033cdac0b6ac01d0512fb514e0b1739e074e1758f76f5cdb17a591c318a7f5c219c83f5752ff1c2cbc746be2755d4398105ce461a

  • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

    Filesize

    1.1MB

    MD5

    d881de17aa8f2e2c08cbb7b265f928f9

    SHA1

    08936aebc87decf0af6e8eada191062b5e65ac2a

    SHA256

    b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

    SHA512

    5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

  • memory/1692-74-0x0000000000400000-0x000000000051F000-memory.dmp

    Filesize

    1.1MB

  • memory/1692-23-0x0000000000400000-0x000000000051F000-memory.dmp

    Filesize

    1.1MB

  • memory/2312-93-0x00000000746E0000-0x0000000074C91000-memory.dmp

    Filesize

    5.7MB

  • memory/2312-88-0x00000000746E2000-0x00000000746E3000-memory.dmp

    Filesize

    4KB

  • memory/2312-89-0x00000000746E0000-0x0000000074C91000-memory.dmp

    Filesize

    5.7MB

  • memory/2312-0-0x00000000746E2000-0x00000000746E3000-memory.dmp

    Filesize

    4KB

  • memory/2312-2-0x00000000746E0000-0x0000000074C91000-memory.dmp

    Filesize

    5.7MB

  • memory/2312-1-0x00000000746E0000-0x0000000074C91000-memory.dmp

    Filesize

    5.7MB

  • memory/2556-11-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/2556-86-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/2556-12-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/2556-7-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/2556-6-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/2556-5-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB