Analysis Overview
SHA256
ae3507004a75fcdd9a75b8453ef276328cf089476ce0d840c027feaf0056f13d
Threat Level: Known bad
The file JaffaCakes118_374e6afe24154e3613673122861ce0cf was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Darkcomet family
Darkcomet
Drops startup file
Executes dropped EXE
Uses the VBS compiler for execution
Loads dropped DLL
Checks computer location settings
Drops desktop.ini file(s)
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-03-01 06:31
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-01 06:31
Reported
2025-03-01 06:33
Platform
win7-20240729-en
Max time kernel
117s
Max time network
121s
Command Line
Signatures
Darkcomet
Darkcomet family
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Users\Admin\AppData\Roaming\639624.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Users\Admin\AppData\Roaming\639624.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\639624.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2700 set thread context of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\639624.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\omzthacu.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES36E9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc36E8.tmp"
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
C:\Users\Admin\AppData\Roaming\639624.exe
"C:\Users\Admin\AppData\Roaming\639624.exe"
Network
Files
memory/2700-0-0x0000000074351000-0x0000000074352000-memory.dmp
memory/2700-1-0x0000000074350000-0x00000000748FB000-memory.dmp
memory/2700-2-0x0000000074350000-0x00000000748FB000-memory.dmp
memory/2988-3-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2988-9-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2988-8-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2988-7-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2988-5-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2988-21-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2988-20-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2988-19-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2988-16-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2988-12-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2988-15-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2988-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2988-11-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2988-10-0x0000000000400000-0x00000000004B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\omzthacu.cmdline
| MD5 | 1f7c5e7bedd13d75e15acca15021ed44 |
| SHA1 | 6f0ae2a03cb9e497d151ec1957f0e3859321c556 |
| SHA256 | 147e940988ca7c8ac2fab3008fa4ce28b4b77a5b0158e7597bd8ec72d083be05 |
| SHA512 | a8b21be5faff7f34dbccce3ed9241d359a9924179f949b5a2480febe8a3f502252d9b114cff911417eddc2b4d80df7c0b821f51331cb06954841228fa060d179 |
C:\Users\Admin\AppData\Local\Temp\omzthacu.0.vb
| MD5 | f5555e48384cd68aa11b1bd87b77a787 |
| SHA1 | 46d9a88b64161f24a54beee58613dbcbaadfe509 |
| SHA256 | 17617822583638e9f98c05066a19254fbefe9ffeed6890f0a99f65b44af0bd91 |
| SHA512 | 41300bfa2c0c16b3f794594b5bfe4fbc85ec257bdd930b0ae4d151ad6a9869b5a22dbd9ddd8f834fe8096c56cf9f5d5c1553148c5e4c84f430f2e305f28d75f7 |
memory/2668-27-0x0000000000400000-0x000000000051E000-memory.dmp
memory/2668-36-0x0000000000400000-0x000000000051E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RES36E9.tmp
| MD5 | a5f452e06875da32b03e6bfcbf0ad59c |
| SHA1 | fd3b5db5bf5662f88d2f04c83976cd3b0456b796 |
| SHA256 | 6e543785f2f05f9804196d07b93f42da7a88dc9e9beda6d3e3d670670bc6a95f |
| SHA512 | dddf90876ddedf1a4da9580e3a0e4c96809d425000e629302fdd192f419689603634b22e033a2e627c3c655e4be08c4125b72641b18870cd29da8fdb11a32f6c |
C:\Users\Admin\AppData\Local\Temp\vbc36E8.tmp
| MD5 | 0ede81a10d8a8470634485061fe0a1d3 |
| SHA1 | 5fdb47474f188620014469d2e98014de230bef9d |
| SHA256 | 08ab7778187d0e4c751e38a6bd395c0380088609b2663addc55e75a1ef6ed7e2 |
| SHA512 | 7abae6d02b34d01ef2dd8fada7e25885974846ca2379e589e72fe6680684bef0698afce8679fca0026f2b78eb7473f2e4075291d0c687ca1755021482898ea70 |
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
| MD5 | 34aa912defa18c2c129f1e09d75c1d7e |
| SHA1 | 9c3046324657505a30ecd9b1fdb46c05bde7d470 |
| SHA256 | 6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386 |
| SHA512 | d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98 |
memory/2988-44-0x0000000000400000-0x00000000004B2000-memory.dmp
C:\Users\Admin\AppData\Roaming\639624.exe
| MD5 | 0d0c6e4452ee6c82c0e4eda6631826e3 |
| SHA1 | b134efd9a8f94c8a7e998bc9e508e594fab59493 |
| SHA256 | 87749799af8245411a11367ba00d99de4205adbe5a2e2ad17b428b1330343bdb |
| SHA512 | fcac53f4c1b0a97b707d49182c590216ee4006a453ec73620b11a9746c21d201b22603341ae58dd087e18b5ea690eb7212f72b07fac24ebf1eb105283896bd1b |
memory/2700-51-0x0000000074350000-0x00000000748FB000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-03-01 06:31
Reported
2025-03-01 06:33
Platform
win10v2004-20250217-en
Max time kernel
144s
Max time network
130s
Command Line
Signatures
Darkcomet
Darkcomet family
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Users\Admin\AppData\Roaming\246535.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Users\Admin\AppData\Roaming\246535.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\246535.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2312 set thread context of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | N/A |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\246535.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wg1flxsj.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES10A0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE6C442FDB7514821B5B3546D3AB8B4A6.TMP"
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
C:\Users\Admin\AppData\Roaming\246535.exe
"C:\Users\Admin\AppData\Roaming\246535.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
memory/2312-0-0x00000000746E2000-0x00000000746E3000-memory.dmp
memory/2312-1-0x00000000746E0000-0x0000000074C91000-memory.dmp
memory/2312-2-0x00000000746E0000-0x0000000074C91000-memory.dmp
memory/2556-5-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2556-6-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2556-11-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2556-7-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2556-12-0x0000000000400000-0x00000000004B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wg1flxsj.cmdline
| MD5 | f7cc3e92b0cad61d8238100483da1f2e |
| SHA1 | 6ade823dea52af3f83853e06eac52dcd377de710 |
| SHA256 | 19e98299b48a4136ce17dcd60a47027079b262ffa718aab27c432bfb778152f5 |
| SHA512 | dd054c219d9a1939d6cc64c77a19a1748f3cfe1d4785c6a0dbf92ddea8cc3e10b9d14ccf86049da218b068de4963ea800e73476134218b7cde5bf033a976364d |
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
| MD5 | d881de17aa8f2e2c08cbb7b265f928f9 |
| SHA1 | 08936aebc87decf0af6e8eada191062b5e65ac2a |
| SHA256 | b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0 |
| SHA512 | 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34 |
memory/1692-23-0x0000000000400000-0x000000000051F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wg1flxsj.0.vb
| MD5 | 26b5026eab85d8e3d21427ffeba6c8a3 |
| SHA1 | b2361ad23c266730e9af34500be54ff9391961b7 |
| SHA256 | d36997f507d4ca2e49640d979b558b819fe494ecaa678d587fe19f8d018d68ca |
| SHA512 | 4306e5e1b4657c55dced4ec2428edff313672fd675af197eee25ca7306a5512f8df7f42fab2253614f6a851c1f44ca3793fa062fdc199a8bf7647c89c723559d |
C:\Users\Admin\AppData\Local\Temp\vbcE6C442FDB7514821B5B3546D3AB8B4A6.TMP
| MD5 | 459f17fff65bc1f8d8f876e58626f93f |
| SHA1 | 984986836d1bfe17c5bce7939bb96f08ca5ea182 |
| SHA256 | 852e11326fe00a3ce5affd5dbb6258a4e5c6956e2c2654c7371e6c73b1644cd0 |
| SHA512 | 312c9a9507c37087d2799ae062723651e752c50fe3bb43cd42d214fcb830c3d6196d24dad0812a1bc14700175689a6aa21db411623fe432071191801182c0e93 |
C:\Users\Admin\AppData\Local\Temp\RES10A0.tmp
| MD5 | e1c60275e242fff8001bcb7c9c23e34b |
| SHA1 | 3a4c069c6751c54828874df05d09e7f11e322228 |
| SHA256 | 8f0bb6401a89267e375ef282651679bb448ac0141423759ffd95b7a6f160ccb3 |
| SHA512 | c9e77a1cded24b1aefa50e47563d77ee30da69d9d6b7584c2c7323561bc7f01fee99d5baf5e54342d57801e3e40cfb60e3b8a281427eb5347852b3f3968646fd |
memory/1692-74-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2556-86-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2312-88-0x00000000746E2000-0x00000000746E3000-memory.dmp
memory/2312-89-0x00000000746E0000-0x0000000074C91000-memory.dmp
C:\Users\Admin\AppData\Roaming\246535.exe
| MD5 | e08e1baaee539c9a015b7b986dd2e344 |
| SHA1 | 513e172e1574b3cf6d44ec2b8f4881ae69e97201 |
| SHA256 | e38c599dcd27791a425d66c4f2e112b8a2788a84ef0da88282f745d8b7aff3ca |
| SHA512 | 71aa40d91bc1c090ff89b88033cdac0b6ac01d0512fb514e0b1739e074e1758f76f5cdb17a591c318a7f5c219c83f5752ff1c2cbc746be2755d4398105ce461a |
memory/2312-93-0x00000000746E0000-0x0000000074C91000-memory.dmp