Overview

overview

10

Static

static

3

JaffaCakes...b2.exe

windows7-x64

10

JaffaCakes...b2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/03/2025, 17:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_77543d0eaa86dc3ea9c7de273abf61b2.exe

  • Size

    2.2MB

  • MD5

    77543d0eaa86dc3ea9c7de273abf61b2

  • SHA1

    3f0d55d6b9b7379459dfc7be7a8134cfad3c6214

  • SHA256

    e7f905fcba3d2ef6dde568e3c7b6b2be8d9a8f3a735266f282e3615bf6c255aa

  • SHA512

    82424af7a04f4894846f702127e222f013df4d499643894719c4b656fec38a7b21bdecbb8a22cebc25e50741cb00ff1da7227787a79285f927353cd51519fc89

  • SSDEEP

    49152:j/WhjQ0LXINTAqB9pTXFicZLSTukr7vMnAxctou0t41xfsVO6:jey0pqB9pTEcZOqkrgnOctou7xk

Score
10/10
darkcomettestdefense_evasiondiscoveryrattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

test

C2

192.168.2.209:81

emirhan-rat1.no-ip.biz:81
Mutex

DC_MUTEX-K5NM6CF

Attributes
  • gencode

    ZYb2qnWyxxS1

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

rc4.plain

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Darkcomet family
    darkcomet
  • Windows security bypass 2 TTPs 1 IoCs
    defense_evasiontrojan
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Windows security modification 2 TTPs 1 IoCs
    defense_evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 64 IoCs
  • NTFS ADS 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_77543d0eaa86dc3ea9c7de273abf61b2.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_77543d0eaa86dc3ea9c7de273abf61b2.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3144
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_77543d0eaa86dc3ea9c7de273abf61b2.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_77543d0eaa86dc3ea9c7de273abf61b2.exe"
      2⤵
      • Checks BIOS information in registry
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4884
      • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_77543d0eaa86dc3ea9c7de273abf61b2.exe
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_77543d0eaa86dc3ea9c7de273abf61b2.exe
        3⤵
        • Windows security bypass
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4420
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          4⤵
            PID:2880
          • C:\Windows\explorer.exe
            "C:\Windows\explorer.exe"
            4⤵
              PID:2540

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/3144-26-0x0000000000400000-0x00000000006CB000-memory.dmp

        Filesize

        2.8MB

        Download

      • memory/3144-0-0x0000000000400000-0x00000000006CB000-memory.dmp

        Filesize

        2.8MB

        Download

      • memory/4420-31-0x0000000000400000-0x00000000004C8000-memory.dmp

        Filesize

        800KB

        Download

      • memory/4420-27-0x0000000000400000-0x00000000004C8000-memory.dmp

        Filesize

        800KB

        Download

      • memory/4420-45-0x0000000000400000-0x00000000004C8000-memory.dmp

        Filesize

        800KB

        Download

      • memory/4420-43-0x0000000000400000-0x00000000004C8000-memory.dmp

        Filesize

        800KB

        Download

      • memory/4420-41-0x0000000000400000-0x00000000004C8000-memory.dmp

        Filesize

        800KB

        Download

      • memory/4420-39-0x0000000000400000-0x00000000004C8000-memory.dmp

        Filesize

        800KB

        Download

      • memory/4420-21-0x0000000000400000-0x00000000004C8000-memory.dmp

        Filesize

        800KB

        Download

      • memory/4420-37-0x0000000000400000-0x00000000004C8000-memory.dmp

        Filesize

        800KB

        Download

      • memory/4420-25-0x0000000000400000-0x00000000004C8000-memory.dmp

        Filesize

        800KB

        Download

      • memory/4420-35-0x0000000000400000-0x00000000004C8000-memory.dmp

        Filesize

        800KB

        Download

      • memory/4420-29-0x0000000000400000-0x00000000004C8000-memory.dmp

        Filesize

        800KB

        Download

      • memory/4420-33-0x0000000000400000-0x00000000004C8000-memory.dmp

        Filesize

        800KB

        Download

      • memory/4420-32-0x0000000000400000-0x00000000004C8000-memory.dmp

        Filesize

        800KB

        Download

      • memory/4884-2-0x0000000000400000-0x00000000006CB000-memory.dmp

        Filesize

        2.8MB

        Download

      • memory/4884-11-0x00000000025D0000-0x0000000002712000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/4884-4-0x00000000025D0000-0x0000000002712000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/4884-24-0x00000000025D0000-0x0000000002712000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/4884-17-0x0000000000400000-0x00000000006CB000-memory.dmp

        Filesize

        2.8MB

        Download

      • memory/4884-18-0x00000000025D0000-0x0000000002712000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/4884-16-0x0000000000400000-0x00000000006CB000-memory.dmp

        Filesize

        2.8MB

        Download

      • memory/4884-15-0x0000000000400000-0x00000000006CB000-memory.dmp

        Filesize

        2.8MB

        Download