Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/03/2025, 21:17

General

  • Target

    JaffaCakes118_84c7d8597e548caeb258298376c27519.exe

  • Size

    663KB

  • MD5

    84c7d8597e548caeb258298376c27519

  • SHA1

    b5ccbdb78d80af0c91b8378e9c4a2ee4f779f91c

  • SHA256

    fdc4c6e08abd577ef436c0efbaeccfec398adf59bd049820110b8028b6129eac

  • SHA512

    54666ae9801bd95d6482788b8855f85b87aa7d1df00cfd3265407f010f980ad6612b4f7f3c9c444baf06831856431a66b50ccfb3b114d79bc9abdcd7e5e84022

  • SSDEEP

    12288:3pwABK90BOe/x9lPAYvxPQVjdsAY2XjWlnlpTMMXG91uhKIXn/Y:ZwAcu99lPzvxP+Bsz2XjWTRMQckkIXnA

Malware Config

Extracted

Family

darkcomet

Botnet

sbs

C2

127.0.0.1:21

Mutex

DC_MUTEX-D77XKZP

Attributes
  • InstallPath

    Windupdt\winupdate.exe

  • gencode

    cyolL=+r#6rV

  • install

    true

  • offline_keylogger

    true

  • password

    never mind

  • persistence

    true

  • reg_key

    winupdater

rc4.plain

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Darkcomet family
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_84c7d8597e548caeb258298376c27519.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_84c7d8597e548caeb258298376c27519.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2504
    • C:\Users\Admin\AppData\Local\Temp\TOT.EXE
      "C:\Users\Admin\AppData\Local\Temp\TOT.EXE"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      PID:2372
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      2⤵
      • Windows security bypass
      • Checks BIOS information in registry
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2960
    • C:\Windows\SysWOW64\ping.exe
      ping 127.0.0.1 -n 5 > NUL del "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_84c7d8597e548caeb258298376c27519.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2024

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\BAT.BAT

    Filesize

    247B

    MD5

    8cdbb527e8c2f50aadbc2fd59657a5f7

    SHA1

    a6f18862015ef5a2f7426c364ded713346c75a83

    SHA256

    ed1be1cff5f6f1119ca6695c72d2deb3f9c7fb04cebce8852e202ce54eff379e

    SHA512

    40a6d335b4864b1dac303895e2c0f93d45be06e5457b94fca0d357265cd58efd38e220d7fa6054ca94eb89a3b214a2f104c77ff74644a54be3e1bf46c931a525

  • \Users\Admin\AppData\Local\Temp\TOT.EXE

    Filesize

    27KB

    MD5

    ddcde928805f0acae7491c46f791ebe0

    SHA1

    1af656bac2e38a54fbf9f4e8c250341fd7953fe0

    SHA256

    9a1150347f1d9428c91130c2f77dbe4aeade037ed812d01b7669c53be09165f4

    SHA512

    749e11dfbf1847a6035f0f3134aed3112c77add27b6cc06509cc930aa9bb2c05740a4a687c382ff30b3470b920404ad8a848165430aa7f92d01ad379713a0f69

  • memory/2004-30-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2004-0-0x0000000000280000-0x0000000000281000-memory.dmp

    Filesize

    4KB

  • memory/2960-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2960-27-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2960-31-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2960-29-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2960-23-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2960-28-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2960-32-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2960-36-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2960-35-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2960-34-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2960-33-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2960-37-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB