Overview

overview

10

Static

static

3

JaffaCakes...09.exe

windows7-x64

10

JaffaCakes...09.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/03/2025, 18:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_9103394e428bf63d87620aee6ba1d209.exe

  • Size

    687KB

  • MD5

    9103394e428bf63d87620aee6ba1d209

  • SHA1

    fcb5e6b70042d5badfc9e4ad8f5c844b286f5913

  • SHA256

    dabe2af6daac473c4a6b321aa03d1064ebfaca772542b2ee882fb400746c057b

  • SHA512

    88e480d681760165a5f2ccfd03d8bd6b25ee3f28d0abda1d05c750283f3cbb9c79644706c163be5a1f0ae3546e6195cce87a1e82846b8ebf958e33366303cb20

  • SSDEEP

    12288:ZFf8Zo8N0CQ82o1gR9AilAVJ+q2Zn0f0Q4lkhI9SxzNs4k5:Z9OoM0L8HOeiOVgVW14YmS1Ns4k5

Score
10/10
darkcometguest16defense_evasiondiscoverypersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

127.0.0.1:1604

Mutex

DC_MUTEX-WGL61C9

Attributes
  • InstallPath

    Windupdt\winupdate.exe

  • gencode

    CgP9ATPpuVQg

  • install

    true

  • offline_keylogger

    true

  • password

    Pa$$w0rd

  • persistence

    true

  • reg_key

    winupdater

rc4.plain

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Darkcomet family
    darkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies firewall policy service 3 TTPs 51 IoCs
    defense_evasion
  • Checks BIOS information in registry 2 TTPs 18 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 34 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 38 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 64 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9103394e428bf63d87620aee6ba1d209.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9103394e428bf63d87620aee6ba1d209.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3008
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9103394e428bf63d87620aee6ba1d209.exe
      2⤵
      • Modifies WinLogon for persistence
      • Checks BIOS information in registry
      • Checks computer location settings
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3104
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:5320
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\SysWOW64\explorer.exe"
        3⤵
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4100
      • C:\Windupdt\winupdate.exe
        "C:\Windupdt\winupdate.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4760
        • C:\Windupdt\winupdate.exe
          4⤵
          • Modifies firewall policy service
          • Checks BIOS information in registry
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Enumerates system info in registry
          PID:3940
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windupdt\winupdate.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5676
    • C:\Windupdt\winupdate.exe
      C:\Windupdt\winupdate.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4592
      • C:\Windupdt\winupdate.exe
        3⤵
        • Modifies firewall policy service
        • Checks BIOS information in registry
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of AdjustPrivilegeToken
        PID:4616
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windupdt\winupdate.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2328
    • C:\Windupdt\winupdate.exe
      C:\Windupdt\winupdate.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4528
      • C:\Windupdt\winupdate.exe
        3⤵
        • Modifies firewall policy service
        • Checks BIOS information in registry
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4612
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windupdt\winupdate.exe
    1⤵
      PID:1860
      • C:\Windupdt\winupdate.exe
        C:\Windupdt\winupdate.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:5452
        • C:\Windupdt\winupdate.exe
          3⤵
          • Modifies firewall policy service
          • Checks BIOS information in registry
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Enumerates system info in registry
          PID:2208
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windupdt\winupdate.exe
      1⤵
        PID:4008
        • C:\Windupdt\winupdate.exe
          C:\Windupdt\winupdate.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:5224
          • C:\Windupdt\winupdate.exe
            3⤵
            • Modifies firewall policy service
            • Checks BIOS information in registry
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Checks processor information in registry
            • Enumerates system info in registry
            PID:5580
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Windupdt\winupdate.exe
        1⤵
          PID:4332
          • C:\Windupdt\winupdate.exe
            C:\Windupdt\winupdate.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2564
            • C:\Windupdt\winupdate.exe
              3⤵
              • Modifies firewall policy service
              • Checks BIOS information in registry
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Checks processor information in registry
              • Enumerates system info in registry
              PID:3904
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Windupdt\winupdate.exe
          1⤵
            PID:4324
            • C:\Windupdt\winupdate.exe
              C:\Windupdt\winupdate.exe
              2⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:3044
              • C:\Windupdt\winupdate.exe
                3⤵
                • Modifies firewall policy service
                • Checks BIOS information in registry
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Checks processor information in registry
                • Enumerates system info in registry
                PID:3056
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Windupdt\winupdate.exe
            1⤵
              PID:3464
              • C:\Windupdt\winupdate.exe
                C:\Windupdt\winupdate.exe
                2⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:4924
                • C:\Windupdt\winupdate.exe
                  3⤵
                  • Modifies firewall policy service
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Checks processor information in registry
                  • Enumerates system info in registry
                  PID:4980
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c C:\Windupdt\winupdate.exe
              1⤵
                PID:3260
                • C:\Windupdt\winupdate.exe
                  C:\Windupdt\winupdate.exe
                  2⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of SetWindowsHookEx
                  PID:1636
                  • C:\Windupdt\winupdate.exe
                    3⤵
                    • Modifies firewall policy service
                    • Checks BIOS information in registry
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Checks processor information in registry
                    • Enumerates system info in registry
                    PID:6044
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c C:\Windupdt\winupdate.exe
                1⤵
                  PID:5208
                  • C:\Windupdt\winupdate.exe
                    C:\Windupdt\winupdate.exe
                    2⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of SetWindowsHookEx
                    PID:5288
                    • C:\Windupdt\winupdate.exe
                      3⤵
                      • Modifies firewall policy service
                      • Checks BIOS information in registry
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      • Checks processor information in registry
                      • Enumerates system info in registry
                      PID:5292
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c C:\Windupdt\winupdate.exe
                  1⤵
                    PID:624
                    • C:\Windupdt\winupdate.exe
                      C:\Windupdt\winupdate.exe
                      2⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of SetWindowsHookEx
                      PID:3684
                      • C:\Windupdt\winupdate.exe
                        3⤵
                        • Modifies firewall policy service
                        • Checks BIOS information in registry
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        • Checks processor information in registry
                        • Enumerates system info in registry
                        PID:2452
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c C:\Windupdt\winupdate.exe
                    1⤵
                      PID:1860
                      • C:\Windupdt\winupdate.exe
                        C:\Windupdt\winupdate.exe
                        2⤵
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of SetWindowsHookEx
                        PID:3428
                        • C:\Windupdt\winupdate.exe
                          3⤵
                          • Modifies firewall policy service
                          • Checks BIOS information in registry
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          • Checks processor information in registry
                          • Enumerates system info in registry
                          PID:6096
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\system32\cmd.exe /c C:\Windupdt\winupdate.exe
                      1⤵
                        PID:852
                        • C:\Windupdt\winupdate.exe
                          C:\Windupdt\winupdate.exe
                          2⤵
                          • Executes dropped EXE
                          • Suspicious use of SetThreadContext
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of SetWindowsHookEx
                          PID:3984
                          • C:\Windupdt\winupdate.exe
                            3⤵
                            • Modifies firewall policy service
                            • Checks BIOS information in registry
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            • Checks processor information in registry
                            • Enumerates system info in registry
                            PID:4448
                      • C:\Windows\system32\cmd.exe
                        C:\Windows\system32\cmd.exe /c C:\Windupdt\winupdate.exe
                        1⤵
                          PID:5048
                          • C:\Windupdt\winupdate.exe
                            C:\Windupdt\winupdate.exe
                            2⤵
                            • Executes dropped EXE
                            • Suspicious use of SetThreadContext
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of SetWindowsHookEx
                            PID:4164
                            • C:\Windupdt\winupdate.exe
                              3⤵
                              • Modifies firewall policy service
                              • Checks BIOS information in registry
                              • Executes dropped EXE
                              • System Location Discovery: System Language Discovery
                              • Checks processor information in registry
                              • Enumerates system info in registry
                              PID:1512
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c C:\Windupdt\winupdate.exe
                          1⤵
                            PID:1760
                            • C:\Windupdt\winupdate.exe
                              C:\Windupdt\winupdate.exe
                              2⤵
                              • Executes dropped EXE
                              • Suspicious use of SetThreadContext
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of SetWindowsHookEx
                              PID:3496
                              • C:\Windupdt\winupdate.exe
                                3⤵
                                • Modifies firewall policy service
                                • Checks BIOS information in registry
                                • Executes dropped EXE
                                • System Location Discovery: System Language Discovery
                                • Checks processor information in registry
                                • Enumerates system info in registry
                                PID:6084
                          • C:\Windows\system32\cmd.exe
                            C:\Windows\system32\cmd.exe /c C:\Windupdt\winupdate.exe
                            1⤵
                              PID:5304
                              • C:\Windupdt\winupdate.exe
                                C:\Windupdt\winupdate.exe
                                2⤵
                                • Executes dropped EXE
                                • Suspicious use of SetThreadContext
                                • System Location Discovery: System Language Discovery
                                • Suspicious use of SetWindowsHookEx
                                PID:2224
                                • C:\Windupdt\winupdate.exe
                                  3⤵
                                  • Modifies firewall policy service
                                  • Checks BIOS information in registry
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  • Checks processor information in registry
                                  • Enumerates system info in registry
                                  PID:3164
                            • C:\Windows\system32\cmd.exe
                              C:\Windows\system32\cmd.exe /c C:\Windupdt\winupdate.exe
                              1⤵
                                PID:3400
                                • C:\Windupdt\winupdate.exe
                                  C:\Windupdt\winupdate.exe
                                  2⤵
                                  • Executes dropped EXE
                                  • Suspicious use of SetThreadContext
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious use of SetWindowsHookEx
                                  PID:5908
                                  • C:\Windupdt\winupdate.exe
                                    3⤵
                                    • Modifies firewall policy service
                                    • Checks BIOS information in registry
                                    • Executes dropped EXE
                                    • System Location Discovery: System Language Discovery
                                    • Checks processor information in registry
                                    • Enumerates system info in registry
                                    PID:3340

                              Network

                              MITRE ATT&CK Enterprise v15

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Windupdt\winupdate.exe
                                Filesize

                                687KB

                                MD5

                                9103394e428bf63d87620aee6ba1d209

                                SHA1

                                fcb5e6b70042d5badfc9e4ad8f5c844b286f5913

                                SHA256

                                dabe2af6daac473c4a6b321aa03d1064ebfaca772542b2ee882fb400746c057b

                                SHA512

                                88e480d681760165a5f2ccfd03d8bd6b25ee3f28d0abda1d05c750283f3cbb9c79644706c163be5a1f0ae3546e6195cce87a1e82846b8ebf958e33366303cb20

                                Download Submit

                              • memory/3104-5-0x0000000013140000-0x00000000131F6000-memory.dmp

                                Filesize

                                728KB

                                Download

                              • memory/3104-4-0x0000000013140000-0x00000000131F6000-memory.dmp

                                Filesize

                                728KB

                                Download

                              • memory/3104-2-0x0000000013140000-0x00000000131F6000-memory.dmp

                                Filesize

                                728KB

                                Download

                              • memory/3104-6-0x00000000021F0000-0x00000000021F1000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/3104-3-0x0000000013140000-0x00000000131F6000-memory.dmp

                                Filesize

                                728KB

                                Download

                              • memory/3104-34-0x0000000013140000-0x00000000131F6000-memory.dmp

                                Filesize

                                728KB

                                Download

                              • memory/4100-12-0x0000000000400000-0x0000000000407000-memory.dmp

                                Filesize

                                28KB

                                Download

                              • memory/4100-14-0x0000000000400000-0x0000000000407000-memory.dmp

                                Filesize

                                28KB

                                Download

                              • memory/4100-40-0x0000000000400000-0x0000000000407000-memory.dmp

                                Filesize

                                28KB

                                Download

                              • memory/4612-31-0x0000000013140000-0x00000000131F6000-memory.dmp

                                Filesize

                                728KB

                                Download

                              • memory/4612-32-0x0000000013140000-0x00000000131F6000-memory.dmp

                                Filesize

                                728KB

                                Download

                              • memory/4612-30-0x0000000013140000-0x00000000131F6000-memory.dmp

                                Filesize

                                728KB

                                Download

                              • memory/5320-8-0x0000000000B60000-0x0000000000B61000-memory.dmp

                                Filesize

                                4KB

                                Download