Analysis
-
max time kernel
149s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
29/03/2025, 18:43
General
-
Target
JaffaCakes118_927a4dcb9526b2e79dc6d11e67eef066.exe
-
Size
1.3MB
-
MD5
927a4dcb9526b2e79dc6d11e67eef066
-
SHA1
3803682042ee1d5521aae4dbf6d972c21fc75a7e
-
SHA256
2daceb62312f99c4dd461400d8edf9d60df08a960744804c57db80f80a1af73a
-
SHA512
18256255b8e2f1d6a0ee969a05ef7ab16f8ed58de156a8b93bdef9fd856e19d4052638ee890128af785936b1acf573f7eb389eac50c64267d61ceb5e7724c32d
-
SSDEEP
24576:YUKoN0bUxgGa/pfBHDb+y1HgZ8lVlNMeeaPqmZC/CTLqI6i:LK1A6C7eXXw/CP4i
Malware Config
Extracted
darkcomet
Guest16
lastdede.zapto.org:81
DC_MUTEX-F54S21D
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
v-.=-u.dMS00
-
install
true
-
offline_keylogger
true
-
persistence
false
-
reg_key
MicroUpdate
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Darkcomet family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 5 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 60 IoCs
-
Suspicious use of FindShellTrayWindow 49 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_927a4dcb9526b2e79dc6d11e67eef066.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_927a4dcb9526b2e79dc6d11e67eef066.exe"1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\BEETHOVEN 9 NOLU SENFONISI (SCHERZO).WMA"2⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\BEETHOVEN 9 NOLU SENFONISI (SCHERZO).WMA"3⤵
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"3⤵
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"3⤵
-
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
604KB
MD57e40b30400b058ff9200cc41b853146d
SHA1ba6697098d646e5d1f293496e3a98ad855040d09
SHA256d83bbdaa27f44696dcc71f7345e683f4b2a1b3b996f0e1f063de80bac6a90076
SHA5128379cdb1695c6fb2de5f58891fd1ee57fdf405b3f39f20f48134ed28440e0f3fdb363a79557a8c938b450896405d852f4de891613e7b1d61a724c00ae14c962f
-
Filesize
1.3MB
MD5927a4dcb9526b2e79dc6d11e67eef066
SHA13803682042ee1d5521aae4dbf6d972c21fc75a7e
SHA2562daceb62312f99c4dd461400d8edf9d60df08a960744804c57db80f80a1af73a
SHA51218256255b8e2f1d6a0ee969a05ef7ab16f8ed58de156a8b93bdef9fd856e19d4052638ee890128af785936b1acf573f7eb389eac50c64267d61ceb5e7724c32d
-
Filesize
92KB
-
Filesize
96KB
-
Filesize
992KB
-
Filesize
208KB
-
Filesize
2.7MB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
16.7MB
-
Filesize
992KB
-
Filesize
208KB
-
Filesize
2.7MB
-
Filesize
68KB
-
Filesize
92KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
116KB
-
Filesize
92KB
-
Filesize
96KB
-
Filesize
2.0MB
-
Filesize
96KB
-
Filesize
260KB
-
Filesize
412KB
-
Filesize
144KB
-
Filesize
88KB
-
Filesize
132KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
788KB
-
Filesize
68KB
-
Filesize
188KB
-
Filesize
64KB
-
Filesize
92KB
-
Filesize
1.5MB
-
Filesize
68KB
-
Filesize
496KB
-
Filesize
192KB
-
Filesize
96KB
-
Filesize
108KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
1.4MB
-
Filesize
4KB
-
Filesize
1.4MB