Overview

overview

10

Static

static

10

JaffaCakes...66.exe

windows7-x64

10

JaffaCakes...66.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/03/2025, 18:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_927a4dcb9526b2e79dc6d11e67eef066.exe

  • Size

    1.3MB

  • MD5

    927a4dcb9526b2e79dc6d11e67eef066

  • SHA1

    3803682042ee1d5521aae4dbf6d972c21fc75a7e

  • SHA256

    2daceb62312f99c4dd461400d8edf9d60df08a960744804c57db80f80a1af73a

  • SHA512

    18256255b8e2f1d6a0ee969a05ef7ab16f8ed58de156a8b93bdef9fd856e19d4052638ee890128af785936b1acf573f7eb389eac50c64267d61ceb5e7724c32d

  • SSDEEP

    24576:YUKoN0bUxgGa/pfBHDb+y1HgZ8lVlNMeeaPqmZC/CTLqI6i:LK1A6C7eXXw/CP4i

Score
10/10
darkcometguest16discoverypersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

lastdede.zapto.org:81

Mutex

DC_MUTEX-F54S21D

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    v-.=-u.dMS00

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

rc4.plain

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Darkcomet family
    darkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 17 IoCs
  • Suspicious use of SendNotifyMessage 16 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_927a4dcb9526b2e79dc6d11e67eef066.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_927a4dcb9526b2e79dc6d11e67eef066.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4712
    • C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\BEETHOVEN 9 NOLU SENFONISI (SCHERZO).WMA"
      2⤵
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:3828
    • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:4228
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1916
    • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3612
      • C:\Program Files\VideoLAN\VLC\vlc.exe
        "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\BEETHOVEN 9 NOLU SENFONISI (SCHERZO).WMA"
        3⤵
          PID:1700
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          3⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1652
          • C:\Program Files\VideoLAN\VLC\vlc.exe
            "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\BEETHOVEN 9 NOLU SENFONISI (SCHERZO).WMA"
            4⤵
              PID:4368
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x2ec 0x464
        1⤵
          PID:392

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\BEETHOVEN 9 NOLU SENFONISI (SCHERZO).WMA
          Filesize

          604KB

          MD5

          7e40b30400b058ff9200cc41b853146d

          SHA1

          ba6697098d646e5d1f293496e3a98ad855040d09

          SHA256

          d83bbdaa27f44696dcc71f7345e683f4b2a1b3b996f0e1f063de80bac6a90076

          SHA512

          8379cdb1695c6fb2de5f58891fd1ee57fdf405b3f39f20f48134ed28440e0f3fdb363a79557a8c938b450896405d852f4de891613e7b1d61a724c00ae14c962f

          Download Submit

        • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
          Filesize

          1.3MB

          MD5

          927a4dcb9526b2e79dc6d11e67eef066

          SHA1

          3803682042ee1d5521aae4dbf6d972c21fc75a7e

          SHA256

          2daceb62312f99c4dd461400d8edf9d60df08a960744804c57db80f80a1af73a

          SHA512

          18256255b8e2f1d6a0ee969a05ef7ab16f8ed58de156a8b93bdef9fd856e19d4052638ee890128af785936b1acf573f7eb389eac50c64267d61ceb5e7724c32d

          Download Submit

        • memory/1652-25-0x0000000000400000-0x000000000055E000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1700-17-0x00007FF9EDBF0000-0x00007FF9EDC24000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1700-16-0x00007FF6968B0000-0x00007FF6969A8000-memory.dmp

          Filesize

          992KB

          Download

        • memory/1700-21-0x00007FF9F0190000-0x00007FF9F01A1000-memory.dmp

          Filesize

          68KB

          Download

        • memory/1700-20-0x00007FF9F0CE0000-0x00007FF9F0CF7000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1700-19-0x00007FF9F3360000-0x00007FF9F3378000-memory.dmp

          Filesize

          96KB

          Download

        • memory/1700-18-0x00007FF9DB410000-0x00007FF9DB6C6000-memory.dmp

          Filesize

          2.7MB

          Download

        • memory/3612-11-0x0000000002110000-0x0000000002111000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3612-26-0x0000000000400000-0x000000000055E000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3828-57-0x00007FF9E9B10000-0x00007FF9E9B21000-memory.dmp

          Filesize

          68KB

          Download

        • memory/3828-54-0x00007FF9E9C90000-0x00007FF9E9CD1000-memory.dmp

          Filesize

          260KB

          Download

        • memory/3828-44-0x00007FF9EDBF0000-0x00007FF9EDC24000-memory.dmp

          Filesize

          208KB

          Download

        • memory/3828-43-0x00007FF6968B0000-0x00007FF6969A8000-memory.dmp

          Filesize

          992KB

          Download

        • memory/3828-46-0x00007FF9F3360000-0x00007FF9F3378000-memory.dmp

          Filesize

          96KB

          Download

        • memory/3828-47-0x00007FF9F0CE0000-0x00007FF9F0CF7000-memory.dmp

          Filesize

          92KB

          Download

        • memory/3828-48-0x00007FF9F0190000-0x00007FF9F01A1000-memory.dmp

          Filesize

          68KB

          Download

        • memory/3828-49-0x00007FF9EEC30000-0x00007FF9EEC47000-memory.dmp

          Filesize

          92KB

          Download

        • memory/3828-50-0x00007FF9EA090000-0x00007FF9EA0A1000-memory.dmp

          Filesize

          68KB

          Download

        • memory/3828-45-0x00007FF9DB410000-0x00007FF9DB6C6000-memory.dmp

          Filesize

          2.7MB

          Download

        • memory/3828-52-0x00007FF9E9E80000-0x00007FF9E9E91000-memory.dmp

          Filesize

          68KB

          Download

        • memory/3828-51-0x00007FF9E9EA0000-0x00007FF9E9EBD000-memory.dmp

          Filesize

          116KB

          Download

        • memory/3828-53-0x00007FF9DB010000-0x00007FF9DB21B000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/3828-60-0x00007FF9E9A60000-0x00007FF9E9A7B000-memory.dmp

          Filesize

          108KB

          Download

        • memory/3828-59-0x00007FF9E9A80000-0x00007FF9E9A91000-memory.dmp

          Filesize

          68KB

          Download

        • memory/3828-58-0x00007FF9E9AA0000-0x00007FF9E9AB1000-memory.dmp

          Filesize

          68KB

          Download

        • memory/3828-55-0x00007FF9E9C60000-0x00007FF9E9C81000-memory.dmp

          Filesize

          132KB

          Download

        • memory/3828-56-0x00007FF9E9C40000-0x00007FF9E9C58000-memory.dmp

          Filesize

          96KB

          Download

        • memory/4228-24-0x0000000000400000-0x000000000055E000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4368-32-0x00007FF6968B0000-0x00007FF6969A8000-memory.dmp

          Filesize

          992KB

          Download

        • memory/4368-33-0x00007FF9EDBF0000-0x00007FF9EDC24000-memory.dmp

          Filesize

          208KB

          Download

        • memory/4368-34-0x00007FF9DB410000-0x00007FF9DB6C6000-memory.dmp

          Filesize

          2.7MB

          Download

        • memory/4368-35-0x00007FF9F3360000-0x00007FF9F3378000-memory.dmp

          Filesize

          96KB

          Download

        • memory/4368-36-0x00007FF9F0CE0000-0x00007FF9F0CF7000-memory.dmp

          Filesize

          92KB

          Download

        • memory/4368-37-0x00007FF9F0190000-0x00007FF9F01A1000-memory.dmp

          Filesize

          68KB

          Download

        • memory/4712-0-0x0000000002300000-0x0000000002301000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4712-23-0x0000000000400000-0x000000000055E000-memory.dmp

          Filesize

          1.4MB

          Download