Overview

overview

10

Static

static

3

JaffaCakes...98.exe

windows7-x64

10

JaffaCakes...98.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    29/03/2025, 18:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_929f77a47a4a33455ccdb7366ef0ff98.exe

  • Size

    899KB

  • MD5

    929f77a47a4a33455ccdb7366ef0ff98

  • SHA1

    38b8140d139c212b12ac4fbef64a339da3a50af9

  • SHA256

    cca77ef16e89bff979f6abf9b435cf7c433f664f6003648a4645530c37a857a4

  • SHA512

    8cab77bc38be2aca1ded368a3ffac1f56d21351ea24c0271daf0b11d833d0e120c9a2be9061248aa951cb268efdf7b42aa157bc54415e7f6154475ad22835488

  • SSDEEP

    12288:EdQyETqOIG8u8IaPowniyjkRmFm9fMVa5t3OYyd0kf5jkJxL1XWkGl4IsGikcDho:EdQuOIG8gsTo3N3OYif5jOWkwtsBxmH

Score
10/10
darkcometo0ziildiscoverypersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

O0ziil

C2

dylz-h4ck.no-ip.org:1324

Mutex

DC_MUTEX-09AT1EJ

Attributes
  • InstallPath

    system32/winlogon.exe

  • gencode

    wM-hxmeQDf2%

  • install

    true

  • offline_keylogger

    true

  • password

    dinounou

  • persistence

    true

  • reg_key

    winlogon

rc4.plain

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Darkcomet family
    darkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 16 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_929f77a47a4a33455ccdb7366ef0ff98.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_929f77a47a4a33455ccdb7366ef0ff98.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2104
    • C:\Users\Admin\AppData\Local\Temp\Crypted.exe
      "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:2988
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2704

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Crypted.exe
    Filesize

    715KB

    MD5

    520a0d514865c7b47f0ff777e8b0eb6d

    SHA1

    95f13f1f821cea475bd4b1f84dcac0451f19a6e0

    SHA256

    2acbda4ff8fbb755d6c68abbb028ef3e205d942a056986343c3958f62a4787f1

    SHA512

    f42bb992a1a3710230523edcbfc52ccc0f3ca96a0529dc476a525974a2e3608d0f0ecbd7075cdbe99e7c30e2f89c46138bbddd22561d06c92e935cfd0ae9e5d9

    Download Submit

  • memory/2104-0-0x000007FEF587E000-0x000007FEF587F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2104-1-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2104-2-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2104-3-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2104-11-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2704-30-0x00000000025F0000-0x0000000002600000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2988-12-0x0000000000270000-0x0000000000271000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2988-14-0x0000000000400000-0x00000000004C1000-memory.dmp

    Filesize

    772KB

    Download