Overview

overview

10

Static

static

10

JaffaCakes...67.exe

windows7-x64

10

JaffaCakes...67.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    29/03/2025, 18:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_92bd43f58c78a41f0b27a018bfb7f367.exe

  • Size

    271KB

  • MD5

    92bd43f58c78a41f0b27a018bfb7f367

  • SHA1

    8cac44f1a7f8b507baecf228a97538758b464ecf

  • SHA256

    90c720c9410e1575ef1dabdf2e1640b55f123339d372589de814eb06096b47ec

  • SHA512

    1142d9662ca560bc8011ddbd22f11fc2724c1e33e617a6fc74cbafc5e354180762c15426f6abbe668a9b5a40bf08c1087995bf3f6f279415e85885419458f3b3

  • SSDEEP

    6144:oz+ZIja7JiVzDfdUITRilQ37imhVltGNPl4/fRq4vTBxvVjk5CKOR:oz+4KMVzDfrTRYQ3+WltCiHE4vTB3cwR

Score
10/10
darkcometflyffdefense_evasiondiscoverypersistencerattrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

Flyff

C2

crashmob.no-ip.biz:1090

Mutex

DC_MUTEX-W1S6CAL

Attributes
  • InstallPath

    C:\Dokumente und Einstellungen\All Users\Startmen�\Programme\Autostart

  • gencode

    Fd�kkey$KJxb

  • install

    true

  • offline_keylogger

    false

  • password

    1a6c7c5de758a2e5933e962b1a5538a1bf11ba42d88e96b9d873d4eba9

  • persistence

    false

  • reg_key

    logon

rc4.plain

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Darkcomet family
    darkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies firewall policy service 3 TTPs 3 IoCs
    defense_evasion
  • Modifies security service 2 TTPs 1 IoCs
    defense_evasion
  • Windows security bypass 2 TTPs 2 IoCs
    defense_evasiontrojan
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Disables RegEdit via registry modification 1 IoCs
    defense_evasion
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Windows security modification 2 TTPs 2 IoCs
    defense_evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • UPX packed file 16 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies registry class 5 IoCs
  • NTFS ADS 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of FindShellTrayWindow 29 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • System policy modification 1 TTPs 3 IoCs
    defense_evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_92bd43f58c78a41f0b27a018bfb7f367.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_92bd43f58c78a41f0b27a018bfb7f367.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies firewall policy service
    • Modifies security service
    • Windows security bypass
    • Disables RegEdit via registry modification
    • Checks BIOS information in registry
    • Windows security modification
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • System policy modification
    PID:2320
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

3
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Defense Evasion

Impair Defenses

3
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

2
T1562.001

Modify Registry

8
T1112

Credential Access

Discovery

Query Registry

4
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/292-20-0x0000000002960000-0x0000000002970000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2320-8-0x0000000000400000-0x00000000004C7000-memory.dmp

    Filesize

    796KB

    Download

  • memory/2320-14-0x0000000000400000-0x00000000004C7000-memory.dmp

    Filesize

    796KB

    Download

  • memory/2320-3-0x0000000000400000-0x00000000004C7000-memory.dmp

    Filesize

    796KB

    Download

  • memory/2320-4-0x0000000000200000-0x0000000000201000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2320-5-0x0000000000400000-0x00000000004C7000-memory.dmp

    Filesize

    796KB

    Download

  • memory/2320-6-0x0000000000400000-0x00000000004C7000-memory.dmp

    Filesize

    796KB

    Download

  • memory/2320-7-0x0000000000400000-0x00000000004C7000-memory.dmp

    Filesize

    796KB

    Download

  • memory/2320-0-0x0000000000400000-0x00000000004C7000-memory.dmp

    Filesize

    796KB

    Download

  • memory/2320-2-0x0000000000400000-0x00000000004C7000-memory.dmp

    Filesize

    796KB

    Download

  • memory/2320-9-0x0000000000400000-0x00000000004C7000-memory.dmp

    Filesize

    796KB

    Download

  • memory/2320-13-0x0000000000400000-0x00000000004C7000-memory.dmp

    Filesize

    796KB

    Download

  • memory/2320-15-0x0000000000400000-0x00000000004C7000-memory.dmp

    Filesize

    796KB

    Download

  • memory/2320-16-0x0000000000400000-0x00000000004C7000-memory.dmp

    Filesize

    796KB

    Download

  • memory/2320-17-0x0000000000400000-0x00000000004C7000-memory.dmp

    Filesize

    796KB

    Download

  • memory/2320-18-0x0000000000400000-0x00000000004C7000-memory.dmp

    Filesize

    796KB

    Download

  • memory/2320-19-0x0000000000400000-0x00000000004C7000-memory.dmp

    Filesize

    796KB

    Download

  • memory/2320-1-0x0000000000200000-0x0000000000201000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2320-21-0x0000000000400000-0x00000000004C7000-memory.dmp

    Filesize

    796KB

    Download