Analysis

  • max time kernel
    2s
  • max time network
    5s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/03/2025, 18:51 UTC

General

  • Target

    JaffaCakes118_92f1fec21358cd78e8e4ac141f306a51.exe

  • Size

    4.3MB

  • MD5

    92f1fec21358cd78e8e4ac141f306a51

  • SHA1

    bb04365c02979696b716ff338b4c753ed6b9216c

  • SHA256

    bbca032c041e362e0e16fa9feb8d4f922302cbedd37d7a82723d9f48c4942e07

  • SHA512

    c30225b9e9b1a9eef4d4bb91a769ae9fc18122e85764a76ff173626dcb04591c35400fc452a4da572930df02caa1c1b2ca521154947c6faf609e465a7de52065

  • SSDEEP

    98304:9N9i17FiopkxhnabECb3bgr7nbmD2dXol+7r7QpV3FU/x8:rQ17FimkatgvHJol07ud

Malware Config

Extracted

Family

darkcomet

Botnet

rat5

C2

hacker1qaz.no-ip.org:4445

Mutex

DC_MUTEX-D9Y8Z5C

Attributes
  • InstallPath

    ysdcsc.exe

  • gencode

    wdiS39FWlk0u

  • install

    true

  • offline_keylogger

    false

  • persistence

    true

  • reg_key

    MicosoftUpdate

rc4.plain

  • #KCMDDC5#-890

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Darkcomet family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_92f1fec21358cd78e8e4ac141f306a51.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_92f1fec21358cd78e8e4ac141f306a51.exe"
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:2604

Network

MITRE ATT&CK Enterprise v15


Downloads

  • memory/2604-0-0x0000000000400000-0x0000000000D44000-memory.dmp

    Filesize

    9.3MB

  • memory/2604-1-0x0000000000401000-0x000000000044E000-memory.dmp

    Filesize

    308KB

  • memory/2604-2-0x0000000000400000-0x0000000000D44000-memory.dmp

    Filesize

    9.3MB

  • memory/2604-3-0x0000000000400000-0x0000000000D44000-memory.dmp

    Filesize

    9.3MB

  • memory/2604-4-0x0000000000400000-0x0000000000D44000-memory.dmp

    Filesize

    9.3MB

  • memory/2604-5-0x0000000000400000-0x0000000000D44000-memory.dmp

    Filesize

    9.3MB

  • memory/2604-6-0x0000000000400000-0x0000000000D44000-memory.dmp

    Filesize

    9.3MB

  • memory/2604-7-0x0000000000400000-0x0000000000D44000-memory.dmp

    Filesize

    9.3MB

  • memory/2604-8-0x0000000000400000-0x0000000000D44000-memory.dmp

    Filesize

    9.3MB
