Overview

overview

10

Static

static

3

JaffaCakes...51.exe

windows7-x64

10

JaffaCakes...51.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/03/2025, 18:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_92f1fec21358cd78e8e4ac141f306a51.exe

  • Size

    4.3MB

  • MD5

    92f1fec21358cd78e8e4ac141f306a51

  • SHA1

    bb04365c02979696b716ff338b4c753ed6b9216c

  • SHA256

    bbca032c041e362e0e16fa9feb8d4f922302cbedd37d7a82723d9f48c4942e07

  • SHA512

    c30225b9e9b1a9eef4d4bb91a769ae9fc18122e85764a76ff173626dcb04591c35400fc452a4da572930df02caa1c1b2ca521154947c6faf609e465a7de52065

  • SSDEEP

    98304:9N9i17FiopkxhnabECb3bgr7nbmD2dXol+7r7QpV3FU/x8:rQ17FimkatgvHJol07ud

Score
10/10
darkcometrat5defense_evasiondiscoverypersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

rat5

C2

hacker1qaz.no-ip.org:4445

Mutex

DC_MUTEX-D9Y8Z5C

Attributes
  • InstallPath

    ysdcsc.exe

  • gencode

    wdiS39FWlk0u

  • install

    true

  • offline_keylogger

    false

  • persistence

    true

  • reg_key

    MicosoftUpdate

rc4.plain

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Darkcomet family
    darkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    defense_evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_92f1fec21358cd78e8e4ac141f306a51.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_92f1fec21358cd78e8e4ac141f306a51.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5764
    • C:\ProgramData\Microsoft\Windows\Start Menu\ysdcsc.exe
      "C:\ProgramData\Microsoft\Windows\Start Menu\ysdcsc.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5892
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\Start Menu\ysdcsc.exe
    1⤵
      PID:1956
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\Start Menu\ysdcsc.exe
      1⤵
        PID:6120
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\Start Menu\ysdcsc.exe
        1⤵
          PID:4008
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\Start Menu\ysdcsc.exe
          1⤵
            PID:2948
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\Start Menu\ysdcsc.exe
            1⤵
              PID:5712
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\Start Menu\ysdcsc.exe
              1⤵
                PID:5728
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\Start Menu\ysdcsc.exe
                1⤵
                  PID:852
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\Start Menu\ysdcsc.exe
                  1⤵
                    PID:5932
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\Start Menu\ysdcsc.exe
                    1⤵
                      PID:2960
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\Start Menu\ysdcsc.exe
                      1⤵
                        PID:5092
                      • C:\Windows\system32\cmd.exe
                        C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\Start Menu\ysdcsc.exe
                        1⤵
                          PID:5228
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\Start Menu\ysdcsc.exe
                          1⤵
                            PID:888
                          • C:\Windows\system32\cmd.exe
                            C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\Start Menu\ysdcsc.exe
                            1⤵
                              PID:3020
                            • C:\Windows\system32\cmd.exe
                              C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\Start Menu\ysdcsc.exe
                              1⤵
                                PID:440
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\Start Menu\ysdcsc.exe
                                1⤵
                                  PID:4608
                                • C:\Windows\system32\cmd.exe
                                  C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\Start Menu\ysdcsc.exe
                                  1⤵
                                    PID:4748

                                  Network

                                  MITRE ATT&CK Enterprise v15

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\ProgramData\Microsoft\Windows\Start Menu\ysdcsc.exe
                                    Filesize

                                    4.3MB

                                    MD5

                                    92f1fec21358cd78e8e4ac141f306a51

                                    SHA1

                                    bb04365c02979696b716ff338b4c753ed6b9216c

                                    SHA256

                                    bbca032c041e362e0e16fa9feb8d4f922302cbedd37d7a82723d9f48c4942e07

                                    SHA512

                                    c30225b9e9b1a9eef4d4bb91a769ae9fc18122e85764a76ff173626dcb04591c35400fc452a4da572930df02caa1c1b2ca521154947c6faf609e465a7de52065

                                    Download Submit

                                  • memory/5764-0-0x0000000000400000-0x0000000000D44000-memory.dmp

                                    Filesize

                                    9.3MB

                                    Download

                                  • memory/5764-1-0x00000000779D4000-0x00000000779D6000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/5764-2-0x0000000000401000-0x000000000044E000-memory.dmp

                                    Filesize

                                    308KB

                                    Download

                                  • memory/5764-3-0x0000000000400000-0x0000000000D44000-memory.dmp

                                    Filesize

                                    9.3MB

                                    Download

                                  • memory/5764-4-0x0000000000400000-0x0000000000D44000-memory.dmp

                                    Filesize

                                    9.3MB

                                    Download

                                  • memory/5764-5-0x0000000000400000-0x0000000000D44000-memory.dmp

                                    Filesize

                                    9.3MB

                                    Download

                                  • memory/5764-8-0x0000000000400000-0x0000000000D44000-memory.dmp

                                    Filesize

                                    9.3MB

                                    Download

                                  • memory/5764-15-0x0000000000400000-0x0000000000D44000-memory.dmp

                                    Filesize

                                    9.3MB

                                    Download

                                  • memory/5892-78-0x0000000000400000-0x0000000000D44000-memory.dmp

                                    Filesize

                                    9.3MB

                                    Download

                                  • memory/5892-84-0x0000000000400000-0x0000000000D44000-memory.dmp

                                    Filesize

                                    9.3MB

                                    Download

                                  • memory/5892-71-0x0000000000400000-0x0000000000D44000-memory.dmp

                                    Filesize

                                    9.3MB

                                    Download

                                  • memory/5892-72-0x0000000000400000-0x0000000000D44000-memory.dmp

                                    Filesize

                                    9.3MB

                                    Download

                                  • memory/5892-73-0x0000000000400000-0x0000000000D44000-memory.dmp

                                    Filesize

                                    9.3MB

                                    Download

                                  • memory/5892-74-0x0000000000400000-0x0000000000D44000-memory.dmp

                                    Filesize

                                    9.3MB

                                    Download

                                  • memory/5892-75-0x0000000000400000-0x0000000000D44000-memory.dmp

                                    Filesize

                                    9.3MB

                                    Download

                                  • memory/5892-76-0x0000000000400000-0x0000000000D44000-memory.dmp

                                    Filesize

                                    9.3MB

                                    Download

                                  • memory/5892-77-0x0000000000400000-0x0000000000D44000-memory.dmp

                                    Filesize

                                    9.3MB

                                    Download

                                  • memory/5892-69-0x0000000000400000-0x0000000000D44000-memory.dmp

                                    Filesize

                                    9.3MB

                                    Download

                                  • memory/5892-79-0x0000000000400000-0x0000000000D44000-memory.dmp

                                    Filesize

                                    9.3MB

                                    Download

                                  • memory/5892-80-0x0000000000400000-0x0000000000D44000-memory.dmp

                                    Filesize

                                    9.3MB

                                    Download

                                  • memory/5892-81-0x0000000000400000-0x0000000000D44000-memory.dmp

                                    Filesize

                                    9.3MB

                                    Download

                                  • memory/5892-82-0x0000000000400000-0x0000000000D44000-memory.dmp

                                    Filesize

                                    9.3MB

                                    Download

                                  • memory/5892-83-0x0000000000400000-0x0000000000D44000-memory.dmp

                                    Filesize

                                    9.3MB

                                    Download

                                  • memory/5892-70-0x0000000000400000-0x0000000000D44000-memory.dmp

                                    Filesize

                                    9.3MB

                                    Download

                                  • memory/5892-85-0x0000000000400000-0x0000000000D44000-memory.dmp

                                    Filesize

                                    9.3MB

                                    Download

                                  • memory/5892-86-0x0000000000400000-0x0000000000D44000-memory.dmp

                                    Filesize

                                    9.3MB

                                    Download

                                  • memory/5892-87-0x0000000000400000-0x0000000000D44000-memory.dmp

                                    Filesize

                                    9.3MB

                                    Download

                                  • memory/5892-88-0x0000000000400000-0x0000000000D44000-memory.dmp

                                    Filesize

                                    9.3MB

                                    Download

                                  • memory/5892-89-0x0000000000400000-0x0000000000D44000-memory.dmp

                                    Filesize

                                    9.3MB

                                    Download

                                  • memory/5892-90-0x0000000000400000-0x0000000000D44000-memory.dmp

                                    Filesize

                                    9.3MB

                                    Download

                                  • memory/5892-91-0x0000000000400000-0x0000000000D44000-memory.dmp

                                    Filesize

                                    9.3MB

                                    Download

                                  • memory/5892-92-0x0000000000400000-0x0000000000D44000-memory.dmp

                                    Filesize

                                    9.3MB

                                    Download

                                  • memory/5892-93-0x0000000000400000-0x0000000000D44000-memory.dmp

                                    Filesize

                                    9.3MB

                                    Download

                                  • memory/5892-94-0x0000000000400000-0x0000000000D44000-memory.dmp

                                    Filesize

                                    9.3MB

                                    Download

                                  • memory/5892-95-0x0000000000400000-0x0000000000D44000-memory.dmp

                                    Filesize

                                    9.3MB

                                    Download

                                  • memory/5892-96-0x0000000000400000-0x0000000000D44000-memory.dmp

                                    Filesize

                                    9.3MB

                                    Download

                                  • memory/5892-97-0x0000000000400000-0x0000000000D44000-memory.dmp

                                    Filesize

                                    9.3MB

                                    Download

                                  • memory/5892-98-0x0000000000400000-0x0000000000D44000-memory.dmp

                                    Filesize

                                    9.3MB

                                    Download