Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system -
submitted
29/03/2025, 18:51
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_92f1fec21358cd78e8e4ac141f306a51.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
JaffaCakes118_92f1fec21358cd78e8e4ac141f306a51.exe
Resource
win10v2004-20250314-en
General
-
Target
JaffaCakes118_92f1fec21358cd78e8e4ac141f306a51.exe
-
Size
4.3MB
-
MD5
92f1fec21358cd78e8e4ac141f306a51
-
SHA1
bb04365c02979696b716ff338b4c753ed6b9216c
-
SHA256
bbca032c041e362e0e16fa9feb8d4f922302cbedd37d7a82723d9f48c4942e07
-
SHA512
c30225b9e9b1a9eef4d4bb91a769ae9fc18122e85764a76ff173626dcb04591c35400fc452a4da572930df02caa1c1b2ca521154947c6faf609e465a7de52065
-
SSDEEP
98304:9N9i17FiopkxhnabECb3bgr7nbmD2dXol+7r7QpV3FU/x8:rQ17FimkatgvHJol07ud
Malware Config
Extracted
darkcomet
rat5
hacker1qaz.no-ip.org:4445
DC_MUTEX-D9Y8Z5C
-
InstallPath
ysdcsc.exe
-
gencode
wdiS39FWlk0u
-
install
true
-
offline_keylogger
false
-
persistence
true
-
reg_key
MicosoftUpdate
Signatures
-
Darkcomet family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\ysdcsc.exe" JaffaCakes118_92f1fec21358cd78e8e4ac141f306a51.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ JaffaCakes118_92f1fec21358cd78e8e4ac141f306a51.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ ysdcsc.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation JaffaCakes118_92f1fec21358cd78e8e4ac141f306a51.exe -
Executes dropped EXE 1 IoCs
pid Process 5892 ysdcsc.exe -
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Wine JaffaCakes118_92f1fec21358cd78e8e4ac141f306a51.exe Key opened \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Wine ysdcsc.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicosoftUpdate = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\ysdcsc.exe" JaffaCakes118_92f1fec21358cd78e8e4ac141f306a51.exe Set value (str) \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicosoftUpdate = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\ysdcsc.exe" ysdcsc.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 5764 JaffaCakes118_92f1fec21358cd78e8e4ac141f306a51.exe 5892 ysdcsc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_92f1fec21358cd78e8e4ac141f306a51.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ysdcsc.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ JaffaCakes118_92f1fec21358cd78e8e4ac141f306a51.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 5764 JaffaCakes118_92f1fec21358cd78e8e4ac141f306a51.exe 5764 JaffaCakes118_92f1fec21358cd78e8e4ac141f306a51.exe 5892 ysdcsc.exe 5892 ysdcsc.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 5764 JaffaCakes118_92f1fec21358cd78e8e4ac141f306a51.exe Token: SeSecurityPrivilege 5764 JaffaCakes118_92f1fec21358cd78e8e4ac141f306a51.exe Token: SeTakeOwnershipPrivilege 5764 JaffaCakes118_92f1fec21358cd78e8e4ac141f306a51.exe Token: SeLoadDriverPrivilege 5764 JaffaCakes118_92f1fec21358cd78e8e4ac141f306a51.exe Token: SeSystemProfilePrivilege 5764 JaffaCakes118_92f1fec21358cd78e8e4ac141f306a51.exe Token: SeSystemtimePrivilege 5764 JaffaCakes118_92f1fec21358cd78e8e4ac141f306a51.exe Token: SeProfSingleProcessPrivilege 5764 JaffaCakes118_92f1fec21358cd78e8e4ac141f306a51.exe Token: SeIncBasePriorityPrivilege 5764 JaffaCakes118_92f1fec21358cd78e8e4ac141f306a51.exe Token: SeCreatePagefilePrivilege 5764 JaffaCakes118_92f1fec21358cd78e8e4ac141f306a51.exe Token: SeBackupPrivilege 5764 JaffaCakes118_92f1fec21358cd78e8e4ac141f306a51.exe Token: SeRestorePrivilege 5764 JaffaCakes118_92f1fec21358cd78e8e4ac141f306a51.exe Token: SeShutdownPrivilege 5764 JaffaCakes118_92f1fec21358cd78e8e4ac141f306a51.exe Token: SeDebugPrivilege 5764 JaffaCakes118_92f1fec21358cd78e8e4ac141f306a51.exe Token: SeSystemEnvironmentPrivilege 5764 JaffaCakes118_92f1fec21358cd78e8e4ac141f306a51.exe Token: SeChangeNotifyPrivilege 5764 JaffaCakes118_92f1fec21358cd78e8e4ac141f306a51.exe Token: SeRemoteShutdownPrivilege 5764 JaffaCakes118_92f1fec21358cd78e8e4ac141f306a51.exe Token: SeUndockPrivilege 5764 JaffaCakes118_92f1fec21358cd78e8e4ac141f306a51.exe Token: SeManageVolumePrivilege 5764 JaffaCakes118_92f1fec21358cd78e8e4ac141f306a51.exe Token: SeImpersonatePrivilege 5764 JaffaCakes118_92f1fec21358cd78e8e4ac141f306a51.exe Token: SeCreateGlobalPrivilege 5764 JaffaCakes118_92f1fec21358cd78e8e4ac141f306a51.exe Token: 33 5764 JaffaCakes118_92f1fec21358cd78e8e4ac141f306a51.exe Token: 34 5764 JaffaCakes118_92f1fec21358cd78e8e4ac141f306a51.exe Token: 35 5764 JaffaCakes118_92f1fec21358cd78e8e4ac141f306a51.exe Token: 36 5764 JaffaCakes118_92f1fec21358cd78e8e4ac141f306a51.exe Token: SeIncreaseQuotaPrivilege 5892 ysdcsc.exe Token: SeSecurityPrivilege 5892 ysdcsc.exe Token: SeTakeOwnershipPrivilege 5892 ysdcsc.exe Token: SeLoadDriverPrivilege 5892 ysdcsc.exe Token: SeSystemProfilePrivilege 5892 ysdcsc.exe Token: SeSystemtimePrivilege 5892 ysdcsc.exe Token: SeProfSingleProcessPrivilege 5892 ysdcsc.exe Token: SeIncBasePriorityPrivilege 5892 ysdcsc.exe Token: SeCreatePagefilePrivilege 5892 ysdcsc.exe Token: SeBackupPrivilege 5892 ysdcsc.exe Token: SeRestorePrivilege 5892 ysdcsc.exe Token: SeShutdownPrivilege 5892 ysdcsc.exe Token: SeDebugPrivilege 5892 ysdcsc.exe Token: SeSystemEnvironmentPrivilege 5892 ysdcsc.exe Token: SeChangeNotifyPrivilege 5892 ysdcsc.exe Token: SeRemoteShutdownPrivilege 5892 ysdcsc.exe Token: SeUndockPrivilege 5892 ysdcsc.exe Token: SeManageVolumePrivilege 5892 ysdcsc.exe Token: SeImpersonatePrivilege 5892 ysdcsc.exe Token: SeCreateGlobalPrivilege 5892 ysdcsc.exe Token: 33 5892 ysdcsc.exe Token: 34 5892 ysdcsc.exe Token: 35 5892 ysdcsc.exe Token: 36 5892 ysdcsc.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 5764 wrote to memory of 5892 5764 JaffaCakes118_92f1fec21358cd78e8e4ac141f306a51.exe 92 PID 5764 wrote to memory of 5892 5764 JaffaCakes118_92f1fec21358cd78e8e4ac141f306a51.exe 92 PID 5764 wrote to memory of 5892 5764 JaffaCakes118_92f1fec21358cd78e8e4ac141f306a51.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_92f1fec21358cd78e8e4ac141f306a51.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_92f1fec21358cd78e8e4ac141f306a51.exe"1⤵
- Modifies WinLogon for persistence
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks computer location settings
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5764 -
C:\ProgramData\Microsoft\Windows\Start Menu\ysdcsc.exe"C:\ProgramData\Microsoft\Windows\Start Menu\ysdcsc.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5892
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\Start Menu\ysdcsc.exe1⤵PID:1956
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\Start Menu\ysdcsc.exe1⤵PID:6120
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\Start Menu\ysdcsc.exe1⤵PID:4008
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\Start Menu\ysdcsc.exe1⤵PID:2948
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\Start Menu\ysdcsc.exe1⤵PID:5712
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\Start Menu\ysdcsc.exe1⤵PID:5728
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\Start Menu\ysdcsc.exe1⤵PID:852
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\Start Menu\ysdcsc.exe1⤵PID:5932
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\Start Menu\ysdcsc.exe1⤵PID:2960
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\Start Menu\ysdcsc.exe1⤵PID:5092
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\Start Menu\ysdcsc.exe1⤵PID:5228
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\Start Menu\ysdcsc.exe1⤵PID:888
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\Start Menu\ysdcsc.exe1⤵PID:3020
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\Start Menu\ysdcsc.exe1⤵PID:440
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\Start Menu\ysdcsc.exe1⤵PID:4608
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\Start Menu\ysdcsc.exe1⤵PID:4748
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.3MB
MD592f1fec21358cd78e8e4ac141f306a51
SHA1bb04365c02979696b716ff338b4c753ed6b9216c
SHA256bbca032c041e362e0e16fa9feb8d4f922302cbedd37d7a82723d9f48c4942e07
SHA512c30225b9e9b1a9eef4d4bb91a769ae9fc18122e85764a76ff173626dcb04591c35400fc452a4da572930df02caa1c1b2ca521154947c6faf609e465a7de52065