Overview

overview

10

Static

static

3

JaffaCakes...3a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250410-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/04/2025, 09:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_b43ba85a03bf4335d1d3909c8efa173a.exe

  • Size

    1.2MB

  • MD5

    b43ba85a03bf4335d1d3909c8efa173a

  • SHA1

    dfa4d47a3adf9327b7a7bc31218a2b71cb1dcc5d

  • SHA256

    bf9e49eaecc0dd3028a01ed883419c9c939f9f2e63f94453b7dd4829f7d95e66

  • SHA512

    ee27aa6899dcafbc4498cda3daa415338c5261e353ae67c1083e37356ff1735e6bca41818cf1a5fbba05867168cd92876da43a17d5197c02a48baaad255db296

  • SSDEEP

    24576:LESXV0YFkxerjdJ6dqOuSxqMuv4ktUIvTfZbnDfS0mTBypPEIRDL:BF0Y6xerjLUqMqz16kx3K0mTBypcSD

Score
10/10
darkcometguest16defense_evasiondiscoverypersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

hostmee.no-ip.org:1604

Mutex

DC_MUTEX-3WPRR8U

Attributes
  • gencode

    vFVvoYk4wjmc

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

rc4.plain

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Darkcomet family
    darkcomet
  • Modifies firewall policy service 3 TTPs 3 IoCs
    defense_evasion
  • Modifies security service 2 TTPs 1 IoCs
    defense_evasion
  • Windows security bypass 2 TTPs 2 IoCs
    defense_evasiontrojan
  • Executes dropped EXE 1 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    defense_evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b43ba85a03bf4335d1d3909c8efa173a.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b43ba85a03bf4335d1d3909c8efa173a.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1184
    • C:\Users\Admin\AppData\Local\Temp\winamp\wincom.exe
      C:\Users\Admin\AppData\Local\Temp\\winamp\wincom.exe
      2⤵
      • Modifies firewall policy service
      • Modifies security service
      • Windows security bypass
      • Executes dropped EXE
      • Windows security modification
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2816
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Program Files
    1⤵
      PID:5708
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rundll32 .exe
      1⤵
        PID:1120

      Network

      MITRE ATT&CK Enterprise v16

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\winamp\wincom.exe
        Filesize

        1.1MB

        MD5

        d881de17aa8f2e2c08cbb7b265f928f9

        SHA1

        08936aebc87decf0af6e8eada191062b5e65ac2a

        SHA256

        b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

        SHA512

        5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

        Download Submit

      • memory/1184-23-0x0000000000400000-0x00000000008AE000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/1184-1-0x0000000074DC2000-0x0000000074DC3000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1184-2-0x0000000074DC0000-0x0000000075371000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1184-3-0x0000000074DC0000-0x0000000075371000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1184-0-0x0000000000400000-0x00000000008AE000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/1184-24-0x0000000074DC0000-0x0000000075371000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2816-25-0x0000000000400000-0x00000000004B4000-memory.dmp

        Filesize

        720KB

        Download

      • memory/2816-29-0x0000000000400000-0x00000000004B4000-memory.dmp

        Filesize

        720KB

        Download

      • memory/2816-19-0x0000000000400000-0x00000000004B4000-memory.dmp

        Filesize

        720KB

        Download

      • memory/2816-21-0x0000000002500000-0x0000000002501000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2816-15-0x0000000000400000-0x00000000004B4000-memory.dmp

        Filesize

        720KB

        Download

      • memory/2816-10-0x0000000000400000-0x00000000004B4000-memory.dmp

        Filesize

        720KB

        Download

      • memory/2816-20-0x0000000000400000-0x00000000004B4000-memory.dmp

        Filesize

        720KB

        Download

      • memory/2816-7-0x0000000000400000-0x00000000004B4000-memory.dmp

        Filesize

        720KB

        Download

      • memory/2816-26-0x0000000000400000-0x00000000004B4000-memory.dmp

        Filesize

        720KB

        Download

      • memory/2816-27-0x0000000000400000-0x00000000004B4000-memory.dmp

        Filesize

        720KB

        Download

      • memory/2816-28-0x0000000000400000-0x00000000004B4000-memory.dmp

        Filesize

        720KB

        Download

      • memory/2816-17-0x0000000000400000-0x00000000004B4000-memory.dmp

        Filesize

        720KB

        Download

      • memory/2816-30-0x0000000000400000-0x00000000004B4000-memory.dmp

        Filesize

        720KB

        Download

      • memory/2816-31-0x0000000000400000-0x00000000004B4000-memory.dmp

        Filesize

        720KB

        Download

      • memory/2816-32-0x0000000000400000-0x00000000004B4000-memory.dmp

        Filesize

        720KB

        Download

      • memory/2816-33-0x0000000000400000-0x00000000004B4000-memory.dmp

        Filesize

        720KB

        Download

      • memory/2816-34-0x0000000000400000-0x00000000004B4000-memory.dmp

        Filesize

        720KB

        Download

      • memory/2816-35-0x0000000000400000-0x00000000004B4000-memory.dmp

        Filesize

        720KB

        Download

      • memory/2816-36-0x0000000000400000-0x00000000004B4000-memory.dmp

        Filesize

        720KB

        Download

      • memory/2816-37-0x0000000000400000-0x00000000004B4000-memory.dmp

        Filesize

        720KB

        Download

      • memory/2816-38-0x0000000000400000-0x00000000004B4000-memory.dmp

        Filesize

        720KB

        Download