Overview

overview

10

Static

static

10

3178fcad2d...18.exe

windows10-ltsc_2021-x64

10

3178fcad2d...18.exe

windows11-21h2-x64

10

Resubmissions

14/04/2025, 04:20

250414-ex92msynx2 10

14/04/2025, 03:24

250414-dydt6aztet 10

14/04/2025, 02:53

250414-ddh85sy1bs 10

13/04/2025, 19:39

250413-ydbjhssks5 10

13/04/2025, 01:50

250413-b9pdxswpt2 10

13/04/2025, 01:45

250413-b6f85swwgw 10

12/04/2025, 16:37

250412-t49rsaykv4 10

Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250410-en
  • resource tags

    arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    14/04/2025, 02:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe

  • Size

    658KB

  • MD5

    3178fcad2d2c2f3c0f4f70aecfb18db7

  • SHA1

    0ecad6522214f9bef4dd8f2f8eb927827bc4971c

  • SHA256

    dd8650f0e484ba0ea4775ccce3a9644bba747ee92f1b534628525c7ceedc69f9

  • SHA512

    57148c860850344b1086c8765c083862d57d99119914e218aca4c8e80dc9cbe48d206b6aefaea9ad5cda58a459ff5888f1bc82f6fabacd2aa81f52818cef4985

  • SSDEEP

    12288:+9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hV:KZ1xuVVjfFoynPaVBUR8f+kN10EBP

Score
10/10
darkcometguest16defense_evasiondiscoverypersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

127.0.0.1:1604

Mutex

DC_MUTEX-7X99PTF

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    DNgeskLTppzX

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    System32.dll

rc4.plain

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Darkcomet family
    darkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    defense_evasion
  • Executes dropped EXE 17 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    defense_evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1752
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe" +s +h
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1208
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Users\Admin\AppData\Local\Temp\3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe" +s +h
        3⤵
        • Sets file to hidden
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2344
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4996
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        3⤵
        • Sets file to hidden
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:920
    • C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
      "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4800
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2808
    • C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
      C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2452
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:244
    • C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
      C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1456
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4888
    • C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
      C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4912
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4896
    • C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
      C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3844
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3296
    • C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
      C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:5152
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4564
    • C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
      C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3904
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3484
    • C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
      C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2952
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1172
    • C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
      C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2792
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4948
    • C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
      C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2960
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2928
    • C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
      C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:6060
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5504
    • C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
      C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1248
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:980
    • C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
      C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:5288
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5548
    • C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
      C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4196
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1436
    • C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
      C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:5848
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3768
    • C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
      C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3592
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1852
    • C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
      C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1276
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:3932

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    Filesize

    658KB

    MD5

    3178fcad2d2c2f3c0f4f70aecfb18db7

    SHA1

    0ecad6522214f9bef4dd8f2f8eb927827bc4971c

    SHA256

    dd8650f0e484ba0ea4775ccce3a9644bba747ee92f1b534628525c7ceedc69f9

    SHA512

    57148c860850344b1086c8765c083862d57d99119914e218aca4c8e80dc9cbe48d206b6aefaea9ad5cda58a459ff5888f1bc82f6fabacd2aa81f52818cef4985

    Download Submit

  • memory/1248-37-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/1276-53-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/1456-8-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/1752-11-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/1752-0-0x0000000002470000-0x0000000002471000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2452-13-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/2452-6-0x0000000002230000-0x0000000002231000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2792-28-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/2952-25-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/2960-31-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/3592-50-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/3844-16-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/3904-22-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/4196-43-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/4800-10-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/4912-14-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/5152-19-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/5288-40-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/5848-47-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/6060-34-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download