Overview

overview

10

Static

static

3

JaffaCakes...9b.exe

windows10-2004-x64

10

JaffaCakes...9b.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/04/2025, 03:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_bc56976bbcc722af33dee6c3d395be9b.exe

  • Size

    480KB

  • MD5

    bc56976bbcc722af33dee6c3d395be9b

  • SHA1

    2a2e6cb1f22b2fff1b4e1ceb3698ee8800ec59ed

  • SHA256

    b1e54f7e0b8233ec5ff57b3c2aca46b242205915cac4b6e06c51d14911e978f8

  • SHA512

    fd317b6211721210f4553319b57856cba0297179a2f0d41116a3144299d7ff9d9a99c1739e3a3388784f2ad11e37d5fe8afb4439c90ed4b8a333d4e413c54e70

  • SSDEEP

    12288:ty1lFipP5dFl9DhwZ0PRfwzp35HGPHb6kyQwTRHbVDU:ty1lc3TlnwkOaHhE

Score
10/10
darkcometms-dosdefense_evasiondiscoverypersistencerattrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

ms-dos

C2

pourmoi.zapto.org:2000

pourmoi.zapto.org:200

pourmoi.zapto.org:1604

pourmoi.zapto.org:164

pourmoi.zapto.org:80
Mutex

DC_MUTEX-HM3EBEZ

Attributes
  • gencode

    .o3or#SP7wV0

  • install

    false

  • offline_keylogger

    true

  • password

    da06101266

  • persistence

    false

rc4.plain

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Darkcomet family
    darkcomet
  • Sets file to hidden 1 TTPs 4 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    defense_evasion
  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 30 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 7 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 54 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs
  • Views/modifies file attributes 1 TTPs 4 IoCs
    defense_evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bc56976bbcc722af33dee6c3d395be9b.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bc56976bbcc722af33dee6c3d395be9b.exe"
    1⤵
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5760
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1792
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:976
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
          4⤵
          • Sets file to hidden
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:4408
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2672
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
          4⤵
          • Sets file to hidden
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:6088
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\winfile.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4920
    • C:\Users\Admin\AppData\Local\Temp\winfile.exe
      C:\Users\Admin\AppData\Local\Temp\winfile.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:6048
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:752
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4616
          • C:\Windows\SysWOW64\attrib.exe
            attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
            5⤵
            • Sets file to hidden
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:2720
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4640
          • C:\Windows\SysWOW64\attrib.exe
            attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
            5⤵
            • Sets file to hidden
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:6060

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat
    Filesize

    70B

    MD5

    73b0495dfd90f2f77a64d3ac7f6e7c03

    SHA1

    0503c56481fda524b90139b4d2e0b686765c355f

    SHA256

    0a4c374db7dcbe8944a2a3fc0d774247861318cc55494fe8b6f001fe46a69fc2

    SHA512

    9d6fbe22f8441cf2b78506bde2535e4137af1c200fe36272d4fb0adea8f33360c93cb1619c3b667514f185d632a078760ebc0f47eeb0825979e468a7c2c88e39

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat
    Filesize

    62B

    MD5

    c6abd7a109bb37ab773b9e79b91b7741

    SHA1

    7933b8795914b27483d2afed35b3830e8bf5bdb6

    SHA256

    8bc84b3ddfd9c295f555926bf1c311be423732423c585ca90796cdee7a245629

    SHA512

    35d14c9b7366a4737e3685223d55d85c583c7fbe73274577424dc8d9960cc78c79a80a8b42a62f6d9d9962ddd60cf2a332411d4ac18196258dc9d5b0b575e3dc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\winfile.exe
    Filesize

    480KB

    MD5

    bc56976bbcc722af33dee6c3d395be9b

    SHA1

    2a2e6cb1f22b2fff1b4e1ceb3698ee8800ec59ed

    SHA256

    b1e54f7e0b8233ec5ff57b3c2aca46b242205915cac4b6e06c51d14911e978f8

    SHA512

    fd317b6211721210f4553319b57856cba0297179a2f0d41116a3144299d7ff9d9a99c1739e3a3388784f2ad11e37d5fe8afb4439c90ed4b8a333d4e413c54e70

    Download Submit

  • memory/752-44-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/752-45-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/752-27-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/1792-55-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/1792-36-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/1792-9-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/1792-65-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/1792-64-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/1792-63-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/1792-17-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/1792-62-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/1792-10-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/1792-61-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/1792-6-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/1792-38-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/1792-39-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/1792-58-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/1792-37-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/1792-5-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/1792-60-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/1792-11-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/1792-49-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/1792-50-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/1792-51-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/1792-52-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/1792-53-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/1792-54-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/1792-59-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/1792-56-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/1792-57-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/5760-1-0x00000000746D0000-0x0000000074C81000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5760-0-0x00000000746D2000-0x00000000746D3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5760-2-0x00000000746D0000-0x0000000074C81000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5760-12-0x00000000746D0000-0x0000000074C81000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/6048-30-0x00000000746D0000-0x0000000074C81000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/6048-20-0x00000000746D0000-0x0000000074C81000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/6048-19-0x00000000746D0000-0x0000000074C81000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/6048-18-0x00000000746D2000-0x00000000746D3000-memory.dmp

    Filesize

    4KB

    Download