Overview

overview

10

Static

static

3

JaffaCakes...9b.exe

windows10-2004-x64

10

JaffaCakes...9b.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    97s
  • max time network
    147s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250410-en
  • resource tags

    arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    18/04/2025, 03:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_bc56976bbcc722af33dee6c3d395be9b.exe

  • Size

    480KB

  • MD5

    bc56976bbcc722af33dee6c3d395be9b

  • SHA1

    2a2e6cb1f22b2fff1b4e1ceb3698ee8800ec59ed

  • SHA256

    b1e54f7e0b8233ec5ff57b3c2aca46b242205915cac4b6e06c51d14911e978f8

  • SHA512

    fd317b6211721210f4553319b57856cba0297179a2f0d41116a3144299d7ff9d9a99c1739e3a3388784f2ad11e37d5fe8afb4439c90ed4b8a333d4e413c54e70

  • SSDEEP

    12288:ty1lFipP5dFl9DhwZ0PRfwzp35HGPHb6kyQwTRHbVDU:ty1lc3TlnwkOaHhE

Score
10/10
darkcometms-dosdefense_evasiondiscoverypersistencerattrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

ms-dos

C2

pourmoi.zapto.org:2000

pourmoi.zapto.org:200

pourmoi.zapto.org:1604

pourmoi.zapto.org:164

pourmoi.zapto.org:80
Mutex

DC_MUTEX-HM3EBEZ

Attributes
  • gencode

    .o3or#SP7wV0

  • install

    false

  • offline_keylogger

    true

  • password

    da06101266

  • persistence

    false

rc4.plain

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Darkcomet family
    darkcomet
  • Sets file to hidden 1 TTPs 4 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    defense_evasion
  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 29 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 7 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 54 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs
  • Views/modifies file attributes 1 TTPs 4 IoCs
    defense_evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bc56976bbcc722af33dee6c3d395be9b.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bc56976bbcc722af33dee6c3d395be9b.exe"
    1⤵
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2556
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4908
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5344
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
          4⤵
          • Sets file to hidden
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:5088
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:868
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
          4⤵
          • Sets file to hidden
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:3468
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\winfile.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3220
    • C:\Users\Admin\AppData\Local\Temp\winfile.exe
      C:\Users\Admin\AppData\Local\Temp\winfile.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2312
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4200
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4412
          • C:\Windows\SysWOW64\attrib.exe
            attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
            5⤵
            • Sets file to hidden
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:2076
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4388
          • C:\Windows\SysWOW64\attrib.exe
            attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
            5⤵
            • Sets file to hidden
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:4964

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat
    Filesize

    70B

    MD5

    73b0495dfd90f2f77a64d3ac7f6e7c03

    SHA1

    0503c56481fda524b90139b4d2e0b686765c355f

    SHA256

    0a4c374db7dcbe8944a2a3fc0d774247861318cc55494fe8b6f001fe46a69fc2

    SHA512

    9d6fbe22f8441cf2b78506bde2535e4137af1c200fe36272d4fb0adea8f33360c93cb1619c3b667514f185d632a078760ebc0f47eeb0825979e468a7c2c88e39

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat
    Filesize

    62B

    MD5

    c6abd7a109bb37ab773b9e79b91b7741

    SHA1

    7933b8795914b27483d2afed35b3830e8bf5bdb6

    SHA256

    8bc84b3ddfd9c295f555926bf1c311be423732423c585ca90796cdee7a245629

    SHA512

    35d14c9b7366a4737e3685223d55d85c583c7fbe73274577424dc8d9960cc78c79a80a8b42a62f6d9d9962ddd60cf2a332411d4ac18196258dc9d5b0b575e3dc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\winfile.exe
    Filesize

    480KB

    MD5

    bc56976bbcc722af33dee6c3d395be9b

    SHA1

    2a2e6cb1f22b2fff1b4e1ceb3698ee8800ec59ed

    SHA256

    b1e54f7e0b8233ec5ff57b3c2aca46b242205915cac4b6e06c51d14911e978f8

    SHA512

    fd317b6211721210f4553319b57856cba0297179a2f0d41116a3144299d7ff9d9a99c1739e3a3388784f2ad11e37d5fe8afb4439c90ed4b8a333d4e413c54e70

    Download Submit

  • memory/2312-20-0x0000000074650000-0x0000000074C01000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2312-19-0x0000000074651000-0x0000000074652000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2312-38-0x0000000074650000-0x0000000074C01000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2312-21-0x0000000074650000-0x0000000074C01000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2556-1-0x0000000074650000-0x0000000074C01000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2556-2-0x0000000074650000-0x0000000074C01000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2556-15-0x0000000074650000-0x0000000074C01000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2556-0-0x0000000074651000-0x0000000074652000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4200-45-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/4200-43-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/4908-51-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/4908-62-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/4908-34-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/4908-32-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/4908-11-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/4908-12-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/4908-33-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/4908-5-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/4908-9-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/4908-8-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/4908-48-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/4908-52-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/4908-35-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/4908-50-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/4908-49-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/4908-53-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/4908-54-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/4908-55-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/4908-56-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/4908-57-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/4908-58-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/4908-59-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/4908-60-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/4908-61-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/4908-13-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/4908-63-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/4908-64-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download