File name:

794db9699bff6a6747ac8117087397d9JaffaCakes118

Full analysis: https://app.any.run/tasks/67e3b5c0-a929-477f-860e-e9e5eb99ade3
Verdict: Malicious activity
Threats:

DarkComet RAT is a malicious program designed to remotely control or administer a victim's computer, steal private data and spy on the victim.

Malware Trends Tracker     >>>
Analysis date: May 27, 2024, 15:38:58
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
darkcomet
rat
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5:

794DB9699BFF6A6747AC8117087397D9

SHA1:

82AE9573A54CB47BD978174E224AE055708ECA6D

SHA256:

F1951CAFD5128ED59D7D88BDA503F1EF3DC54769C5B1CE5EA710FB66EE585F76

SSDEEP:

12288:F52f0Uj8alHv1jAivC/7tIeaPpEE+rmNrK:F5C0UoalHv1jASC/7tIeaPpEEWKrK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • 794db9699bff6a6747ac8117087397d9JaffaCakes118.exe (PID: 6448)

    • Changes the autorun value in the registry

      • 794db9699bff6a6747ac8117087397d9JaffaCakes118.exe (PID: 6448)
      • msdcsc.exe (PID: 6608)

    • Changes the login/logoff helper path in the registry

      • 794db9699bff6a6747ac8117087397d9JaffaCakes118.exe (PID: 6448)

    • DARKCOMET has been detected (YARA)

      • msdcsc.exe (PID: 6608)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 794db9699bff6a6747ac8117087397d9JaffaCakes118.exe (PID: 6448)

    • Start notepad (likely ransomware note)

      • 794db9699bff6a6747ac8117087397d9JaffaCakes118.exe (PID: 6448)

    • Reads the date of Windows installation

      • 794db9699bff6a6747ac8117087397d9JaffaCakes118.exe (PID: 6448)

    • Reads security settings of Internet Explorer

      • 794db9699bff6a6747ac8117087397d9JaffaCakes118.exe (PID: 6448)

    • Starts itself from another location

      • 794db9699bff6a6747ac8117087397d9JaffaCakes118.exe (PID: 6448)

    • Connects to unusual port

      • msdcsc.exe (PID: 6608)

  • INFO

    • Create files in a temporary directory

      • 794db9699bff6a6747ac8117087397d9JaffaCakes118.exe (PID: 6448)

    • Reads the computer name

      • 794db9699bff6a6747ac8117087397d9JaffaCakes118.exe (PID: 6448)

    • Checks supported languages

      • 794db9699bff6a6747ac8117087397d9JaffaCakes118.exe (PID: 6448)

    • Process checks computer location settings

      • 794db9699bff6a6747ac8117087397d9JaffaCakes118.exe (PID: 6448)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (38.2)
.exe | Win32 EXE Yoda's Crypter (37.5)
.dll | Win32 Dynamic Link Library (generic) (9.2)
.exe | Win32 Executable (generic) (6.3)
.exe | Win16/32 Executable Delphi generic (2.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:06:08 11:12:27+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 253952
InitializedDataSize: 36864
UninitializedDataSize: 520192
EntryPoint: 0xbd8d0
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 4.0.0.0
ProductVersionNumber: 4.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: Remote Service Application
CompanyName: Microsoft Corp.
FileDescription: Remote Service Application
FileVersion: 1, 0, 0, 1
InternalName: MSRSAAPP
LegalCopyright: Copyright (C) 1999
OriginalFileName: MSRSAAP.EXE
ProductName: Remote Service Application
ProductVersion: 4, 0, 0, 0
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
118
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 794db9699bff6a6747ac8117087397d9jaffacakes118.exe notepad.exe no specs #DARKCOMET msdcsc.exe

Process information

PID
CMD
Path
Indicators
Parent process
6448"C:\Users\admin\Desktop\794db9699bff6a6747ac8117087397d9JaffaCakes118.exe" C:\Users\admin\Desktop\794db9699bff6a6747ac8117087397d9JaffaCakes118.exe
explorer.exe
User:
admin
Company:
Microsoft Corp.
Integrity Level:
MEDIUM
Description:
Remote Service Application
Exit code:
0
Version:
1, 0, 0, 1
Modules
Images
c:\users\admin\desktop\794db9699bff6a6747ac8117087397d9jaffacakes118.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
6532notepadC:\Windows\SysWOW64\notepad.exe794db9699bff6a6747ac8117087397d9JaffaCakes118.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
54067200
Version:
10.0.19041.1 (WinBuild.160101.0800)
6608"C:\Users\admin\AppData\Local\Temp\MSDCSC\msdcsc.exe" C:\Users\admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
794db9699bff6a6747ac8117087397d9JaffaCakes118.exe
User:
admin
Company:
Microsoft Corp.
Integrity Level:
MEDIUM
Description:
Remote Service Application
Version:
1, 0, 0, 1
Total events
4 442
Read events
4 417
Write events
25
Delete events
0

Modification events

(PID) Process:(6448) 794db9699bff6a6747ac8117087397d9JaffaCakes118.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:MicroUpdate
Value:
C:\Users\admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
(PID) Process:(6448) 794db9699bff6a6747ac8117087397d9JaffaCakes118.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation:writeName:UserInit
Value:
C:\Windows\system32\userinit.exe,C:\Users\admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
(PID) Process:(6448) 794db9699bff6a6747ac8117087397d9JaffaCakes118.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:(6448) 794db9699bff6a6747ac8117087397d9JaffaCakes118.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(6448) 794db9699bff6a6747ac8117087397d9JaffaCakes118.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(6448) 794db9699bff6a6747ac8117087397d9JaffaCakes118.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(6448) 794db9699bff6a6747ac8117087397d9JaffaCakes118.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(6608) msdcsc.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:MicroUpdate
Value:
C:\Users\admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
6448794db9699bff6a6747ac8117087397d9JaffaCakes118.exeC:\Users\admin\AppData\Local\Temp\MSDCSC\msdcsc.exeexecutable
MD5:794DB9699BFF6A6747AC8117087397D9
SHA256:F1951CAFD5128ED59D7D88BDA503F1EF3DC54769C5B1CE5EA710FB66EE585F76
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
25
DNS requests
6
Threats
10

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5140
MoUsoCoreWorker.exe
GET
200
23.10.249.17:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
5548
svchost.exe
GET
200
2.22.201.205:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
5140
MoUsoCoreWorker.exe
GET
200
2.22.201.205:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
5944
RUXIMICS.exe
GET
200
2.22.201.205:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
5944
RUXIMICS.exe
GET
200
23.10.249.17:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
5548
svchost.exe
GET
200
23.10.249.17:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5548
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5944
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5140
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5548
svchost.exe
23.10.249.17:80
crl.microsoft.com
Akamai International B.V.
CH
unknown
5944
RUXIMICS.exe
23.10.249.17:80
crl.microsoft.com
Akamai International B.V.
CH
unknown
5140
MoUsoCoreWorker.exe
23.10.249.17:80
crl.microsoft.com
Akamai International B.V.
CH
unknown
5548
svchost.exe
2.22.201.205:80
www.microsoft.com
AKAMAI-AS
FR
unknown
5140
MoUsoCoreWorker.exe
2.22.201.205:80
www.microsoft.com
AKAMAI-AS
FR
unknown
5944
RUXIMICS.exe
2.22.201.205:80
www.microsoft.com
AKAMAI-AS
FR
unknown
178.57.243.55:1604
lololololol228.ddns.net
Flex Ltd.
RU
unknown

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 23.10.249.17
  • 23.10.249.24
whitelisted
www.microsoft.com
  • 2.22.201.205
whitelisted
lololololol228.ddns.net
  • 178.57.243.55
unknown
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
self.events.data.microsoft.com
  • 20.44.10.123
whitelisted

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET POLICY DNS Query to DynDNS Domain *.ddns .net
2184
svchost.exe
Potentially Bad Traffic
ET POLICY DNS Query to DynDNS Domain *.ddns .net
8 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
794db9699bff6a6747ac8117087397d9JaffaCakes118