darkcomet | 00c74003c836810249535540ca35991ed322257b34b238815c45ad7c5b798379

General

Target

f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
Size

696KB
MD5

f19963d3be14b2814ebb426d696946d1
SHA1

b59615351092d16bf8351770e5babf14b9e98773
SHA256

00c74003c836810249535540ca35991ed322257b34b238815c45ad7c5b798379
SHA512

6dc3f6bfa3fd6f065496392ff753b72e47d6440e56d74e669faa963c7d0064655a80e967bdd47c6cf9ff197f7917285988f46e24875394897249dea3523b015a
SSDEEP

12288:8Bw47KoNeh77kTqnHu0EVQwmtKJZb5UsdRr3cPYgtjR+SI:8Bw2khAqMWoh5hV2jR+7

Score

10^/10

darkcomet guest16 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

lujadex.no-ip.org:5250

Mutex

DC_MUTEX-TSV5AGW

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
2JDQ9S3gs62T
install
true
offline_keylogger
true
password
my974637
persistence
false
reg_key
WinUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

Processes:

msdcsc.exemsdcsc.exe

pid process

2568 msdcsc.exe
2680 msdcsc.exe

pid	process
2568	msdcsc.exe
2680	msdcsc.exe

Loads dropped DLL 8 IoCs

Processes:

f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exemsdcsc.exemsdcsc.exe

pid	process
2168	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
2568	msdcsc.exe
2568	msdcsc.exe
2568	msdcsc.exe
2568	msdcsc.exe
2680	msdcsc.exe
2680	msdcsc.exe
2680	msdcsc.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exef19963d3be14b2814ebb426d696946d1_JaffaCakes118.exemsdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\name_me = "C:\\Users\\Admin\\AppData\\Roaming\\test.exe"	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\name_me = "C:\\Users\\Admin\\AppData\\Roaming\\test.exe"	msdcsc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exemsdcsc.exe

description	pid	process	target process
PID 2184 set thread context of 2168	2184	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
PID 2568 set thread context of 2680	2568	msdcsc.exe	msdcsc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exemsdcsc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2168	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
Token: SeSecurityPrivilege	2168	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2168	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2168	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2168	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2168	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2168	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2168	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2168	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
Token: SeBackupPrivilege	2168	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
Token: SeRestorePrivilege	2168	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
Token: SeShutdownPrivilege	2168	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
Token: SeDebugPrivilege	2168	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2168	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2168	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2168	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
Token: SeUndockPrivilege	2168	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2168	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2168	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2168	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
Token: 33	2168	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
Token: 34	2168	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
Token: 35	2168	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
Token: SeRestorePrivilege	2168	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
Token: SeBackupPrivilege	2168	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2680	msdcsc.exe
Token: SeSecurityPrivilege	2680	msdcsc.exe
Token: SeTakeOwnershipPrivilege	2680	msdcsc.exe
Token: SeLoadDriverPrivilege	2680	msdcsc.exe
Token: SeSystemProfilePrivilege	2680	msdcsc.exe
Token: SeSystemtimePrivilege	2680	msdcsc.exe
Token: SeProfSingleProcessPrivilege	2680	msdcsc.exe
Token: SeIncBasePriorityPrivilege	2680	msdcsc.exe
Token: SeCreatePagefilePrivilege	2680	msdcsc.exe
Token: SeBackupPrivilege	2680	msdcsc.exe
Token: SeRestorePrivilege	2680	msdcsc.exe
Token: SeShutdownPrivilege	2680	msdcsc.exe
Token: SeDebugPrivilege	2680	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	2680	msdcsc.exe
Token: SeChangeNotifyPrivilege	2680	msdcsc.exe
Token: SeRemoteShutdownPrivilege	2680	msdcsc.exe
Token: SeUndockPrivilege	2680	msdcsc.exe
Token: SeManageVolumePrivilege	2680	msdcsc.exe
Token: SeImpersonatePrivilege	2680	msdcsc.exe
Token: SeCreateGlobalPrivilege	2680	msdcsc.exe
Token: 33	2680	msdcsc.exe
Token: 34	2680	msdcsc.exe
Token: 35	2680	msdcsc.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exemsdcsc.exemsdcsc.exe

pid	process
2184	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
2184	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
2568	msdcsc.exe
2568	msdcsc.exe
2680	msdcsc.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exef19963d3be14b2814ebb426d696946d1_JaffaCakes118.exemsdcsc.exe

description	pid	process	target process
PID 2184 wrote to memory of 2168	2184	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
PID 2184 wrote to memory of 2168	2184	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
PID 2184 wrote to memory of 2168	2184	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
PID 2184 wrote to memory of 2168	2184	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
PID 2184 wrote to memory of 2168	2184	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
PID 2184 wrote to memory of 2168	2184	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
PID 2184 wrote to memory of 2168	2184	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
PID 2184 wrote to memory of 2168	2184	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
PID 2184 wrote to memory of 2168	2184	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
PID 2184 wrote to memory of 2168	2184	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
PID 2184 wrote to memory of 2168	2184	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
PID 2184 wrote to memory of 2168	2184	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
PID 2184 wrote to memory of 2168	2184	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
PID 2184 wrote to memory of 2168	2184	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
PID 2184 wrote to memory of 2168	2184	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
PID 2184 wrote to memory of 2168	2184	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
PID 2168 wrote to memory of 2568	2168	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe	msdcsc.exe
PID 2168 wrote to memory of 2568	2168	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe	msdcsc.exe
PID 2168 wrote to memory of 2568	2168	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe	msdcsc.exe
PID 2168 wrote to memory of 2568	2168	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe	msdcsc.exe
PID 2168 wrote to memory of 2568	2168	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe	msdcsc.exe
PID 2168 wrote to memory of 2568	2168	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe	msdcsc.exe
PID 2168 wrote to memory of 2568	2168	f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe	msdcsc.exe
PID 2568 wrote to memory of 2680	2568	msdcsc.exe	msdcsc.exe
PID 2568 wrote to memory of 2680	2568	msdcsc.exe	msdcsc.exe
PID 2568 wrote to memory of 2680	2568	msdcsc.exe	msdcsc.exe
PID 2568 wrote to memory of 2680	2568	msdcsc.exe	msdcsc.exe
PID 2568 wrote to memory of 2680	2568	msdcsc.exe	msdcsc.exe
PID 2568 wrote to memory of 2680	2568	msdcsc.exe	msdcsc.exe
PID 2568 wrote to memory of 2680	2568	msdcsc.exe	msdcsc.exe
PID 2568 wrote to memory of 2680	2568	msdcsc.exe	msdcsc.exe
PID 2568 wrote to memory of 2680	2568	msdcsc.exe	msdcsc.exe
PID 2568 wrote to memory of 2680	2568	msdcsc.exe	msdcsc.exe
PID 2568 wrote to memory of 2680	2568	msdcsc.exe	msdcsc.exe
PID 2568 wrote to memory of 2680	2568	msdcsc.exe	msdcsc.exe
PID 2568 wrote to memory of 2680	2568	msdcsc.exe	msdcsc.exe
PID 2568 wrote to memory of 2680	2568	msdcsc.exe	msdcsc.exe
PID 2568 wrote to memory of 2680	2568	msdcsc.exe	msdcsc.exe
PID 2568 wrote to memory of 2680	2568	msdcsc.exe	msdcsc.exe

C:\Users\Admin\AppData\Local\Temp\f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2184

C:\Users\Admin\AppData\Local\Temp\f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe"
2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2168

C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
"C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2568

C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
"C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2680

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\test.exe
Filesize
696KB

MD5
26dcd20b3c031d1cbe330d3bcbbf5ca2

SHA1
b81b9dff59f38f9f48fd49050b89412aa2a2d1f8

SHA256
5a1306015fd0358c0f8459bd12ba885190d9576fe8cea22f539b6255c1fb185e

SHA512
571b89bb8a4923eb2c84ad8876b36875d2506df43a1adfec38f0bdaae6e9475c809a10d5be6f87aa724e44da7dcae49f0a0006fbb956a7690fb02c0aa111ab6b

Download Submit
\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
Filesize
696KB

MD5
f19963d3be14b2814ebb426d696946d1

SHA1
b59615351092d16bf8351770e5babf14b9e98773

SHA256
00c74003c836810249535540ca35991ed322257b34b238815c45ad7c5b798379

SHA512
6dc3f6bfa3fd6f065496392ff753b72e47d6440e56d74e669faa963c7d0064655a80e967bdd47c6cf9ff197f7917285988f46e24875394897249dea3523b015a

Download Submit
memory/2168-24-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2168-12-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2168-4-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2168-10-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2168-33-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2168-14-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2168-16-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2168-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2168-19-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2168-20-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2168-38-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2168-22-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2168-2-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2168-25-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2168-8-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2168-6-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2184-1-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2184-21-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2568-42-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2568-63-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2680-69-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2680-64-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2680-70-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2680-73-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2680-72-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2680-71-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2680-74-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2680-76-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2680-77-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads