darkcomet | 3ec0a079d0652f425432709ad41d60476a26558047714ab87975567270d6d83f

Analysis

max time kernel
151s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2024 00:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Size

728KB
MD5

f910ba6ba0a9de0c1f139c1199e89875
SHA1

e60e5ef468071cb34c645190710e87437bdf2794
SHA256

3ec0a079d0652f425432709ad41d60476a26558047714ab87975567270d6d83f
SHA512

55e8047d32be884d43b126fa23a2a000e44c75cc5639a3fa25cd18da40946d74a86ec49d6efe5d0424449c3aeb9de24d6e03513637c96f0672ea7e697530cad5
SSDEEP

12288:qgqCYAk9Fv6ifHjKqM3ZjU1jPeu+69EoHcboSpu56HH:qkk9FvSqAOwucbvp7

Score

10^/10

darkcomet persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\microsoft\\winupdate.exe"	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exewinupdate.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

Processes:

winupdate.exewinupdate.exe

pid	Process
3920	winupdate.exe
2112	winupdate.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\microsoft\\winupdate.exe"	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exewinupdate.exe

description	pid	Process	procid_target
PID 3192 set thread context of 3100	3192	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	92
PID 3920 set thread context of 2112	3920	winupdate.exe	95

Drops file in Windows directory 4 IoCs

Processes:

f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exewinupdate.exe

description	ioc	Process
File created	C:\Windows\microsoft\winupdate.exe	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
File opened for modification	C:\Windows\microsoft\winupdate.exe	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
File opened for modification	C:\Windows\microsoft\	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
File opened for modification	C:\Windows\microsoft\winupdate.exe	winupdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exewinupdate.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exewinupdate.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe

Modifies registry class 1 IoCs

Processes:

f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exewinupdate.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeSecurityPrivilege	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeSystemtimePrivilege	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeBackupPrivilege	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeRestorePrivilege	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeShutdownPrivilege	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeDebugPrivilege	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeUndockPrivilege	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeManageVolumePrivilege	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeImpersonatePrivilege	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: 33	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: 34	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: 35	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: 36	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2112	winupdate.exe
Token: SeSecurityPrivilege	2112	winupdate.exe
Token: SeTakeOwnershipPrivilege	2112	winupdate.exe
Token: SeLoadDriverPrivilege	2112	winupdate.exe
Token: SeSystemProfilePrivilege	2112	winupdate.exe
Token: SeSystemtimePrivilege	2112	winupdate.exe
Token: SeProfSingleProcessPrivilege	2112	winupdate.exe
Token: SeIncBasePriorityPrivilege	2112	winupdate.exe
Token: SeCreatePagefilePrivilege	2112	winupdate.exe
Token: SeBackupPrivilege	2112	winupdate.exe
Token: SeRestorePrivilege	2112	winupdate.exe
Token: SeShutdownPrivilege	2112	winupdate.exe
Token: SeDebugPrivilege	2112	winupdate.exe
Token: SeSystemEnvironmentPrivilege	2112	winupdate.exe
Token: SeChangeNotifyPrivilege	2112	winupdate.exe
Token: SeRemoteShutdownPrivilege	2112	winupdate.exe
Token: SeUndockPrivilege	2112	winupdate.exe
Token: SeManageVolumePrivilege	2112	winupdate.exe
Token: SeImpersonatePrivilege	2112	winupdate.exe
Token: SeCreateGlobalPrivilege	2112	winupdate.exe
Token: 33	2112	winupdate.exe
Token: 34	2112	winupdate.exe
Token: 35	2112	winupdate.exe
Token: 36	2112	winupdate.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exewinupdate.exewinupdate.exe

pid	Process
3192	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
3920	winupdate.exe
2112	winupdate.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exef910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exewinupdate.exe

description	pid	Process	procid_target
PID 3192 wrote to memory of 3100	3192	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	92
PID 3192 wrote to memory of 3100	3192	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	92
PID 3192 wrote to memory of 3100	3192	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	92
PID 3192 wrote to memory of 3100	3192	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	92
PID 3192 wrote to memory of 3100	3192	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	92
PID 3192 wrote to memory of 3100	3192	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	92
PID 3192 wrote to memory of 3100	3192	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	92
PID 3192 wrote to memory of 3100	3192	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	92
PID 3192 wrote to memory of 3100	3192	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	92
PID 3192 wrote to memory of 3100	3192	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	92
PID 3192 wrote to memory of 3100	3192	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	92
PID 3192 wrote to memory of 3100	3192	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	92
PID 3192 wrote to memory of 3100	3192	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	92
PID 3192 wrote to memory of 3100	3192	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	92
PID 3100 wrote to memory of 4976	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	93
PID 3100 wrote to memory of 4976	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	93
PID 3100 wrote to memory of 4976	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	93
PID 3100 wrote to memory of 3920	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	94
PID 3100 wrote to memory of 3920	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	94
PID 3100 wrote to memory of 3920	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	94
PID 3920 wrote to memory of 2112	3920	winupdate.exe	95
PID 3920 wrote to memory of 2112	3920	winupdate.exe	95
PID 3920 wrote to memory of 2112	3920	winupdate.exe	95
PID 3920 wrote to memory of 2112	3920	winupdate.exe	95
PID 3920 wrote to memory of 2112	3920	winupdate.exe	95
PID 3920 wrote to memory of 2112	3920	winupdate.exe	95
PID 3920 wrote to memory of 2112	3920	winupdate.exe	95
PID 3920 wrote to memory of 2112	3920	winupdate.exe	95
PID 3920 wrote to memory of 2112	3920	winupdate.exe	95
PID 3920 wrote to memory of 2112	3920	winupdate.exe	95
PID 3920 wrote to memory of 2112	3920	winupdate.exe	95
PID 3920 wrote to memory of 2112	3920	winupdate.exe	95
PID 3920 wrote to memory of 2112	3920	winupdate.exe	95
PID 3920 wrote to memory of 2112	3920	winupdate.exe	95

C:\Users\Admin\AppData\Local\Temp\f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Users\Admin\AppData\Local\Temp\f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
  2⤵
  - Modifies WinLogon for persistence
  - Checks BIOS information in registry
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3100
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\SysWOW64\explorer.exe"
    3⤵
    PID:4976
- - C:\Windows\microsoft\winupdate.exe
    "C:\Windows\microsoft\winupdate.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3920
  - - C:\Windows\microsoft\winupdate.exe
      C:\Windows\microsoft\winupdate.exe
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3712 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\microsoft\winupdate.exe

Filesize
728KB

MD5
f910ba6ba0a9de0c1f139c1199e89875

SHA1
e60e5ef468071cb34c645190710e87437bdf2794

SHA256
3ec0a079d0652f425432709ad41d60476a26558047714ab87975567270d6d83f

SHA512
55e8047d32be884d43b126fa23a2a000e44c75cc5639a3fa25cd18da40946d74a86ec49d6efe5d0424449c3aeb9de24d6e03513637c96f0672ea7e697530cad5

Download Submit
memory/2112-90-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2112-92-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2112-84-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2112-98-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2112-85-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2112-97-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2112-96-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2112-77-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2112-78-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2112-79-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/2112-80-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2112-86-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2112-82-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2112-83-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2112-95-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2112-94-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2112-81-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2112-87-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/2112-88-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2112-89-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2112-93-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2112-91-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3100-4-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3100-2-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3100-7-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3100-5-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3100-68-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3100-3-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3100-6-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download