darkcomet | 64ea99edbcd0043f4224688f6fbb0216c4495dd1dfed553eae3fcdc75c97f963

Analysis

max time kernel
119s
max time network
131s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-04-2024 03:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f96e1bf66b8130410009d9385fb1d4b2_JaffaCakes118.exe
Size

1.5MB
MD5

f96e1bf66b8130410009d9385fb1d4b2
SHA1

07c00813f7acc4385b8e560e3e225bc8428f6318
SHA256

64ea99edbcd0043f4224688f6fbb0216c4495dd1dfed553eae3fcdc75c97f963
SHA512

3d883743614fcf11b4f3514d73166fe80f6c5df0c45feb8d05d3ab8ad51fb77dccb5e6b2bbe13bfa62e8e946873196ae62bcd9aed60b2c2c6b4b2037b9cad7ed
SSDEEP

24576:8HhKD9sk9ovoFZVA/+JH6REiH5BdDbKZU6P23tDkqDGNbw6OT:/9dDJaRNHbdDB24DkPN

Score

10^/10

darkcomet guest16 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

127.0.0.1:1604

Mutex

DC_MUTEX-BJPQTYY

Attributes

InstallPath
PDF_ChallanList_1_21_2016 12_00_00 AM
gencode
clubUqWbr20Q
install
true
offline_keylogger
true
password
0123456789
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\PDF_ChallanList_1_21_2016 12_00_00 AM"	vbc.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\PDF_ChallanList_1_21_2016 12_00_00 AM"	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

f96e1bf66b8130410009d9385fb1d4b2_JaffaCakes118.exe

description	pid	Process	procid_target
PID 1916 set thread context of 1676	1916	f96e1bf66b8130410009d9385fb1d4b2_JaffaCakes118.exe	28

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid	Process
2900	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

vbc.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1676	vbc.exe
Token: SeSecurityPrivilege	1676	vbc.exe
Token: SeTakeOwnershipPrivilege	1676	vbc.exe
Token: SeLoadDriverPrivilege	1676	vbc.exe
Token: SeSystemProfilePrivilege	1676	vbc.exe
Token: SeSystemtimePrivilege	1676	vbc.exe
Token: SeProfSingleProcessPrivilege	1676	vbc.exe
Token: SeIncBasePriorityPrivilege	1676	vbc.exe
Token: SeCreatePagefilePrivilege	1676	vbc.exe
Token: SeBackupPrivilege	1676	vbc.exe
Token: SeRestorePrivilege	1676	vbc.exe
Token: SeShutdownPrivilege	1676	vbc.exe
Token: SeDebugPrivilege	1676	vbc.exe
Token: SeSystemEnvironmentPrivilege	1676	vbc.exe
Token: SeChangeNotifyPrivilege	1676	vbc.exe
Token: SeRemoteShutdownPrivilege	1676	vbc.exe
Token: SeUndockPrivilege	1676	vbc.exe
Token: SeManageVolumePrivilege	1676	vbc.exe
Token: SeImpersonatePrivilege	1676	vbc.exe
Token: SeCreateGlobalPrivilege	1676	vbc.exe
Token: 33	1676	vbc.exe
Token: 34	1676	vbc.exe
Token: 35	1676	vbc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

AcroRd32.exe

pid	Process
2900	AcroRd32.exe
2900	AcroRd32.exe
2900	AcroRd32.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

f96e1bf66b8130410009d9385fb1d4b2_JaffaCakes118.exevbc.exe

description	pid	Process	procid_target
PID 1916 wrote to memory of 1676	1916	f96e1bf66b8130410009d9385fb1d4b2_JaffaCakes118.exe	28
PID 1916 wrote to memory of 1676	1916	f96e1bf66b8130410009d9385fb1d4b2_JaffaCakes118.exe	28
PID 1916 wrote to memory of 1676	1916	f96e1bf66b8130410009d9385fb1d4b2_JaffaCakes118.exe	28
PID 1916 wrote to memory of 1676	1916	f96e1bf66b8130410009d9385fb1d4b2_JaffaCakes118.exe	28
PID 1916 wrote to memory of 1676	1916	f96e1bf66b8130410009d9385fb1d4b2_JaffaCakes118.exe	28
PID 1916 wrote to memory of 1676	1916	f96e1bf66b8130410009d9385fb1d4b2_JaffaCakes118.exe	28
PID 1916 wrote to memory of 1676	1916	f96e1bf66b8130410009d9385fb1d4b2_JaffaCakes118.exe	28
PID 1916 wrote to memory of 1676	1916	f96e1bf66b8130410009d9385fb1d4b2_JaffaCakes118.exe	28
PID 1916 wrote to memory of 1676	1916	f96e1bf66b8130410009d9385fb1d4b2_JaffaCakes118.exe	28
PID 1916 wrote to memory of 1676	1916	f96e1bf66b8130410009d9385fb1d4b2_JaffaCakes118.exe	28
PID 1916 wrote to memory of 1676	1916	f96e1bf66b8130410009d9385fb1d4b2_JaffaCakes118.exe	28
PID 1916 wrote to memory of 1676	1916	f96e1bf66b8130410009d9385fb1d4b2_JaffaCakes118.exe	28
PID 1916 wrote to memory of 1676	1916	f96e1bf66b8130410009d9385fb1d4b2_JaffaCakes118.exe	28
PID 1676 wrote to memory of 2900	1676	vbc.exe	29
PID 1676 wrote to memory of 2900	1676	vbc.exe	29
PID 1676 wrote to memory of 2900	1676	vbc.exe	29
PID 1676 wrote to memory of 2900	1676	vbc.exe	29
PID 1676 wrote to memory of 2064	1676	vbc.exe	30
PID 1676 wrote to memory of 2064	1676	vbc.exe	30
PID 1676 wrote to memory of 2064	1676	vbc.exe	30
PID 1676 wrote to memory of 2064	1676	vbc.exe	30
PID 1676 wrote to memory of 2064	1676	vbc.exe	30
PID 1676 wrote to memory of 2064	1676	vbc.exe	30
PID 1676 wrote to memory of 2064	1676	vbc.exe	30
PID 1676 wrote to memory of 2064	1676	vbc.exe	30
PID 1676 wrote to memory of 2064	1676	vbc.exe	30
PID 1676 wrote to memory of 2064	1676	vbc.exe	30
PID 1676 wrote to memory of 2064	1676	vbc.exe	30
PID 1676 wrote to memory of 2064	1676	vbc.exe	30
PID 1676 wrote to memory of 2064	1676	vbc.exe	30
PID 1676 wrote to memory of 2064	1676	vbc.exe	30
PID 1676 wrote to memory of 2064	1676	vbc.exe	30
PID 1676 wrote to memory of 2064	1676	vbc.exe	30
PID 1676 wrote to memory of 2064	1676	vbc.exe	30
PID 1676 wrote to memory of 2064	1676	vbc.exe	30

C:\Users\Admin\AppData\Local\Temp\f96e1bf66b8130410009d9385fb1d4b2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f96e1bf66b8130410009d9385fb1d4b2_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Modifies WinLogon for persistence
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\PDF_CHALLANLIST_1_21_2016 12_00_00 AM.PDF"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2900
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PDF_CHALLANLIST_1_21_2016 12_00_00 AM.PDF

Filesize
24KB

MD5
7ab2cbee381c1e16113b7d05a0d713ae

SHA1
18295bd9e209484101619a892c1567112db389ea

SHA256
376d111e98fd8e0e2a87381c66c1f3576525a1b641cbf63bbe9ce94bc581d569

SHA512
ef93a060234860a0d4a287dbe9d21d81651231a43b17f309df531ce1c2e2cbf3da6f31e7a81a8caf3cc7b4f42c39db6aa6c98bea771e9a861bb7dd27d9f9370a

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
e355ba2621339c41d50929e7b1a4cb03

SHA1
f38fcd3876b8eec267adbbd291f6576049d3e59a

SHA256
be2deaa09f4a897c674c09cad9dff7ac33c3eb5ebcff0f3d3f764530f643693f

SHA512
421317e3bdcbddee3a4ab2fc188fd6695a8409eaf339a53f674c9f930eba7423838dedd82f66973ffadda82338bd6b9eb4b3688aa9b02054cfb8b1c40fcab432

Download Submit
memory/1676-15-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1676-20-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1676-4-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1676-5-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1676-7-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1676-9-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1676-11-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1676-13-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1676-53-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1676-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1676-19-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1676-3-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1676-24-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1676-22-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1676-23-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1916-21-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/1916-2-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/1916-0-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/1916-1-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/2064-29-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2064-51-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download