darkcomet | 0b366adfcdfb5f69dce19a4083115cfd946dd951ee3ca0c9ca04d6a5d3d78b64

Analysis

max time kernel
149s
max time network
148s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
21-04-2024 16:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.exe
Size

401KB
MD5

ffaeeee9071cef34ec7e83431860733e
SHA1

d053f64e9d0630adcb9a9df1c4de3c3da2ffcfe3
SHA256

0b366adfcdfb5f69dce19a4083115cfd946dd951ee3ca0c9ca04d6a5d3d78b64
SHA512

891d4d3212500453e4c42098debe5e5bfe019924b93c45801661dce933fd749b8e77c02c67c5d998f279bf30cc84267b927a321a4bca7268d246f274ea506e12
SSDEEP

6144:NOavyIMd/QD4yK8WL3jhmsHzaMX7LtpXyAkfzAjI9ESYqIdXY8xE6zNTVWGR3m2h:4avNK8WL3j3OA7LTClLAjzqtnGP

Score

10^/10

darkcomet appii persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

appii

201.211.234.221:81

Mutex

DC_MUTEX-AMG0NUQ

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
eLS5S4kxZdKp
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.EXE

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.EXE

Executes dropped EXE 2 IoCs

Processes:

msdcsc.exemsdcsc.EXE

pid	Process
2556	msdcsc.exe
2168	msdcsc.EXE

Loads dropped DLL 2 IoCs

Processes:

ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.EXE

pid	Process
2956	ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.EXE
2956	ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.EXE

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2956-4-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/2956-9-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/2956-10-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/2956-5-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/2956-11-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/2956-12-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/2956-14-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/2956-13-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/2956-28-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/2168-40-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/2168-41-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/2168-42-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/2168-44-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/2168-75-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/2168-76-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/2168-77-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/2168-78-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/2168-80-0x0000000000400000-0x00000000004E8000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.EXEmsdcsc.EXE

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.EXE

Drops file in System32 directory 4 IoCs

Processes:

ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.EXEmsdcsc.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.EXE
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.EXE
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.EXE
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.EXE	msdcsc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.exemsdcsc.exe

description	pid	Process	procid_target
PID 2856 set thread context of 2956	2856	ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.exe	28
PID 2556 set thread context of 2168	2556	msdcsc.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.EXEmsdcsc.EXE

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2956	ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.EXE
Token: SeSecurityPrivilege	2956	ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.EXE
Token: SeTakeOwnershipPrivilege	2956	ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.EXE
Token: SeLoadDriverPrivilege	2956	ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.EXE
Token: SeSystemProfilePrivilege	2956	ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.EXE
Token: SeSystemtimePrivilege	2956	ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.EXE
Token: SeProfSingleProcessPrivilege	2956	ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.EXE
Token: SeIncBasePriorityPrivilege	2956	ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.EXE
Token: SeCreatePagefilePrivilege	2956	ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.EXE
Token: SeBackupPrivilege	2956	ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.EXE
Token: SeRestorePrivilege	2956	ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.EXE
Token: SeShutdownPrivilege	2956	ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.EXE
Token: SeDebugPrivilege	2956	ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.EXE
Token: SeSystemEnvironmentPrivilege	2956	ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.EXE
Token: SeChangeNotifyPrivilege	2956	ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.EXE
Token: SeRemoteShutdownPrivilege	2956	ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.EXE
Token: SeUndockPrivilege	2956	ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.EXE
Token: SeManageVolumePrivilege	2956	ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.EXE
Token: SeImpersonatePrivilege	2956	ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.EXE
Token: SeCreateGlobalPrivilege	2956	ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.EXE
Token: 33	2956	ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.EXE
Token: 34	2956	ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.EXE
Token: 35	2956	ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.EXE
Token: SeIncreaseQuotaPrivilege	2168	msdcsc.EXE
Token: SeSecurityPrivilege	2168	msdcsc.EXE
Token: SeTakeOwnershipPrivilege	2168	msdcsc.EXE
Token: SeLoadDriverPrivilege	2168	msdcsc.EXE
Token: SeSystemProfilePrivilege	2168	msdcsc.EXE
Token: SeSystemtimePrivilege	2168	msdcsc.EXE
Token: SeProfSingleProcessPrivilege	2168	msdcsc.EXE
Token: SeIncBasePriorityPrivilege	2168	msdcsc.EXE
Token: SeCreatePagefilePrivilege	2168	msdcsc.EXE
Token: SeBackupPrivilege	2168	msdcsc.EXE
Token: SeRestorePrivilege	2168	msdcsc.EXE
Token: SeShutdownPrivilege	2168	msdcsc.EXE
Token: SeDebugPrivilege	2168	msdcsc.EXE
Token: SeSystemEnvironmentPrivilege	2168	msdcsc.EXE
Token: SeChangeNotifyPrivilege	2168	msdcsc.EXE
Token: SeRemoteShutdownPrivilege	2168	msdcsc.EXE
Token: SeUndockPrivilege	2168	msdcsc.EXE
Token: SeManageVolumePrivilege	2168	msdcsc.EXE
Token: SeImpersonatePrivilege	2168	msdcsc.EXE
Token: SeCreateGlobalPrivilege	2168	msdcsc.EXE
Token: 33	2168	msdcsc.EXE
Token: 34	2168	msdcsc.EXE
Token: 35	2168	msdcsc.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.exemsdcsc.exemsdcsc.EXE

pid	Process
2856	ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.exe
2556	msdcsc.exe
2168	msdcsc.EXE

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.exeffaeeee9071cef34ec7e83431860733e_JaffaCakes118.EXEmsdcsc.exemsdcsc.EXE

description	pid	Process	procid_target
PID 2856 wrote to memory of 2956	2856	ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.exe	28
PID 2856 wrote to memory of 2956	2856	ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.exe	28
PID 2856 wrote to memory of 2956	2856	ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.exe	28
PID 2856 wrote to memory of 2956	2856	ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.exe	28
PID 2856 wrote to memory of 2956	2856	ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.exe	28
PID 2856 wrote to memory of 2956	2856	ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.exe	28
PID 2856 wrote to memory of 2956	2856	ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.exe	28
PID 2856 wrote to memory of 2956	2856	ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.exe	28
PID 2956 wrote to memory of 2556	2956	ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.EXE	29
PID 2956 wrote to memory of 2556	2956	ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.EXE	29
PID 2956 wrote to memory of 2556	2956	ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.EXE	29
PID 2956 wrote to memory of 2556	2956	ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.EXE	29
PID 2556 wrote to memory of 2168	2556	msdcsc.exe	30
PID 2556 wrote to memory of 2168	2556	msdcsc.exe	30
PID 2556 wrote to memory of 2168	2556	msdcsc.exe	30
PID 2556 wrote to memory of 2168	2556	msdcsc.exe	30
PID 2556 wrote to memory of 2168	2556	msdcsc.exe	30
PID 2556 wrote to memory of 2168	2556	msdcsc.exe	30
PID 2556 wrote to memory of 2168	2556	msdcsc.exe	30
PID 2556 wrote to memory of 2168	2556	msdcsc.exe	30
PID 2168 wrote to memory of 2884	2168	msdcsc.EXE	31
PID 2168 wrote to memory of 2884	2168	msdcsc.EXE	31
PID 2168 wrote to memory of 2884	2168	msdcsc.EXE	31
PID 2168 wrote to memory of 2884	2168	msdcsc.EXE	31
PID 2168 wrote to memory of 2884	2168	msdcsc.EXE	31
PID 2168 wrote to memory of 2884	2168	msdcsc.EXE	31
PID 2168 wrote to memory of 2884	2168	msdcsc.EXE	31
PID 2168 wrote to memory of 2884	2168	msdcsc.EXE	31
PID 2168 wrote to memory of 2884	2168	msdcsc.EXE	31
PID 2168 wrote to memory of 2884	2168	msdcsc.EXE	31
PID 2168 wrote to memory of 2884	2168	msdcsc.EXE	31
PID 2168 wrote to memory of 2884	2168	msdcsc.EXE	31
PID 2168 wrote to memory of 2884	2168	msdcsc.EXE	31
PID 2168 wrote to memory of 2884	2168	msdcsc.EXE	31
PID 2168 wrote to memory of 2884	2168	msdcsc.EXE	31
PID 2168 wrote to memory of 2884	2168	msdcsc.EXE	31
PID 2168 wrote to memory of 2884	2168	msdcsc.EXE	31
PID 2168 wrote to memory of 2884	2168	msdcsc.EXE	31
PID 2168 wrote to memory of 2884	2168	msdcsc.EXE	31
PID 2168 wrote to memory of 2884	2168	msdcsc.EXE	31
PID 2168 wrote to memory of 2884	2168	msdcsc.EXE	31
PID 2168 wrote to memory of 2884	2168	msdcsc.EXE	31
PID 2168 wrote to memory of 2884	2168	msdcsc.EXE	31

C:\Users\Admin\AppData\Local\Temp\ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Users\Admin\AppData\Local\Temp\ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.EXE
  "C:\Users\Admin\AppData\Local\Temp\ffaeeee9071cef34ec7e83431860733e_JaffaCakes118.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
    "C:\Windows\system32\MSDCSC\msdcsc.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\SysWOW64\MSDCSC\msdcsc.EXE
      "C:\Windows\SysWOW64\MSDCSC\msdcsc.EXE"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2168
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        
        PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\MSDCSC\msdcsc.exe

Filesize
401KB

MD5
ffaeeee9071cef34ec7e83431860733e

SHA1
d053f64e9d0630adcb9a9df1c4de3c3da2ffcfe3

SHA256
0b366adfcdfb5f69dce19a4083115cfd946dd951ee3ca0c9ca04d6a5d3d78b64

SHA512
891d4d3212500453e4c42098debe5e5bfe019924b93c45801661dce933fd749b8e77c02c67c5d998f279bf30cc84267b927a321a4bca7268d246f274ea506e12

Download Submit
memory/2168-75-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2168-78-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2168-77-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2168-76-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2168-40-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2168-44-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2168-43-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2168-42-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2168-80-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2168-41-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2884-74-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2884-45-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2956-11-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2956-28-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2956-15-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2956-13-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2956-14-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2956-12-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2956-2-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2956-5-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2956-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2956-10-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2956-9-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2956-4-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download