Analysis Overview
SHA256
542892dc639bb13bbc6ffb0e7cb10cdecab1c33ac01ee79633496301b1f7e2cc
Threat Level: Known bad
The file 5d0f26def1e96977eeb1afd1e8d81ced_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Darkcomet
Darkcomet family
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-20 03:56
Signatures
Darkcomet family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-20 03:56
Reported
2024-05-20 03:58
Platform
win7-20240221-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Processes
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\DarkComet_jz5u.com\Celesty Binder\最火软件站.url"
Network
Files
memory/2352-0-0x0000000001D80000-0x0000000001D81000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-20 03:56
Reported
2024-05-20 03:58
Platform
win10v2004-20240426-en
Max time kernel
141s
Max time network
138s
Command Line
Signatures
Darkcomet
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet_jz5u.com\DarkComet汉化.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet_jz5u.com\DarkComet汉化.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet_jz5u.com\DarkComet汉化.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet_jz5u.com\DarkComet汉化.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet_jz5u.com\DarkComet汉化.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet_jz5u.com\DarkComet汉化.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet_jz5u.com\DarkComet汉化.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet_jz5u.com\DarkComet汉化.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\DarkComet_jz5u.com\DarkComet汉化.exe
"C:\Users\Admin\AppData\Local\Temp\DarkComet_jz5u.com\DarkComet汉化.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.187:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
memory/4992-0-0x0000000002D40000-0x0000000002D41000-memory.dmp
memory/4992-1-0x0000000005B40000-0x0000000005B41000-memory.dmp
memory/4992-2-0x00000000065D0000-0x00000000065D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DarkComet_jz5u.com\config.ini
| MD5 | 3ba645b7459d0766c92f4a2e3236ebef |
| SHA1 | 7a34107e841a61fff7f104758289cb8b6822a771 |
| SHA256 | a8a243827e142e12507ddf325f88855b193dac1bebb6f77e07c9bcdf45fac762 |
| SHA512 | 1cdedd08189be4bc64b2250660bc1a395fb7c74055a04e2a4e16aca27f96b348dedfd9d3177bbb2d44186b5ed5558d2e8417a007bd1009a076508c85211110a1 |
memory/4992-40-0x0000000000400000-0x0000000000F66000-memory.dmp
memory/4992-42-0x0000000002D40000-0x0000000002D41000-memory.dmp
memory/4992-43-0x0000000005B40000-0x0000000005B41000-memory.dmp
memory/4992-44-0x00000000065D0000-0x00000000065D1000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-20 03:56
Reported
2024-05-20 03:58
Platform
win7-20240221-en
Max time kernel
122s
Max time network
129s
Command Line
Signatures
Processes
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\DarkComet_jz5u.com\JZ5U绿色下载站.url
Network
Files
memory/2612-0-0x0000000000430000-0x0000000000431000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-20 03:56
Reported
2024-05-20 03:58
Platform
win7-20231129-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Processes
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\DarkComet_jz5u.com\使用必读.url
Network
Files
memory/2216-0-0x00000000003A0000-0x00000000003A1000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-20 03:56
Reported
2024-05-20 03:58
Platform
win10v2004-20240508-en
Max time kernel
139s
Max time network
102s
Command Line
Signatures
Processes
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\DarkComet_jz5u.com\使用必读.url
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| BE | 88.221.83.187:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-20 03:56
Reported
2024-05-20 03:58
Platform
win10v2004-20240508-en
Max time kernel
93s
Max time network
95s
Command Line
Signatures
Processes
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\DarkComet_jz5u.com\Celesty Binder\最火软件站.url"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-20 03:56
Reported
2024-05-20 03:58
Platform
win7-20240221-en
Max time kernel
140s
Max time network
121s
Command Line
Signatures
Darkcomet
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet_jz5u.com\DarkComet汉化.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet_jz5u.com\DarkComet汉化.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet_jz5u.com\DarkComet汉化.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet_jz5u.com\DarkComet汉化.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet_jz5u.com\DarkComet汉化.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet_jz5u.com\DarkComet汉化.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet_jz5u.com\DarkComet汉化.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DarkComet_jz5u.com\DarkComet汉化.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\DarkComet_jz5u.com\DarkComet汉化.exe
"C:\Users\Admin\AppData\Local\Temp\DarkComet_jz5u.com\DarkComet汉化.exe"
Network
Files
memory/2836-0-0x0000000000260000-0x0000000000261000-memory.dmp
memory/2836-1-0x00000000049F0000-0x00000000049F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DarkComet_jz5u.com\config.ini
| MD5 | 3ba645b7459d0766c92f4a2e3236ebef |
| SHA1 | 7a34107e841a61fff7f104758289cb8b6822a771 |
| SHA256 | a8a243827e142e12507ddf325f88855b193dac1bebb6f77e07c9bcdf45fac762 |
| SHA512 | 1cdedd08189be4bc64b2250660bc1a395fb7c74055a04e2a4e16aca27f96b348dedfd9d3177bbb2d44186b5ed5558d2e8417a007bd1009a076508c85211110a1 |
memory/2836-39-0x0000000000260000-0x0000000000261000-memory.dmp
memory/2836-40-0x00000000049F0000-0x00000000049F1000-memory.dmp
memory/2836-41-0x0000000000400000-0x0000000000F66000-memory.dmp
memory/2836-42-0x0000000000400000-0x0000000000F66000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-20 03:56
Reported
2024-05-20 03:58
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Processes
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\DarkComet_jz5u.com\JZ5U绿色下载站.url
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| BE | 88.221.83.187:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| BE | 88.221.83.187:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-20 03:56
Reported
2024-05-20 03:58
Platform
win7-20240508-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\DarkComet_jz5u.com\sqlite3.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\DarkComet_jz5u.com\sqlite3.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 220
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-20 03:56
Reported
2024-05-20 03:58
Platform
win10v2004-20240508-en
Max time kernel
140s
Max time network
132s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3704 wrote to memory of 2432 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3704 wrote to memory of 2432 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3704 wrote to memory of 2432 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\DarkComet_jz5u.com\sqlite3.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\DarkComet_jz5u.com\sqlite3.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2432 -ip 2432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 600
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4292,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=1280 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| BE | 88.221.83.187:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 67.112.168.52.in-addr.arpa | udp |