darkcomet | c177580c83b028f90e30f1cf1bfb99ff3d6a250d0b8fe007464363eb0ed922b1

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29-05-2024 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8098b7be7136d88021b5f4df28e1de54_JaffaCakes118.exe
Size

4.2MB
MD5

8098b7be7136d88021b5f4df28e1de54
SHA1

2696649d6ace83daf71b3a130dd557831c3ec2f8
SHA256

c177580c83b028f90e30f1cf1bfb99ff3d6a250d0b8fe007464363eb0ed922b1
SHA512

4a0b675b71f787d27efe6942c23c694e07e874797b93f37322117a83510695b87fb503ceee91c7cb04229fefefcfea73c945d0aa4e3f7c01d0f882794facf9ab
SSDEEP

98304:bd1URGq6q96vM5GofcmjtLhbHPSyb+qSCPrcYxXMdmvkv1:bPURGqxWofcStLh2yllzp4+O1

Score

10^/10

darkcomet guest16 persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

apezdl.ddns.net:1604

134.249.155.93:1604

Mutex

DC_MUTEX-S6FES0G

Attributes

InstallPath
MSDCSC\syst�m.exe
gencode
QgVopMeDi7ws
install
true
offline_keylogger
true
persistence
false
reg_key
syst�m

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\syståm.exe"	Checker.exe

Nirsoft 1 IoCs

resource	yara_rule
behavioral1/memory/2868-103-0x00000000074A0000-0x0000000007852000-memory.dmp	Nirsoft

Executes dropped EXE 4 IoCs

pid	Process
2704	Checkers.exe
2868	RustCheatCheck.exe
2460	Checker.exe
2852	syståm.exe

Loads dropped DLL 13 IoCs

pid	Process
2612	cmd.exe
2704	Checkers.exe
2704	Checkers.exe
2704	Checkers.exe
2704	Checkers.exe
2704	Checkers.exe
2704	Checkers.exe
2704	Checkers.exe
2704	Checkers.exe
2704	Checkers.exe
2460	Checker.exe
2460	Checker.exe
2868	RustCheatCheck.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0010000000015a2d-39.dat	upx
behavioral1/memory/2704-41-0x00000000033B0000-0x0000000003467000-memory.dmp	upx
behavioral1/memory/2460-57-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2852-100-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2460-102-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2852-111-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2852-113-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2852-115-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2852-118-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2852-120-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2852-123-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\syståm = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\syståm.exe"	Checker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	RustCheatCheck.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	RustCheatCheck.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2460	Checker.exe
Token: SeSecurityPrivilege	2460	Checker.exe
Token: SeTakeOwnershipPrivilege	2460	Checker.exe
Token: SeLoadDriverPrivilege	2460	Checker.exe
Token: SeSystemProfilePrivilege	2460	Checker.exe
Token: SeSystemtimePrivilege	2460	Checker.exe
Token: SeProfSingleProcessPrivilege	2460	Checker.exe
Token: SeIncBasePriorityPrivilege	2460	Checker.exe
Token: SeCreatePagefilePrivilege	2460	Checker.exe
Token: SeBackupPrivilege	2460	Checker.exe
Token: SeRestorePrivilege	2460	Checker.exe
Token: SeShutdownPrivilege	2460	Checker.exe
Token: SeDebugPrivilege	2460	Checker.exe
Token: SeSystemEnvironmentPrivilege	2460	Checker.exe
Token: SeChangeNotifyPrivilege	2460	Checker.exe
Token: SeRemoteShutdownPrivilege	2460	Checker.exe
Token: SeUndockPrivilege	2460	Checker.exe
Token: SeManageVolumePrivilege	2460	Checker.exe
Token: SeImpersonatePrivilege	2460	Checker.exe
Token: SeCreateGlobalPrivilege	2460	Checker.exe
Token: 33	2460	Checker.exe
Token: 34	2460	Checker.exe
Token: 35	2460	Checker.exe
Token: SeIncreaseQuotaPrivilege	2852	syståm.exe
Token: SeSecurityPrivilege	2852	syståm.exe
Token: SeTakeOwnershipPrivilege	2852	syståm.exe
Token: SeLoadDriverPrivilege	2852	syståm.exe
Token: SeSystemProfilePrivilege	2852	syståm.exe
Token: SeSystemtimePrivilege	2852	syståm.exe
Token: SeProfSingleProcessPrivilege	2852	syståm.exe
Token: SeIncBasePriorityPrivilege	2852	syståm.exe
Token: SeCreatePagefilePrivilege	2852	syståm.exe
Token: SeBackupPrivilege	2852	syståm.exe
Token: SeRestorePrivilege	2852	syståm.exe
Token: SeShutdownPrivilege	2852	syståm.exe
Token: SeDebugPrivilege	2852	syståm.exe
Token: SeSystemEnvironmentPrivilege	2852	syståm.exe
Token: SeChangeNotifyPrivilege	2852	syståm.exe
Token: SeRemoteShutdownPrivilege	2852	syståm.exe
Token: SeUndockPrivilege	2852	syståm.exe
Token: SeManageVolumePrivilege	2852	syståm.exe
Token: SeImpersonatePrivilege	2852	syståm.exe
Token: SeCreateGlobalPrivilege	2852	syståm.exe
Token: 33	2852	syståm.exe
Token: 34	2852	syståm.exe
Token: 35	2852	syståm.exe
Token: SeDebugPrivilege	2868	RustCheatCheck.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2852	syståm.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 2612	3036	8098b7be7136d88021b5f4df28e1de54_JaffaCakes118.exe	28
PID 3036 wrote to memory of 2612	3036	8098b7be7136d88021b5f4df28e1de54_JaffaCakes118.exe	28
PID 3036 wrote to memory of 2612	3036	8098b7be7136d88021b5f4df28e1de54_JaffaCakes118.exe	28
PID 3036 wrote to memory of 2612	3036	8098b7be7136d88021b5f4df28e1de54_JaffaCakes118.exe	28
PID 2612 wrote to memory of 2704	2612	cmd.exe	30
PID 2612 wrote to memory of 2704	2612	cmd.exe	30
PID 2612 wrote to memory of 2704	2612	cmd.exe	30
PID 2612 wrote to memory of 2704	2612	cmd.exe	30
PID 2704 wrote to memory of 2868	2704	Checkers.exe	31
PID 2704 wrote to memory of 2868	2704	Checkers.exe	31
PID 2704 wrote to memory of 2868	2704	Checkers.exe	31
PID 2704 wrote to memory of 2868	2704	Checkers.exe	31
PID 2704 wrote to memory of 2460	2704	Checkers.exe	32
PID 2704 wrote to memory of 2460	2704	Checkers.exe	32
PID 2704 wrote to memory of 2460	2704	Checkers.exe	32
PID 2704 wrote to memory of 2460	2704	Checkers.exe	32
PID 2460 wrote to memory of 676	2460	Checker.exe	33
PID 2460 wrote to memory of 676	2460	Checker.exe	33
PID 2460 wrote to memory of 676	2460	Checker.exe	33
PID 2460 wrote to memory of 676	2460	Checker.exe	33
PID 2460 wrote to memory of 676	2460	Checker.exe	33
PID 2460 wrote to memory of 676	2460	Checker.exe	33
PID 2460 wrote to memory of 676	2460	Checker.exe	33
PID 2460 wrote to memory of 676	2460	Checker.exe	33
PID 2460 wrote to memory of 676	2460	Checker.exe	33
PID 2460 wrote to memory of 676	2460	Checker.exe	33
PID 2460 wrote to memory of 676	2460	Checker.exe	33
PID 2460 wrote to memory of 676	2460	Checker.exe	33
PID 2460 wrote to memory of 676	2460	Checker.exe	33
PID 2460 wrote to memory of 676	2460	Checker.exe	33
PID 2460 wrote to memory of 676	2460	Checker.exe	33
PID 2460 wrote to memory of 676	2460	Checker.exe	33
PID 2460 wrote to memory of 676	2460	Checker.exe	33
PID 2460 wrote to memory of 676	2460	Checker.exe	33
PID 2460 wrote to memory of 2852	2460	Checker.exe	34
PID 2460 wrote to memory of 2852	2460	Checker.exe	34
PID 2460 wrote to memory of 2852	2460	Checker.exe	34
PID 2460 wrote to memory of 2852	2460	Checker.exe	34

C:\Users\Admin\AppData\Local\Temp\8098b7be7136d88021b5f4df28e1de54_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8098b7be7136d88021b5f4df28e1de54_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\start.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Users\Admin\AppData\Local\Temp\Checkers.exe
    Checkers.exe -p2304 -dC:\Users\Admin\AppData\Local\Temp
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Users\Admin\AppData\Local\Temp\RustCheatCheck.exe
      "C:\Users\Admin\AppData\Local\Temp\RustCheatCheck.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      PID:2868
  - - C:\Users\Admin\AppData\Local\Temp\Checker.exe
      "C:\Users\Admin\AppData\Local\Temp\Checker.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2460
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        
        PID:676
    - - C:\Users\Admin\AppData\Roaming\MSDCSC\syståm.exe
        
        "C:\Users\Admin\AppData\Roaming\MSDCSC\syståm.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Checkers.exe

Filesize
3.9MB

MD5
1aec3664575f8944613fbc39e633a9e0

SHA1
8b715ca3a55496be301ea096ef251e1972fc7d47

SHA256
1979d69ff23bb3b09e25387868b5602dcfc4249c15a07c78268eef499792f8d3

SHA512
8a4c1eed719d90aff448beea4415bbea2975d3e12a57d0aed5aa0adacfe399da25f92cd7a4440ad1f5247f4f4bd8be6eb82feb40bdec41f2540c3d44b98f237e

Download Submit
C:\Users\Admin\AppData\Local\Temp\start.bat

Filesize
28B

MD5
eec0d5da8eee9cfb291191b5ab61e6cb

SHA1
e97f0a32ac9a9c328c0f9ac0a673e7c66da73f30

SHA256
6df4b6763b250da0898e71e12e718ea1c528c4e0a0c253392736b8e2f294ba89

SHA512
49f8dc4e4a43080898882c6c2e981e236e67e7987cde899b1aa5e3c85054687add8c11587ea80542f6cc3910f1c6d10ccfb70c578b23545032ed73ed5d022031

Download Submit
\Users\Admin\AppData\Local\Temp\Checker.exe

Filesize
251KB

MD5
13af63254be96f53efbb21bb2336994f

SHA1
16a7eea855ad7f0d5745f5dc31292838f99e1a86

SHA256
eadf57d5dfb32e8d6ba6d4635dbb2672935ba9828c928fe16d4241e07b7bdfe7

SHA512
cc120106ba6aabffd60f53ca441c93152960ad4ec0d0dbb57a8653fecf4daca1790188c5dfa12b0dbd6f57a2c7a493f470b4f0725622fd7bdb5b4dfcb256f933

Download Submit
\Users\Admin\AppData\Local\Temp\RustCheatCheck.exe

Filesize
7.2MB

MD5
3536e9a81789fdc058afc0b872f01718

SHA1
59dfd736bf3b0f2fd817d0fc20cb2538c74ed63a

SHA256
d3c8edf1f32e848e196ed406c999661c6ab2be42665c727567a66590a6bcd116

SHA512
084115da8b0777b13914bb73cf3b5e4f054cdae65c586cecd9c28a92dcb1b20ef48f4c0dbe771389c191f167b09b0463ae1f0032a3a29285472df4f23d0b57f9

Download Submit
\Users\Admin\AppData\Local\Temp\steam_api.dll

Filesize
219KB

MD5
fe8e00c889a156836d57919ca23cde50

SHA1
7aba06d474175bd0d7f672e101b0a05104580bb1

SHA256
af17df745250d1814eaa274fff7b0faeb43381e6762e026267e5859778477abd

SHA512
bdd89b54381da6faf50c9e18d9941f68b8d300d952bea84bd785ca00d617eef6dbdf7d9589adfb14e1dcbe6d836bb2d7785ccc9529e781a64f3125bfc4ce091c

Download Submit
memory/676-89-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/676-61-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2460-102-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2460-57-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2460-99-0x0000000003950000-0x0000000003A07000-memory.dmp

Filesize
732KB

Download
memory/2704-41-0x00000000033B0000-0x0000000003467000-memory.dmp

Filesize
732KB

Download
memory/2704-55-0x00000000033B0000-0x0000000003467000-memory.dmp

Filesize
732KB

Download
memory/2852-100-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2852-111-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2852-113-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2852-115-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2852-118-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2852-120-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2852-123-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2868-103-0x00000000074A0000-0x0000000007852000-memory.dmp

Filesize
3.7MB

Download
memory/2868-90-0x00000000010E0000-0x000000000181C000-memory.dmp

Filesize
7.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads