darkcomet | c177580c83b028f90e30f1cf1bfb99ff3d6a250d0b8fe007464363eb0ed922b1

Analysis

max time kernel
143s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8098b7be7136d88021b5f4df28e1de54_JaffaCakes118.exe
Size

4.2MB
MD5

8098b7be7136d88021b5f4df28e1de54
SHA1

2696649d6ace83daf71b3a130dd557831c3ec2f8
SHA256

c177580c83b028f90e30f1cf1bfb99ff3d6a250d0b8fe007464363eb0ed922b1
SHA512

4a0b675b71f787d27efe6942c23c694e07e874797b93f37322117a83510695b87fb503ceee91c7cb04229fefefcfea73c945d0aa4e3f7c01d0f882794facf9ab
SSDEEP

98304:bd1URGq6q96vM5GofcmjtLhbHPSyb+qSCPrcYxXMdmvkv1:bPURGqxWofcStLh2yllzp4+O1

Score

10^/10

darkcomet guest16 persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

apezdl.ddns.net:1604

134.249.155.93:1604

Mutex

DC_MUTEX-S6FES0G

Attributes

InstallPath
MSDCSC\syst�m.exe
gencode
QgVopMeDi7ws
install
true
offline_keylogger
true
persistence
false
reg_key
syst�m

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\syståm.exe"	Checker.exe

Nirsoft 1 IoCs

resource	yara_rule
behavioral2/memory/4752-97-0x0000000007C30000-0x0000000007FE2000-memory.dmp	Nirsoft

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	8098b7be7136d88021b5f4df28e1de54_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Checkers.exe

Executes dropped EXE 4 IoCs

pid	Process
232	Checkers.exe
4752	RustCheatCheck.exe
4540	Checker.exe
4816	syståm.exe

Loads dropped DLL 1 IoCs

pid	Process
4752	RustCheatCheck.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023261-25.dat	upx
behavioral2/memory/4540-33-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4540-99-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4816-111-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4816-113-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4816-114-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4816-116-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4816-118-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4816-120-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4816-122-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4816-124-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\syståm = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\syståm.exe"	Checker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Checker.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4540	Checker.exe
Token: SeSecurityPrivilege	4540	Checker.exe
Token: SeTakeOwnershipPrivilege	4540	Checker.exe
Token: SeLoadDriverPrivilege	4540	Checker.exe
Token: SeSystemProfilePrivilege	4540	Checker.exe
Token: SeSystemtimePrivilege	4540	Checker.exe
Token: SeProfSingleProcessPrivilege	4540	Checker.exe
Token: SeIncBasePriorityPrivilege	4540	Checker.exe
Token: SeCreatePagefilePrivilege	4540	Checker.exe
Token: SeBackupPrivilege	4540	Checker.exe
Token: SeRestorePrivilege	4540	Checker.exe
Token: SeShutdownPrivilege	4540	Checker.exe
Token: SeDebugPrivilege	4540	Checker.exe
Token: SeSystemEnvironmentPrivilege	4540	Checker.exe
Token: SeChangeNotifyPrivilege	4540	Checker.exe
Token: SeRemoteShutdownPrivilege	4540	Checker.exe
Token: SeUndockPrivilege	4540	Checker.exe
Token: SeManageVolumePrivilege	4540	Checker.exe
Token: SeImpersonatePrivilege	4540	Checker.exe
Token: SeCreateGlobalPrivilege	4540	Checker.exe
Token: 33	4540	Checker.exe
Token: 34	4540	Checker.exe
Token: 35	4540	Checker.exe
Token: 36	4540	Checker.exe
Token: SeIncreaseQuotaPrivilege	4816	syståm.exe
Token: SeSecurityPrivilege	4816	syståm.exe
Token: SeTakeOwnershipPrivilege	4816	syståm.exe
Token: SeLoadDriverPrivilege	4816	syståm.exe
Token: SeSystemProfilePrivilege	4816	syståm.exe
Token: SeSystemtimePrivilege	4816	syståm.exe
Token: SeProfSingleProcessPrivilege	4816	syståm.exe
Token: SeIncBasePriorityPrivilege	4816	syståm.exe
Token: SeCreatePagefilePrivilege	4816	syståm.exe
Token: SeBackupPrivilege	4816	syståm.exe
Token: SeRestorePrivilege	4816	syståm.exe
Token: SeShutdownPrivilege	4816	syståm.exe
Token: SeDebugPrivilege	4816	syståm.exe
Token: SeSystemEnvironmentPrivilege	4816	syståm.exe
Token: SeChangeNotifyPrivilege	4816	syståm.exe
Token: SeRemoteShutdownPrivilege	4816	syståm.exe
Token: SeUndockPrivilege	4816	syståm.exe
Token: SeManageVolumePrivilege	4816	syståm.exe
Token: SeImpersonatePrivilege	4816	syståm.exe
Token: SeCreateGlobalPrivilege	4816	syståm.exe
Token: 33	4816	syståm.exe
Token: 34	4816	syståm.exe
Token: 35	4816	syståm.exe
Token: 36	4816	syståm.exe
Token: SeDebugPrivilege	4752	RustCheatCheck.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4816	syståm.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 3248 wrote to memory of 1820	3248	8098b7be7136d88021b5f4df28e1de54_JaffaCakes118.exe	91
PID 3248 wrote to memory of 1820	3248	8098b7be7136d88021b5f4df28e1de54_JaffaCakes118.exe	91
PID 3248 wrote to memory of 1820	3248	8098b7be7136d88021b5f4df28e1de54_JaffaCakes118.exe	91
PID 1820 wrote to memory of 232	1820	cmd.exe	94
PID 1820 wrote to memory of 232	1820	cmd.exe	94
PID 1820 wrote to memory of 232	1820	cmd.exe	94
PID 232 wrote to memory of 4752	232	Checkers.exe	95
PID 232 wrote to memory of 4752	232	Checkers.exe	95
PID 232 wrote to memory of 4752	232	Checkers.exe	95
PID 232 wrote to memory of 4540	232	Checkers.exe	96
PID 232 wrote to memory of 4540	232	Checkers.exe	96
PID 232 wrote to memory of 4540	232	Checkers.exe	96
PID 4540 wrote to memory of 748	4540	Checker.exe	97
PID 4540 wrote to memory of 748	4540	Checker.exe	97
PID 4540 wrote to memory of 748	4540	Checker.exe	97
PID 4540 wrote to memory of 748	4540	Checker.exe	97
PID 4540 wrote to memory of 748	4540	Checker.exe	97
PID 4540 wrote to memory of 748	4540	Checker.exe	97
PID 4540 wrote to memory of 748	4540	Checker.exe	97
PID 4540 wrote to memory of 748	4540	Checker.exe	97
PID 4540 wrote to memory of 748	4540	Checker.exe	97
PID 4540 wrote to memory of 748	4540	Checker.exe	97
PID 4540 wrote to memory of 748	4540	Checker.exe	97
PID 4540 wrote to memory of 748	4540	Checker.exe	97
PID 4540 wrote to memory of 748	4540	Checker.exe	97
PID 4540 wrote to memory of 748	4540	Checker.exe	97
PID 4540 wrote to memory of 748	4540	Checker.exe	97
PID 4540 wrote to memory of 748	4540	Checker.exe	97
PID 4540 wrote to memory of 748	4540	Checker.exe	97
PID 4540 wrote to memory of 4816	4540	Checker.exe	98
PID 4540 wrote to memory of 4816	4540	Checker.exe	98
PID 4540 wrote to memory of 4816	4540	Checker.exe	98

C:\Users\Admin\AppData\Local\Temp\8098b7be7136d88021b5f4df28e1de54_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8098b7be7136d88021b5f4df28e1de54_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3248
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\start.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\Users\Admin\AppData\Local\Temp\Checkers.exe
    Checkers.exe -p2304 -dC:\Users\Admin\AppData\Local\Temp
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:232
  - - C:\Users\Admin\AppData\Local\Temp\RustCheatCheck.exe
      "C:\Users\Admin\AppData\Local\Temp\RustCheatCheck.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:4752
  - - C:\Users\Admin\AppData\Local\Temp\Checker.exe
      "C:\Users\Admin\AppData\Local\Temp\Checker.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4540
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        
        PID:748
    - - C:\Users\Admin\AppData\Roaming\MSDCSC\syståm.exe
        
        "C:\Users\Admin\AppData\Roaming\MSDCSC\syståm.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
1⤵
PID:432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Checker.exe

Filesize
251KB

MD5
13af63254be96f53efbb21bb2336994f

SHA1
16a7eea855ad7f0d5745f5dc31292838f99e1a86

SHA256
eadf57d5dfb32e8d6ba6d4635dbb2672935ba9828c928fe16d4241e07b7bdfe7

SHA512
cc120106ba6aabffd60f53ca441c93152960ad4ec0d0dbb57a8653fecf4daca1790188c5dfa12b0dbd6f57a2c7a493f470b4f0725622fd7bdb5b4dfcb256f933

Download Submit
C:\Users\Admin\AppData\Local\Temp\Checkers.exe

Filesize
3.9MB

MD5
1aec3664575f8944613fbc39e633a9e0

SHA1
8b715ca3a55496be301ea096ef251e1972fc7d47

SHA256
1979d69ff23bb3b09e25387868b5602dcfc4249c15a07c78268eef499792f8d3

SHA512
8a4c1eed719d90aff448beea4415bbea2975d3e12a57d0aed5aa0adacfe399da25f92cd7a4440ad1f5247f4f4bd8be6eb82feb40bdec41f2540c3d44b98f237e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RustCheatCheck.exe

Filesize
7.2MB

MD5
3536e9a81789fdc058afc0b872f01718

SHA1
59dfd736bf3b0f2fd817d0fc20cb2538c74ed63a

SHA256
d3c8edf1f32e848e196ed406c999661c6ab2be42665c727567a66590a6bcd116

SHA512
084115da8b0777b13914bb73cf3b5e4f054cdae65c586cecd9c28a92dcb1b20ef48f4c0dbe771389c191f167b09b0463ae1f0032a3a29285472df4f23d0b57f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\start.bat

Filesize
28B

MD5
eec0d5da8eee9cfb291191b5ab61e6cb

SHA1
e97f0a32ac9a9c328c0f9ac0a673e7c66da73f30

SHA256
6df4b6763b250da0898e71e12e718ea1c528c4e0a0c253392736b8e2f294ba89

SHA512
49f8dc4e4a43080898882c6c2e981e236e67e7987cde899b1aa5e3c85054687add8c11587ea80542f6cc3910f1c6d10ccfb70c578b23545032ed73ed5d022031

Download Submit
C:\Users\Admin\AppData\Local\Temp\steam_api.dll

Filesize
219KB

MD5
fe8e00c889a156836d57919ca23cde50

SHA1
7aba06d474175bd0d7f672e101b0a05104580bb1

SHA256
af17df745250d1814eaa274fff7b0faeb43381e6762e026267e5859778477abd

SHA512
bdd89b54381da6faf50c9e18d9941f68b8d300d952bea84bd785ca00d617eef6dbdf7d9589adfb14e1dcbe6d836bb2d7785ccc9529e781a64f3125bfc4ce091c

Download Submit
memory/748-37-0x00000000012E0000-0x00000000012E1000-memory.dmp

Filesize
4KB

Download
memory/4540-99-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4540-33-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4752-102-0x000000000B080000-0x000000000B112000-memory.dmp

Filesize
584KB

Download
memory/4752-101-0x000000000B590000-0x000000000BB34000-memory.dmp

Filesize
5.6MB

Download
memory/4752-97-0x0000000007C30000-0x0000000007FE2000-memory.dmp

Filesize
3.7MB

Download
memory/4752-103-0x000000000AFF0000-0x000000000AFFA000-memory.dmp

Filesize
40KB

Download
memory/4752-86-0x0000000000680000-0x0000000000DBC000-memory.dmp

Filesize
7.2MB

Download
memory/4816-111-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4816-113-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4816-114-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4816-116-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4816-118-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4816-120-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4816-122-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4816-124-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads