Malware Analysis Report

2024-08-06 18:57

Sample ID 240620-dg1mlazbnn
Target 023cf4c511af8ae12a26b53296980582_JaffaCakes118
SHA256 ccba7d679ceef6c80500e953871430da4f88d4c08a756ebbeae5fb8d2e3e09a0
Tags
darkcomet slave persistence rat trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ccba7d679ceef6c80500e953871430da4f88d4c08a756ebbeae5fb8d2e3e09a0

Threat Level: Known bad

The file 023cf4c511af8ae12a26b53296980582_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

darkcomet slave persistence rat trojan upx

Darkcomet

Uses the VBS compiler for execution

UPX packed file

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

NTFS ADS

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scripting
T1064
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Defense Evasion
TA0005
Scripting
T1064
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-20 02:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 02:59

Reported

2024-06-20 03:02

Platform

win7-20240611-en

Max time kernel

141s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe"

Signatures

Darkcomet

trojan rat darkcomet

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmpnetk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmpnet32.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2180 set thread context of 2724 N/A C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2180 set thread context of 2660 N/A C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_Classes\Local Settings C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\.rmskin C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\.rmskin\ = "rmskin_auto_file" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\rmskin_auto_file\shell\Read C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\rmskin_auto_file\shell C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\rmskin_auto_file\shell\Read\command C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\rmskin_auto_file C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\rmskin_auto_file\ C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\rmskin_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\SysWOW64\rundll32.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Temp\svchost.exe:ZONE.identifier C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: 34 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: 35 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2180 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2180 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2180 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2180 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2180 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2180 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2180 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2180 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2180 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2180 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe C:\Windows\SysWOW64\rundll32.exe
PID 2180 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe C:\Windows\SysWOW64\rundll32.exe
PID 2180 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe C:\Windows\SysWOW64\rundll32.exe
PID 2180 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe C:\Windows\SysWOW64\rundll32.exe
PID 2180 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe C:\Windows\SysWOW64\rundll32.exe
PID 2180 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe C:\Windows\SysWOW64\rundll32.exe
PID 2180 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe C:\Windows\SysWOW64\rundll32.exe
PID 2180 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2180 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2180 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2180 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2180 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2180 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2180 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2180 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2692 wrote to memory of 3052 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
PID 2692 wrote to memory of 3052 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
PID 2692 wrote to memory of 3052 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
PID 2692 wrote to memory of 3052 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe

"C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\black_beauty_by_mic831-d4thkf0.rmskin

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\black_beauty_by_mic831-d4thkf0.rmskin"

Network

Country Destination Domain Proto
US 8.8.8.8:53 haaadukit.no-ip.biz udp
SG 78.159.141.204:3365 haaadukit.no-ip.biz tcp
SG 78.159.141.204:3365 haaadukit.no-ip.biz tcp
SG 78.159.141.204:3365 haaadukit.no-ip.biz tcp
US 8.8.8.8:53 haaadukit.no-ip.biz udp
SG 78.159.141.204:3365 haaadukit.no-ip.biz tcp
SG 78.159.141.204:3365 haaadukit.no-ip.biz tcp
SG 78.159.141.204:3365 haaadukit.no-ip.biz tcp
US 8.8.8.8:53 haaadukit.no-ip.biz udp
SG 78.159.141.204:3365 haaadukit.no-ip.biz tcp

Files

memory/2180-0-0x0000000074B61000-0x0000000074B62000-memory.dmp

memory/2180-1-0x0000000074B60000-0x000000007510B000-memory.dmp

memory/2180-2-0x0000000074B60000-0x000000007510B000-memory.dmp

memory/2724-7-0x0000000000400000-0x0000000000405000-memory.dmp

memory/2724-11-0x0000000000400000-0x0000000000405000-memory.dmp

memory/2724-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2724-6-0x0000000000400000-0x0000000000405000-memory.dmp

memory/2724-4-0x0000000000400000-0x0000000000405000-memory.dmp

memory/2724-13-0x0000000000400000-0x0000000000405000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fp.txt

MD5 d1d57811ea8479eb76ba617b25c1bf91
SHA1 979ac8b7365725a96ebcee80a2a2ae2622c7afa9
SHA256 d84715b33fdd79464ea60a82cffcc86eccbbd55ed42b948894d13df0e14316cd
SHA512 a08401d6443a144c1016676706961b5a62f5ca5a6f82f257ec8bee49a007f28de9532a311309b46b7d8355b000e92018d7d84c36018481aa6471522912803db0

memory/2724-19-0x0000000000400000-0x0000000000405000-memory.dmp

memory/2660-22-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/2660-30-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/2660-29-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/2660-31-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/2660-26-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/2660-24-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/2660-32-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/2180-33-0x0000000074B60000-0x000000007510B000-memory.dmp

memory/2660-35-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/2660-36-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/2660-34-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/2660-38-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/2660-37-0x0000000000400000-0x00000000004BB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\black_beauty_by_mic831-d4thkf0.rmskin

MD5 a1f4029acd9802c948cc770c24d488b6
SHA1 8907f81f4d5226c860ec47e0067e1606f35d484a
SHA256 b60d4947c4dafc66f0c6ab83b7ea9594dc03508151b07508527612c5f0b5c3c1
SHA512 2e449338913968cfebc85a2b92f812e18f894bb7c042f03a7f463a20bcf2f857017a82b689c0615adaa912c1b798e3f3e014728a7638320901999e49b170aac0

memory/2660-40-0x0000000000400000-0x00000000004BB000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 2eb76e8477f28331a3fb1010167385cb
SHA1 cfa0f15e04850a9cf91aebc999cc60e8dc2e7d46
SHA256 839d39a39e1841bfa0edd76d192d48f0c788d109a5b881f4de921ebcab7d7a12
SHA512 3f7fe881fc4b4c1230bd8758289a96409bf4bb8343ae4a1709c2422706e195957bbda21c7d94bc45c927afe92299e0cbde14ae248f3a5c289dde9416bb46b111

memory/2660-59-0x0000000000400000-0x00000000004BB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 02:59

Reported

2024-06-20 03:02

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe"

Signatures

Darkcomet

trojan rat darkcomet

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmpnetk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmpnet32.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4068 set thread context of 4136 N/A C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4068 set thread context of 1124 N/A C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Temp\svchost.exe:ZONE.identifier C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: 34 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: 35 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: 36 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4068 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4068 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4068 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4068 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4068 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4068 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4068 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4068 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4068 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe C:\Windows\SysWOW64\cmd.exe
PID 4068 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe C:\Windows\SysWOW64\cmd.exe
PID 4068 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe C:\Windows\SysWOW64\cmd.exe
PID 4068 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4068 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4068 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4068 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4068 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4068 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4068 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4068 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe

"C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 haaadukit.no-ip.biz udp
SG 78.159.141.204:3365 haaadukit.no-ip.biz tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
SG 78.159.141.204:3365 haaadukit.no-ip.biz tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
SG 78.159.141.204:3365 haaadukit.no-ip.biz tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 haaadukit.no-ip.biz udp
SG 78.159.141.204:3365 haaadukit.no-ip.biz tcp
SG 78.159.141.204:3365 haaadukit.no-ip.biz tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
SG 78.159.141.204:3365 haaadukit.no-ip.biz tcp
US 8.8.8.8:53 haaadukit.no-ip.biz udp
SG 78.159.141.204:3365 haaadukit.no-ip.biz tcp
US 8.8.8.8:53 udp

Files

memory/4068-0-0x0000000075292000-0x0000000075293000-memory.dmp

memory/4068-1-0x0000000075290000-0x0000000075841000-memory.dmp

memory/4068-2-0x0000000075290000-0x0000000075841000-memory.dmp

memory/4136-4-0x0000000000400000-0x0000000000405000-memory.dmp

memory/4136-6-0x0000000000400000-0x0000000000405000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fp.txt

MD5 d1d57811ea8479eb76ba617b25c1bf91
SHA1 979ac8b7365725a96ebcee80a2a2ae2622c7afa9
SHA256 d84715b33fdd79464ea60a82cffcc86eccbbd55ed42b948894d13df0e14316cd
SHA512 a08401d6443a144c1016676706961b5a62f5ca5a6f82f257ec8bee49a007f28de9532a311309b46b7d8355b000e92018d7d84c36018481aa6471522912803db0

memory/4136-12-0x0000000000400000-0x0000000000405000-memory.dmp

memory/1124-16-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/1124-17-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/4068-19-0x0000000075290000-0x0000000075841000-memory.dmp

memory/1124-20-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/1124-22-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/1124-21-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/1124-24-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/1124-23-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/1124-25-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/1124-27-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/1124-29-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/1124-31-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/1124-33-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/1124-35-0x0000000000400000-0x00000000004BB000-memory.dmp