darkcomet | 5c495dec2604e46e7da19c7a566ea49eb099b1b48903a5468604a80b950a1b7d

Analysis

max time kernel
116s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24/06/2024, 18:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a17438f99aab65485edb0026685d14d_JaffaCakes118.exe
Size

1.2MB
MD5

0a17438f99aab65485edb0026685d14d
SHA1

9aaf0a58b141faa896eeca157ac552b53020d92a
SHA256

5c495dec2604e46e7da19c7a566ea49eb099b1b48903a5468604a80b950a1b7d
SHA512

2b32cf8486f51fe7fe09f5f53302bdd1b377f8897d331c32e190e9b655b6c5306e86c3c556081799fe60c45e295ab915d9a3ef67bde0a618646ac3229af25966
SSDEEP

12288:4d8G1EBDI/XVfZBFnj8hCws+1BldShOEI0GiBNNVqaNipha5agNPtIi/wrQgxu3D:ozwBVCA6nP3iSwZrd0z1bWhQXak3

Score

10^/10

darkcomet persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	vbc.exe

Executes dropped EXE 3 IoCs

pid	Process
2936	vbc.exe
2912	msdcsc.exe
2784	vbc.exe

Loads dropped DLL 4 IoCs

pid	Process
2352	0a17438f99aab65485edb0026685d14d_JaffaCakes118.exe
2936	vbc.exe
2936	vbc.exe
2912	msdcsc.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	vbc.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2352 set thread context of 2936	2352	0a17438f99aab65485edb0026685d14d_JaffaCakes118.exe	28
PID 2912 set thread context of 2784	2912	msdcsc.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2936	vbc.exe
Token: SeSecurityPrivilege	2936	vbc.exe
Token: SeTakeOwnershipPrivilege	2936	vbc.exe
Token: SeLoadDriverPrivilege	2936	vbc.exe
Token: SeSystemProfilePrivilege	2936	vbc.exe
Token: SeSystemtimePrivilege	2936	vbc.exe
Token: SeProfSingleProcessPrivilege	2936	vbc.exe
Token: SeIncBasePriorityPrivilege	2936	vbc.exe
Token: SeCreatePagefilePrivilege	2936	vbc.exe
Token: SeBackupPrivilege	2936	vbc.exe
Token: SeRestorePrivilege	2936	vbc.exe
Token: SeShutdownPrivilege	2936	vbc.exe
Token: SeDebugPrivilege	2936	vbc.exe
Token: SeSystemEnvironmentPrivilege	2936	vbc.exe
Token: SeChangeNotifyPrivilege	2936	vbc.exe
Token: SeRemoteShutdownPrivilege	2936	vbc.exe
Token: SeUndockPrivilege	2936	vbc.exe
Token: SeManageVolumePrivilege	2936	vbc.exe
Token: SeImpersonatePrivilege	2936	vbc.exe
Token: SeCreateGlobalPrivilege	2936	vbc.exe
Token: 33	2936	vbc.exe
Token: 34	2936	vbc.exe
Token: 35	2936	vbc.exe
Token: SeIncreaseQuotaPrivilege	2784	vbc.exe
Token: SeSecurityPrivilege	2784	vbc.exe
Token: SeTakeOwnershipPrivilege	2784	vbc.exe
Token: SeLoadDriverPrivilege	2784	vbc.exe
Token: SeSystemProfilePrivilege	2784	vbc.exe
Token: SeSystemtimePrivilege	2784	vbc.exe
Token: SeProfSingleProcessPrivilege	2784	vbc.exe
Token: SeIncBasePriorityPrivilege	2784	vbc.exe
Token: SeCreatePagefilePrivilege	2784	vbc.exe
Token: SeBackupPrivilege	2784	vbc.exe
Token: SeRestorePrivilege	2784	vbc.exe
Token: SeShutdownPrivilege	2784	vbc.exe
Token: SeDebugPrivilege	2784	vbc.exe
Token: SeSystemEnvironmentPrivilege	2784	vbc.exe
Token: SeChangeNotifyPrivilege	2784	vbc.exe
Token: SeRemoteShutdownPrivilege	2784	vbc.exe
Token: SeUndockPrivilege	2784	vbc.exe
Token: SeManageVolumePrivilege	2784	vbc.exe
Token: SeImpersonatePrivilege	2784	vbc.exe
Token: SeCreateGlobalPrivilege	2784	vbc.exe
Token: 33	2784	vbc.exe
Token: 34	2784	vbc.exe
Token: 35	2784	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2784	vbc.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2936	2352	0a17438f99aab65485edb0026685d14d_JaffaCakes118.exe	28
PID 2352 wrote to memory of 2936	2352	0a17438f99aab65485edb0026685d14d_JaffaCakes118.exe	28
PID 2352 wrote to memory of 2936	2352	0a17438f99aab65485edb0026685d14d_JaffaCakes118.exe	28
PID 2352 wrote to memory of 2936	2352	0a17438f99aab65485edb0026685d14d_JaffaCakes118.exe	28
PID 2352 wrote to memory of 2936	2352	0a17438f99aab65485edb0026685d14d_JaffaCakes118.exe	28
PID 2352 wrote to memory of 2936	2352	0a17438f99aab65485edb0026685d14d_JaffaCakes118.exe	28
PID 2352 wrote to memory of 2936	2352	0a17438f99aab65485edb0026685d14d_JaffaCakes118.exe	28
PID 2352 wrote to memory of 2936	2352	0a17438f99aab65485edb0026685d14d_JaffaCakes118.exe	28
PID 2352 wrote to memory of 2936	2352	0a17438f99aab65485edb0026685d14d_JaffaCakes118.exe	28
PID 2352 wrote to memory of 2936	2352	0a17438f99aab65485edb0026685d14d_JaffaCakes118.exe	28
PID 2352 wrote to memory of 2936	2352	0a17438f99aab65485edb0026685d14d_JaffaCakes118.exe	28
PID 2352 wrote to memory of 2936	2352	0a17438f99aab65485edb0026685d14d_JaffaCakes118.exe	28
PID 2352 wrote to memory of 2936	2352	0a17438f99aab65485edb0026685d14d_JaffaCakes118.exe	28
PID 2352 wrote to memory of 2936	2352	0a17438f99aab65485edb0026685d14d_JaffaCakes118.exe	28
PID 2352 wrote to memory of 2936	2352	0a17438f99aab65485edb0026685d14d_JaffaCakes118.exe	28
PID 2936 wrote to memory of 2912	2936	vbc.exe	29
PID 2936 wrote to memory of 2912	2936	vbc.exe	29
PID 2936 wrote to memory of 2912	2936	vbc.exe	29
PID 2936 wrote to memory of 2912	2936	vbc.exe	29
PID 2912 wrote to memory of 2784	2912	msdcsc.exe	30
PID 2912 wrote to memory of 2784	2912	msdcsc.exe	30
PID 2912 wrote to memory of 2784	2912	msdcsc.exe	30
PID 2912 wrote to memory of 2784	2912	msdcsc.exe	30
PID 2912 wrote to memory of 2784	2912	msdcsc.exe	30
PID 2912 wrote to memory of 2784	2912	msdcsc.exe	30
PID 2912 wrote to memory of 2784	2912	msdcsc.exe	30
PID 2912 wrote to memory of 2784	2912	msdcsc.exe	30
PID 2912 wrote to memory of 2784	2912	msdcsc.exe	30
PID 2912 wrote to memory of 2784	2912	msdcsc.exe	30
PID 2912 wrote to memory of 2784	2912	msdcsc.exe	30
PID 2912 wrote to memory of 2784	2912	msdcsc.exe	30
PID 2912 wrote to memory of 2784	2912	msdcsc.exe	30
PID 2912 wrote to memory of 2784	2912	msdcsc.exe	30
PID 2912 wrote to memory of 2784	2912	msdcsc.exe	30

C:\Users\Admin\AppData\Local\Temp\0a17438f99aab65485edb0026685d14d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0a17438f99aab65485edb0026685d14d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\AppData\Local\Temp\vbc.exe
  C:\Users\Admin\AppData\Local\Temp\vbc.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Users\Admin\AppData\Local\Temp\vbc.exe
      C:\Users\Admin\AppData\Local\Temp\vbc.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\vbc.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
1.2MB

MD5
0a17438f99aab65485edb0026685d14d

SHA1
9aaf0a58b141faa896eeca157ac552b53020d92a

SHA256
5c495dec2604e46e7da19c7a566ea49eb099b1b48903a5468604a80b950a1b7d

SHA512
2b32cf8486f51fe7fe09f5f53302bdd1b377f8897d331c32e190e9b655b6c5306e86c3c556081799fe60c45e295ab915d9a3ef67bde0a618646ac3229af25966

Download Submit
memory/2352-26-0x0000000074CB0000-0x000000007525B000-memory.dmp

Filesize
5.7MB

Download
memory/2352-1-0x0000000074CB0000-0x000000007525B000-memory.dmp

Filesize
5.7MB

Download
memory/2352-2-0x0000000074CB0000-0x000000007525B000-memory.dmp

Filesize
5.7MB

Download
memory/2352-0-0x0000000074CB1000-0x0000000074CB2000-memory.dmp

Filesize
4KB

Download
memory/2784-73-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2784-74-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2784-83-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2784-82-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2784-81-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2784-80-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2784-79-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2784-78-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2784-77-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2784-76-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2784-75-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2784-72-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2784-71-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2784-68-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2784-69-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2784-64-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2784-70-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2936-24-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2936-12-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2936-23-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2936-25-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2936-7-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2936-20-0x0000000000010000-0x0000000000011000-memory.dmp

Filesize
4KB

Download
memory/2936-11-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2936-8-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2936-37-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2936-9-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2936-10-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2936-13-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2936-14-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2936-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2936-18-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads