darkcomet | 93b9d433512b9a535b305b795465d913bd59f53571980bef3454ac86673e40b2

Analysis

max time kernel
133s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
06/07/2024, 03:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

274e75565111307a03101990176bad09_JaffaCakes118.exe
Size

2.0MB
MD5

274e75565111307a03101990176bad09
SHA1

057ee1cf7e8dec7d385725c48a417f0a35487db0
SHA256

93b9d433512b9a535b305b795465d913bd59f53571980bef3454ac86673e40b2
SHA512

8eec86ea9afd47634bb3642ded38745ad5fa338a0fb5680ce9dd1225cd5008c8f9f53ba91a7efd908ed83d9bcb3c531fa368a57dc24e12fa74efd3324166de77
SSDEEP

49152:oamdZdcBYjkT3TwNGM1T89AFyaRYZCq38+ct:oaoCYAk8+89GyaGJN

Score

10^/10

darkcomet discovery evasion persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\MSDCSC\\winUpdate.exe"	274e75565111307a03101990176bad09_JaffaCakes118.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	winUpdate.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	winUpdate.exe

Executes dropped EXE 3 IoCs

pid	Process
2340	INSTALL.EXE
2148	MJQ.exe
2976	winUpdate.exe

Loads dropped DLL 10 IoCs

pid	Process
3068	274e75565111307a03101990176bad09_JaffaCakes118.exe
2340	INSTALL.EXE
2148	MJQ.exe
3068	274e75565111307a03101990176bad09_JaffaCakes118.exe
2976	winUpdate.exe
2976	winUpdate.exe
2976	winUpdate.exe
2976	winUpdate.exe
2148	MJQ.exe
2148	MJQ.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	winUpdate.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MJQ Start = "C:\\Windows\\SysWOW64\\VLALXP\\MJQ.exe"	MJQ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\winUpdate = "C:\\Windows\\MSDCSC\\winUpdate.exe"	winUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\winUpdate = "C:\\Windows\\MSDCSC\\winUpdate.exe"	274e75565111307a03101990176bad09_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\VLALXP\MJQ.008	MJQ.exe
File created	C:\Windows\SysWOW64\VLALXP\MJQ.004	INSTALL.EXE
File created	C:\Windows\SysWOW64\VLALXP\MJQ.001	INSTALL.EXE
File created	C:\Windows\SysWOW64\VLALXP\MJQ.002	INSTALL.EXE
File created	C:\Windows\SysWOW64\VLALXP\AKV.exe	INSTALL.EXE
File created	C:\Windows\SysWOW64\VLALXP\MJQ.exe	INSTALL.EXE
File opened for modification	C:\Windows\SysWOW64\VLALXP\	MJQ.exe
File created	C:\Windows\SysWOW64\VLALXP\MJQ.008	MJQ.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\MSDCSC\winUpdate.exe	274e75565111307a03101990176bad09_JaffaCakes118.exe
File opened for modification	C:\Windows\MSDCSC\winUpdate.exe	274e75565111307a03101990176bad09_JaffaCakes118.exe
File opened for modification	C:\Windows\MSDCSC\	274e75565111307a03101990176bad09_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2148	MJQ.exe
2148	MJQ.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3068	274e75565111307a03101990176bad09_JaffaCakes118.exe
Token: SeSecurityPrivilege	3068	274e75565111307a03101990176bad09_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	3068	274e75565111307a03101990176bad09_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	3068	274e75565111307a03101990176bad09_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	3068	274e75565111307a03101990176bad09_JaffaCakes118.exe
Token: SeSystemtimePrivilege	3068	274e75565111307a03101990176bad09_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	3068	274e75565111307a03101990176bad09_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3068	274e75565111307a03101990176bad09_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	3068	274e75565111307a03101990176bad09_JaffaCakes118.exe
Token: SeBackupPrivilege	3068	274e75565111307a03101990176bad09_JaffaCakes118.exe
Token: SeRestorePrivilege	3068	274e75565111307a03101990176bad09_JaffaCakes118.exe
Token: SeShutdownPrivilege	3068	274e75565111307a03101990176bad09_JaffaCakes118.exe
Token: SeDebugPrivilege	3068	274e75565111307a03101990176bad09_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	3068	274e75565111307a03101990176bad09_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	3068	274e75565111307a03101990176bad09_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	3068	274e75565111307a03101990176bad09_JaffaCakes118.exe
Token: SeUndockPrivilege	3068	274e75565111307a03101990176bad09_JaffaCakes118.exe
Token: SeManageVolumePrivilege	3068	274e75565111307a03101990176bad09_JaffaCakes118.exe
Token: SeImpersonatePrivilege	3068	274e75565111307a03101990176bad09_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	3068	274e75565111307a03101990176bad09_JaffaCakes118.exe
Token: 33	3068	274e75565111307a03101990176bad09_JaffaCakes118.exe
Token: 34	3068	274e75565111307a03101990176bad09_JaffaCakes118.exe
Token: 35	3068	274e75565111307a03101990176bad09_JaffaCakes118.exe
Token: 33	2148	MJQ.exe
Token: SeIncBasePriorityPrivilege	2148	MJQ.exe
Token: SeIncreaseQuotaPrivilege	2976	winUpdate.exe
Token: SeSecurityPrivilege	2976	winUpdate.exe
Token: SeTakeOwnershipPrivilege	2976	winUpdate.exe
Token: SeLoadDriverPrivilege	2976	winUpdate.exe
Token: SeSystemProfilePrivilege	2976	winUpdate.exe
Token: SeSystemtimePrivilege	2976	winUpdate.exe
Token: SeProfSingleProcessPrivilege	2976	winUpdate.exe
Token: SeIncBasePriorityPrivilege	2976	winUpdate.exe
Token: SeCreatePagefilePrivilege	2976	winUpdate.exe
Token: SeBackupPrivilege	2976	winUpdate.exe
Token: SeRestorePrivilege	2976	winUpdate.exe
Token: SeShutdownPrivilege	2976	winUpdate.exe
Token: SeDebugPrivilege	2976	winUpdate.exe
Token: SeSystemEnvironmentPrivilege	2976	winUpdate.exe
Token: SeChangeNotifyPrivilege	2976	winUpdate.exe
Token: SeRemoteShutdownPrivilege	2976	winUpdate.exe
Token: SeUndockPrivilege	2976	winUpdate.exe
Token: SeManageVolumePrivilege	2976	winUpdate.exe
Token: SeImpersonatePrivilege	2976	winUpdate.exe
Token: SeCreateGlobalPrivilege	2976	winUpdate.exe
Token: 33	2976	winUpdate.exe
Token: 34	2976	winUpdate.exe
Token: 35	2976	winUpdate.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2148	MJQ.exe
2148	MJQ.exe
2148	MJQ.exe
2148	MJQ.exe
2976	winUpdate.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2340	3068	274e75565111307a03101990176bad09_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2340	3068	274e75565111307a03101990176bad09_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2340	3068	274e75565111307a03101990176bad09_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2340	3068	274e75565111307a03101990176bad09_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2340	3068	274e75565111307a03101990176bad09_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2340	3068	274e75565111307a03101990176bad09_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2340	3068	274e75565111307a03101990176bad09_JaffaCakes118.exe	30
PID 2340 wrote to memory of 2148	2340	INSTALL.EXE	31
PID 2340 wrote to memory of 2148	2340	INSTALL.EXE	31
PID 2340 wrote to memory of 2148	2340	INSTALL.EXE	31
PID 2340 wrote to memory of 2148	2340	INSTALL.EXE	31
PID 3068 wrote to memory of 2976	3068	274e75565111307a03101990176bad09_JaffaCakes118.exe	32
PID 3068 wrote to memory of 2976	3068	274e75565111307a03101990176bad09_JaffaCakes118.exe	32
PID 3068 wrote to memory of 2976	3068	274e75565111307a03101990176bad09_JaffaCakes118.exe	32
PID 3068 wrote to memory of 2976	3068	274e75565111307a03101990176bad09_JaffaCakes118.exe	32
PID 3068 wrote to memory of 2976	3068	274e75565111307a03101990176bad09_JaffaCakes118.exe	32
PID 3068 wrote to memory of 2976	3068	274e75565111307a03101990176bad09_JaffaCakes118.exe	32
PID 3068 wrote to memory of 2976	3068	274e75565111307a03101990176bad09_JaffaCakes118.exe	32
PID 2976 wrote to memory of 2676	2976	winUpdate.exe	33
PID 2976 wrote to memory of 2676	2976	winUpdate.exe	33
PID 2976 wrote to memory of 2676	2976	winUpdate.exe	33
PID 2976 wrote to memory of 2676	2976	winUpdate.exe	33
PID 2976 wrote to memory of 2676	2976	winUpdate.exe	33
PID 2976 wrote to memory of 2676	2976	winUpdate.exe	33
PID 2976 wrote to memory of 2676	2976	winUpdate.exe	33
PID 2976 wrote to memory of 1824	2976	winUpdate.exe	34
PID 2976 wrote to memory of 1824	2976	winUpdate.exe	34
PID 2976 wrote to memory of 1824	2976	winUpdate.exe	34
PID 2976 wrote to memory of 1824	2976	winUpdate.exe	34

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	winUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	winUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	winUpdate.exe

C:\Users\Admin\AppData\Local\Temp\274e75565111307a03101990176bad09_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\274e75565111307a03101990176bad09_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Users\Admin\AppData\Local\Temp\INSTALL.EXE
  "C:\Users\Admin\AppData\Local\Temp\INSTALL.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\SysWOW64\VLALXP\MJQ.exe
    "C:\Windows\system32\VLALXP\MJQ.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2148
- C:\Windows\MSDCSC\winUpdate.exe
  "C:\Windows\MSDCSC\winUpdate.exe"
  2⤵
  - Modifies security service
  - Windows security bypass
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2976
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:2676
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    PID:1824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\VLALXP\AKV.exe

Filesize
500KB

MD5
5a45ea24cce078dcf28664856734565d

SHA1
7e38e0649eae4b0f382c182d0483d9e4c0be26fa

SHA256
385f990c5fb25dc42a5f5a1128c8d20b9956a0790461c62c56607600c8ba7d5a

SHA512
7c466effc080db3c082a3a81cd22a1ee039104ebc9588921124490ceab84b2d5c1b1f4f82dfba95114661311276448297946296b2c4ad9d55cee2e3b710c12e5

Download Submit
C:\Windows\SysWOW64\VLALXP\MJQ.001

Filesize
69KB

MD5
c7fbfdd2d7ded71b4b6281efa26eeede

SHA1
f2f31ff2fab0c96ce978543ec741c6c82dfb7dbc

SHA256
f06fc708de125585f9bfb0c768e1d76f24b6e888875aafdc8c2b670663492737

SHA512
768cd3f899c7d68b426a5bcb5befd4570032ded9a40ceb0cbde618c23016c59e32b03b6b6963b207f7e58621fca2e3ea6d144c1457f69a0b9ef94ed03e83d041

Download Submit
C:\Windows\SysWOW64\VLALXP\MJQ.002

Filesize
54KB

MD5
e7879e2f301a885bb46ec1782a6d6278

SHA1
1aa00ac15c7748432b448be0f8a0d760222024bd

SHA256
9a65b644da2a50ebebaab51c46e8748587d08aaad64102c3df19d996d12dfcef

SHA512
7aa02f3bc0e87ea1afb0b42664891e5198b38796b3fac0deaeff0e92c59892b8a5b985e5d834c713868818a1be6f82cebabab1ac79a286f88c1d57452143a8ed

Download Submit
C:\Windows\SysWOW64\VLALXP\MJQ.004

Filesize
1KB

MD5
e5fc382a5a0605f680fd4be378250bad

SHA1
f2dbea40e9704676e88ba68faa02f29e3be5ac60

SHA256
9c483fb45841945b16b6638657b6c153303c19c190c41015b3defdb22befa02c

SHA512
7753c84366087caf9eb64212ad262e6a1827008724cbc6e753c6c722ffded5ae19c7f6a23634e5b3ace8407b3bcb32e05f9b73ceecc392c180d90299281140f1

Download Submit
C:\Windows\SysWOW64\VLALXP\MJQ.008

Filesize
273B

MD5
7baf64323cb18a9b9142361a3dfce810

SHA1
517a28b0e0d96f370bdace097e0e0bb7c0786510

SHA256
42472bd1cecc6c89d23a27963152dda6e7e5fc2d885d8a8f22579dc668865bed

SHA512
a43b57997f9cd7de7465fac93357c2bb988c929e818ab44b1e27bafc5b49c06427e81499cee204e5371b922ea560f2f7ca4074b134aca88d77505d9c0390ed2a

Download Submit
\Users\Admin\AppData\Local\Temp\INSTALL.EXE

Filesize
1.2MB

MD5
5cdbe0811ded709233391ab63ffe0435

SHA1
d64848e02744ce0929ba481efb1f812d3d18a57c

SHA256
2df405daea506d00b60c0e24913b813901525b73d48785f0930f9c103d0b1bb4

SHA512
4dcfa3bee7a9cb55930ff82b5e8564237ef11d7f9a2899a419b0f7cd0b82cc39bf10e29ebe6c6510e9da745f01ea3355d43fc03c93193d0c6d5c8fa425b90f73

Download Submit
\Windows\MSDCSC\winUpdate.exe

Filesize
2.0MB

MD5
274e75565111307a03101990176bad09

SHA1
057ee1cf7e8dec7d385725c48a417f0a35487db0

SHA256
93b9d433512b9a535b305b795465d913bd59f53571980bef3454ac86673e40b2

SHA512
8eec86ea9afd47634bb3642ded38745ad5fa338a0fb5680ce9dd1225cd5008c8f9f53ba91a7efd908ed83d9bcb3c531fa368a57dc24e12fa74efd3324166de77

Download Submit
\Windows\SysWOW64\VLALXP\MJQ.exe

Filesize
1.7MB

MD5
e4bb483573e6bc82f09578f0b48324a5

SHA1
9a60cf20d832af49fb8ae6c484d0f39028d93d04

SHA256
30b3f04eb8b0820b33c8bc50c159ade06a4a29e4361f917b13bdd9323f4a3127

SHA512
8461aefddde57e467601928789f301c0c5bc42e7c7e4aaaf2dcb7ac6a2aea0d5be51db3daf6c9b11f1d78304de72ae8cf71dd8697d636db4f1767a8f8c6ab35b

Download Submit
memory/2148-45-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2148-24-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2976-50-0x0000000000400000-0x000000000060E000-memory.dmp

Filesize
2.1MB

Download
memory/2976-52-0x0000000000400000-0x000000000060E000-memory.dmp

Filesize
2.1MB

Download
memory/2976-59-0x0000000000400000-0x000000000060E000-memory.dmp

Filesize
2.1MB

Download
memory/2976-46-0x0000000000400000-0x000000000060E000-memory.dmp

Filesize
2.1MB

Download
memory/2976-47-0x0000000000400000-0x000000000060E000-memory.dmp

Filesize
2.1MB

Download
memory/2976-48-0x0000000000400000-0x000000000060E000-memory.dmp

Filesize
2.1MB

Download
memory/2976-44-0x0000000000400000-0x000000000060E000-memory.dmp

Filesize
2.1MB

Download
memory/2976-43-0x0000000000400000-0x000000000060E000-memory.dmp

Filesize
2.1MB

Download
memory/2976-51-0x0000000000400000-0x000000000060E000-memory.dmp

Filesize
2.1MB

Download
memory/2976-58-0x0000000000400000-0x000000000060E000-memory.dmp

Filesize
2.1MB

Download
memory/2976-53-0x0000000000400000-0x000000000060E000-memory.dmp

Filesize
2.1MB

Download
memory/2976-54-0x0000000000400000-0x000000000060E000-memory.dmp

Filesize
2.1MB

Download
memory/2976-55-0x0000000000400000-0x000000000060E000-memory.dmp

Filesize
2.1MB

Download
memory/2976-57-0x0000000000400000-0x000000000060E000-memory.dmp

Filesize
2.1MB

Download
memory/3068-31-0x0000000000400000-0x000000000060E000-memory.dmp

Filesize
2.1MB

Download
memory/3068-0-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download