darkcomet | fb7f5f1814dbf4782ec77c8ecf5b135c7b65a3a96c74851a6aa9392a3cd6bedc

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
07/07/2024, 10:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29e83185591ddaca9c4a69f03d658177_JaffaCakes118.exe
Size

1.6MB
MD5

29e83185591ddaca9c4a69f03d658177
SHA1

c1618cc383486637a318adaaa12c9760eb7e14b1
SHA256

fb7f5f1814dbf4782ec77c8ecf5b135c7b65a3a96c74851a6aa9392a3cd6bedc
SHA512

7178fabfa97b18914056a48d3e74c98aabdb580830e639ecf7033c99118bbdec7ad687e4bc02c28ea7218ba2d2c0adce29534134ce03368218c1d005f0662362
SSDEEP

24576:voaLBLoMBWjDWARABr9Zkyv4mkvEUYtQS6Os5ueI9AUgFO4xibgi8/81UWow8QAU:voavUOOM8EUYtZ6OYI9DaiQJWoQx

Score

10^/10

darkcomet guest16 evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

cheeseman64.no-ip.org:1604

Mutex

DC_MUTEX-M2LA0SQ

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
CtVmu4KfgZq1
install
true
offline_keylogger
true
password
soccer98
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	vbc.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
4208	attrib.exe

Executes dropped EXE 1 IoCs

pid	Process
4704	msdcsc.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3760 set thread context of 3224	3760	29e83185591ddaca9c4a69f03d658177_JaffaCakes118.exe	85

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	attrib.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vbc.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3224	vbc.exe
Token: SeSecurityPrivilege	3224	vbc.exe
Token: SeTakeOwnershipPrivilege	3224	vbc.exe
Token: SeLoadDriverPrivilege	3224	vbc.exe
Token: SeSystemProfilePrivilege	3224	vbc.exe
Token: SeSystemtimePrivilege	3224	vbc.exe
Token: SeProfSingleProcessPrivilege	3224	vbc.exe
Token: SeIncBasePriorityPrivilege	3224	vbc.exe
Token: SeCreatePagefilePrivilege	3224	vbc.exe
Token: SeBackupPrivilege	3224	vbc.exe
Token: SeRestorePrivilege	3224	vbc.exe
Token: SeShutdownPrivilege	3224	vbc.exe
Token: SeDebugPrivilege	3224	vbc.exe
Token: SeSystemEnvironmentPrivilege	3224	vbc.exe
Token: SeChangeNotifyPrivilege	3224	vbc.exe
Token: SeRemoteShutdownPrivilege	3224	vbc.exe
Token: SeUndockPrivilege	3224	vbc.exe
Token: SeManageVolumePrivilege	3224	vbc.exe
Token: SeImpersonatePrivilege	3224	vbc.exe
Token: SeCreateGlobalPrivilege	3224	vbc.exe
Token: 33	3224	vbc.exe
Token: 34	3224	vbc.exe
Token: 35	3224	vbc.exe
Token: 36	3224	vbc.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 3760 wrote to memory of 3224	3760	29e83185591ddaca9c4a69f03d658177_JaffaCakes118.exe	85
PID 3760 wrote to memory of 3224	3760	29e83185591ddaca9c4a69f03d658177_JaffaCakes118.exe	85
PID 3760 wrote to memory of 3224	3760	29e83185591ddaca9c4a69f03d658177_JaffaCakes118.exe	85
PID 3760 wrote to memory of 3224	3760	29e83185591ddaca9c4a69f03d658177_JaffaCakes118.exe	85
PID 3760 wrote to memory of 3224	3760	29e83185591ddaca9c4a69f03d658177_JaffaCakes118.exe	85
PID 3760 wrote to memory of 3224	3760	29e83185591ddaca9c4a69f03d658177_JaffaCakes118.exe	85
PID 3760 wrote to memory of 3224	3760	29e83185591ddaca9c4a69f03d658177_JaffaCakes118.exe	85
PID 3760 wrote to memory of 3224	3760	29e83185591ddaca9c4a69f03d658177_JaffaCakes118.exe	85
PID 3760 wrote to memory of 3224	3760	29e83185591ddaca9c4a69f03d658177_JaffaCakes118.exe	85
PID 3760 wrote to memory of 3224	3760	29e83185591ddaca9c4a69f03d658177_JaffaCakes118.exe	85
PID 3760 wrote to memory of 3224	3760	29e83185591ddaca9c4a69f03d658177_JaffaCakes118.exe	85
PID 3760 wrote to memory of 3224	3760	29e83185591ddaca9c4a69f03d658177_JaffaCakes118.exe	85
PID 3760 wrote to memory of 3224	3760	29e83185591ddaca9c4a69f03d658177_JaffaCakes118.exe	85
PID 3760 wrote to memory of 3224	3760	29e83185591ddaca9c4a69f03d658177_JaffaCakes118.exe	85
PID 3224 wrote to memory of 4076	3224	vbc.exe	86
PID 3224 wrote to memory of 4076	3224	vbc.exe	86
PID 3224 wrote to memory of 4076	3224	vbc.exe	86
PID 3224 wrote to memory of 4940	3224	vbc.exe	87
PID 3224 wrote to memory of 4940	3224	vbc.exe	87
PID 3224 wrote to memory of 4940	3224	vbc.exe	87
PID 3224 wrote to memory of 4940	3224	vbc.exe	87
PID 3224 wrote to memory of 4940	3224	vbc.exe	87
PID 3224 wrote to memory of 4940	3224	vbc.exe	87
PID 3224 wrote to memory of 4940	3224	vbc.exe	87
PID 3224 wrote to memory of 4940	3224	vbc.exe	87
PID 3224 wrote to memory of 4940	3224	vbc.exe	87
PID 3224 wrote to memory of 4940	3224	vbc.exe	87
PID 3224 wrote to memory of 4940	3224	vbc.exe	87
PID 3224 wrote to memory of 4940	3224	vbc.exe	87
PID 3224 wrote to memory of 4940	3224	vbc.exe	87
PID 3224 wrote to memory of 4940	3224	vbc.exe	87
PID 3224 wrote to memory of 4940	3224	vbc.exe	87
PID 3224 wrote to memory of 4940	3224	vbc.exe	87
PID 3224 wrote to memory of 4940	3224	vbc.exe	87
PID 4076 wrote to memory of 4208	4076	cmd.exe	89
PID 4076 wrote to memory of 4208	4076	cmd.exe	89
PID 4076 wrote to memory of 4208	4076	cmd.exe	89
PID 3224 wrote to memory of 4704	3224	vbc.exe	90
PID 3224 wrote to memory of 4704	3224	vbc.exe	90
PID 3224 wrote to memory of 4704	3224	vbc.exe	90

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4208	attrib.exe

C:\Users\Admin\AppData\Local\Temp\29e83185591ddaca9c4a69f03d658177_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\29e83185591ddaca9c4a69f03d658177_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3760
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Modifies WinLogon for persistence
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3224
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4076
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
      4⤵
      Sets file to hidden
      Drops file in Windows directory
      Views/modifies file attributes
      PID:4208
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    PID:4940
- - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    3⤵
    - Executes dropped EXE
    PID:4704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
memory/3224-4-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3224-3-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3224-6-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3224-7-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3224-9-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3224-73-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3760-0-0x0000000074D52000-0x0000000074D53000-memory.dmp

Filesize
4KB

Download
memory/3760-1-0x0000000074D50000-0x0000000075301000-memory.dmp

Filesize
5.7MB

Download
memory/3760-2-0x0000000074D50000-0x0000000075301000-memory.dmp

Filesize
5.7MB

Download
memory/3760-8-0x0000000074D50000-0x0000000075301000-memory.dmp

Filesize
5.7MB

Download
memory/4940-13-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads