darkcomet | 43b05ba8653943e98321f3708dc7f24c6652eee6138725f6a41145d45679995c

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20-07-2024 01:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e8acf5ec31ff19535059327079314d7_JaffaCakes118.exe
Size

744KB
MD5

5e8acf5ec31ff19535059327079314d7
SHA1

783e71eec65d29ead303e8f647918fb20675d354
SHA256

43b05ba8653943e98321f3708dc7f24c6652eee6138725f6a41145d45679995c
SHA512

4f168e4bae2edfa732f90d93c04931dbb0fe4a3fa7484c075906cd243489c9bd84c15eab2bd032a192c51e684f028e5171c972935c8160b545a6f72a50a7c0c2
SSDEEP

12288:T8UaT9XY2siA0bMG09xD7I3Gg8ecgVvfBoCDBOQQYbVXpuy1f/gORixib:wUKoN0bUxgGa/pfBHDb+y1HgZo

Score

10^/10

darkcomet evasion persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\svchost.exe"	5e8acf5ec31ff19535059327079314d7_JaffaCakes118.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	iexplore.exe

Executes dropped EXE 1 IoCs

pid	Process
3064	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
696	5e8acf5ec31ff19535059327079314d7_JaffaCakes118.exe
696	5e8acf5ec31ff19535059327079314d7_JaffaCakes118.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\svchost.exe"	5e8acf5ec31ff19535059327079314d7_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3064 set thread context of 2880	3064	svchost.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	696	5e8acf5ec31ff19535059327079314d7_JaffaCakes118.exe
Token: SeSecurityPrivilege	696	5e8acf5ec31ff19535059327079314d7_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	696	5e8acf5ec31ff19535059327079314d7_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	696	5e8acf5ec31ff19535059327079314d7_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	696	5e8acf5ec31ff19535059327079314d7_JaffaCakes118.exe
Token: SeSystemtimePrivilege	696	5e8acf5ec31ff19535059327079314d7_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	696	5e8acf5ec31ff19535059327079314d7_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	696	5e8acf5ec31ff19535059327079314d7_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	696	5e8acf5ec31ff19535059327079314d7_JaffaCakes118.exe
Token: SeBackupPrivilege	696	5e8acf5ec31ff19535059327079314d7_JaffaCakes118.exe
Token: SeRestorePrivilege	696	5e8acf5ec31ff19535059327079314d7_JaffaCakes118.exe
Token: SeShutdownPrivilege	696	5e8acf5ec31ff19535059327079314d7_JaffaCakes118.exe
Token: SeDebugPrivilege	696	5e8acf5ec31ff19535059327079314d7_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	696	5e8acf5ec31ff19535059327079314d7_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	696	5e8acf5ec31ff19535059327079314d7_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	696	5e8acf5ec31ff19535059327079314d7_JaffaCakes118.exe
Token: SeUndockPrivilege	696	5e8acf5ec31ff19535059327079314d7_JaffaCakes118.exe
Token: SeManageVolumePrivilege	696	5e8acf5ec31ff19535059327079314d7_JaffaCakes118.exe
Token: SeImpersonatePrivilege	696	5e8acf5ec31ff19535059327079314d7_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	696	5e8acf5ec31ff19535059327079314d7_JaffaCakes118.exe
Token: 33	696	5e8acf5ec31ff19535059327079314d7_JaffaCakes118.exe
Token: 34	696	5e8acf5ec31ff19535059327079314d7_JaffaCakes118.exe
Token: 35	696	5e8acf5ec31ff19535059327079314d7_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	3064	svchost.exe
Token: SeSecurityPrivilege	3064	svchost.exe
Token: SeTakeOwnershipPrivilege	3064	svchost.exe
Token: SeLoadDriverPrivilege	3064	svchost.exe
Token: SeSystemProfilePrivilege	3064	svchost.exe
Token: SeSystemtimePrivilege	3064	svchost.exe
Token: SeProfSingleProcessPrivilege	3064	svchost.exe
Token: SeIncBasePriorityPrivilege	3064	svchost.exe
Token: SeCreatePagefilePrivilege	3064	svchost.exe
Token: SeBackupPrivilege	3064	svchost.exe
Token: SeRestorePrivilege	3064	svchost.exe
Token: SeShutdownPrivilege	3064	svchost.exe
Token: SeDebugPrivilege	3064	svchost.exe
Token: SeSystemEnvironmentPrivilege	3064	svchost.exe
Token: SeChangeNotifyPrivilege	3064	svchost.exe
Token: SeRemoteShutdownPrivilege	3064	svchost.exe
Token: SeUndockPrivilege	3064	svchost.exe
Token: SeManageVolumePrivilege	3064	svchost.exe
Token: SeImpersonatePrivilege	3064	svchost.exe
Token: SeCreateGlobalPrivilege	3064	svchost.exe
Token: 33	3064	svchost.exe
Token: 34	3064	svchost.exe
Token: 35	3064	svchost.exe
Token: SeIncreaseQuotaPrivilege	2880	iexplore.exe
Token: SeSecurityPrivilege	2880	iexplore.exe
Token: SeTakeOwnershipPrivilege	2880	iexplore.exe
Token: SeLoadDriverPrivilege	2880	iexplore.exe
Token: SeSystemProfilePrivilege	2880	iexplore.exe
Token: SeSystemtimePrivilege	2880	iexplore.exe
Token: SeProfSingleProcessPrivilege	2880	iexplore.exe
Token: SeIncBasePriorityPrivilege	2880	iexplore.exe
Token: SeCreatePagefilePrivilege	2880	iexplore.exe
Token: SeBackupPrivilege	2880	iexplore.exe
Token: SeRestorePrivilege	2880	iexplore.exe
Token: SeShutdownPrivilege	2880	iexplore.exe
Token: SeDebugPrivilege	2880	iexplore.exe
Token: SeSystemEnvironmentPrivilege	2880	iexplore.exe
Token: SeChangeNotifyPrivilege	2880	iexplore.exe
Token: SeRemoteShutdownPrivilege	2880	iexplore.exe
Token: SeUndockPrivilege	2880	iexplore.exe
Token: SeManageVolumePrivilege	2880	iexplore.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 696 wrote to memory of 3064	696	5e8acf5ec31ff19535059327079314d7_JaffaCakes118.exe	31
PID 696 wrote to memory of 3064	696	5e8acf5ec31ff19535059327079314d7_JaffaCakes118.exe	31
PID 696 wrote to memory of 3064	696	5e8acf5ec31ff19535059327079314d7_JaffaCakes118.exe	31
PID 696 wrote to memory of 3064	696	5e8acf5ec31ff19535059327079314d7_JaffaCakes118.exe	31
PID 3064 wrote to memory of 2880	3064	svchost.exe	32
PID 3064 wrote to memory of 2880	3064	svchost.exe	32
PID 3064 wrote to memory of 2880	3064	svchost.exe	32
PID 3064 wrote to memory of 2880	3064	svchost.exe	32
PID 3064 wrote to memory of 2880	3064	svchost.exe	32
PID 3064 wrote to memory of 2880	3064	svchost.exe	32

C:\Users\Admin\AppData\Local\Temp\5e8acf5ec31ff19535059327079314d7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5e8acf5ec31ff19535059327079314d7_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:696
- C:\Users\Admin\AppData\Roaming\MSDCSC\svchost.exe
  "C:\Users\Admin\AppData\Roaming\MSDCSC\svchost.exe"
  2⤵
  - Windows security bypass
  - Executes dropped EXE
  - Windows security modification
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    - Windows security bypass
    - Suspicious use of AdjustPrivilegeToken
    PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\MSDCSC\svchost.exe

Filesize
744KB

MD5
5e8acf5ec31ff19535059327079314d7

SHA1
783e71eec65d29ead303e8f647918fb20675d354

SHA256
43b05ba8653943e98321f3708dc7f24c6652eee6138725f6a41145d45679995c

SHA512
4f168e4bae2edfa732f90d93c04931dbb0fe4a3fa7484c075906cd243489c9bd84c15eab2bd032a192c51e684f028e5171c972935c8160b545a6f72a50a7c0c2

Download Submit
memory/696-0-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/696-11-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/2880-13-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/3064-14-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads