darkcomet | 2c4ec961cbfbd97190b73e8825c3326f343f0efcfea615fb88f7de48ff693b7f

Analysis

max time kernel
129s
max time network
21s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22/07/2024, 12:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

633ea3f02e5af0b944e262579a0bd104_JaffaCakes118.exe
Size

960KB
MD5

633ea3f02e5af0b944e262579a0bd104
SHA1

f026dab6d57a0c91fc50426ad6eb302df3ade9cf
SHA256

2c4ec961cbfbd97190b73e8825c3326f343f0efcfea615fb88f7de48ff693b7f
SHA512

e81bbf4cf79a4d01dcb98d43e9c3ca20b118eda23d5b2567017df1f95302c92cef12ff133ef580418a9196a881321fa1cca68990b0da19521f0e2647b8793a04
SSDEEP

24576:QnHwA5D5D+iR6zhgqEgPjpdsUowULHGiYKm8:KV7LkCUoNHc8

Score

10^/10

darkcomet bootkit persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Executes dropped EXE 3 IoCs

pid	Process
2836	eNdw3.exe
2600	eNdw3.exe
2540	eNdw3.exe

Loads dropped DLL 4 IoCs

pid	Process
2292	633ea3f02e5af0b944e262579a0bd104_JaffaCakes118.exe
2292	633ea3f02e5af0b944e262579a0bd104_JaffaCakes118.exe
2836	eNdw3.exe
2600	eNdw3.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	633ea3f02e5af0b944e262579a0bd104_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	eNdw3.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1668 set thread context of 2292	1668	633ea3f02e5af0b944e262579a0bd104_JaffaCakes118.exe	30
PID 2836 set thread context of 2600	2836	eNdw3.exe	33
PID 2600 set thread context of 2540	2600	eNdw3.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2540	eNdw3.exe
Token: SeSecurityPrivilege	2540	eNdw3.exe
Token: SeTakeOwnershipPrivilege	2540	eNdw3.exe
Token: SeLoadDriverPrivilege	2540	eNdw3.exe
Token: SeSystemProfilePrivilege	2540	eNdw3.exe
Token: SeSystemtimePrivilege	2540	eNdw3.exe
Token: SeProfSingleProcessPrivilege	2540	eNdw3.exe
Token: SeIncBasePriorityPrivilege	2540	eNdw3.exe
Token: SeCreatePagefilePrivilege	2540	eNdw3.exe
Token: SeBackupPrivilege	2540	eNdw3.exe
Token: SeRestorePrivilege	2540	eNdw3.exe
Token: SeShutdownPrivilege	2540	eNdw3.exe
Token: SeDebugPrivilege	2540	eNdw3.exe
Token: SeSystemEnvironmentPrivilege	2540	eNdw3.exe
Token: SeChangeNotifyPrivilege	2540	eNdw3.exe
Token: SeRemoteShutdownPrivilege	2540	eNdw3.exe
Token: SeUndockPrivilege	2540	eNdw3.exe
Token: SeManageVolumePrivilege	2540	eNdw3.exe
Token: SeImpersonatePrivilege	2540	eNdw3.exe
Token: SeCreateGlobalPrivilege	2540	eNdw3.exe
Token: 33	2540	eNdw3.exe
Token: 34	2540	eNdw3.exe
Token: 35	2540	eNdw3.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2788	DllHost.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1668	633ea3f02e5af0b944e262579a0bd104_JaffaCakes118.exe
2292	633ea3f02e5af0b944e262579a0bd104_JaffaCakes118.exe
2836	eNdw3.exe
2600	eNdw3.exe
2540	eNdw3.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 2292	1668	633ea3f02e5af0b944e262579a0bd104_JaffaCakes118.exe	30
PID 1668 wrote to memory of 2292	1668	633ea3f02e5af0b944e262579a0bd104_JaffaCakes118.exe	30
PID 1668 wrote to memory of 2292	1668	633ea3f02e5af0b944e262579a0bd104_JaffaCakes118.exe	30
PID 1668 wrote to memory of 2292	1668	633ea3f02e5af0b944e262579a0bd104_JaffaCakes118.exe	30
PID 1668 wrote to memory of 2292	1668	633ea3f02e5af0b944e262579a0bd104_JaffaCakes118.exe	30
PID 1668 wrote to memory of 2292	1668	633ea3f02e5af0b944e262579a0bd104_JaffaCakes118.exe	30
PID 1668 wrote to memory of 2292	1668	633ea3f02e5af0b944e262579a0bd104_JaffaCakes118.exe	30
PID 1668 wrote to memory of 2292	1668	633ea3f02e5af0b944e262579a0bd104_JaffaCakes118.exe	30
PID 1668 wrote to memory of 2292	1668	633ea3f02e5af0b944e262579a0bd104_JaffaCakes118.exe	30
PID 2292 wrote to memory of 2836	2292	633ea3f02e5af0b944e262579a0bd104_JaffaCakes118.exe	32
PID 2292 wrote to memory of 2836	2292	633ea3f02e5af0b944e262579a0bd104_JaffaCakes118.exe	32
PID 2292 wrote to memory of 2836	2292	633ea3f02e5af0b944e262579a0bd104_JaffaCakes118.exe	32
PID 2292 wrote to memory of 2836	2292	633ea3f02e5af0b944e262579a0bd104_JaffaCakes118.exe	32
PID 2836 wrote to memory of 2600	2836	eNdw3.exe	33
PID 2836 wrote to memory of 2600	2836	eNdw3.exe	33
PID 2836 wrote to memory of 2600	2836	eNdw3.exe	33
PID 2836 wrote to memory of 2600	2836	eNdw3.exe	33
PID 2836 wrote to memory of 2600	2836	eNdw3.exe	33
PID 2836 wrote to memory of 2600	2836	eNdw3.exe	33
PID 2836 wrote to memory of 2600	2836	eNdw3.exe	33
PID 2836 wrote to memory of 2600	2836	eNdw3.exe	33
PID 2836 wrote to memory of 2600	2836	eNdw3.exe	33
PID 2600 wrote to memory of 2540	2600	eNdw3.exe	34
PID 2600 wrote to memory of 2540	2600	eNdw3.exe	34
PID 2600 wrote to memory of 2540	2600	eNdw3.exe	34
PID 2600 wrote to memory of 2540	2600	eNdw3.exe	34
PID 2600 wrote to memory of 2540	2600	eNdw3.exe	34
PID 2600 wrote to memory of 2540	2600	eNdw3.exe	34
PID 2600 wrote to memory of 2540	2600	eNdw3.exe	34
PID 2600 wrote to memory of 2540	2600	eNdw3.exe	34
PID 2600 wrote to memory of 2540	2600	eNdw3.exe	34
PID 2600 wrote to memory of 2540	2600	eNdw3.exe	34
PID 2600 wrote to memory of 2540	2600	eNdw3.exe	34
PID 2600 wrote to memory of 2540	2600	eNdw3.exe	34
PID 2600 wrote to memory of 2540	2600	eNdw3.exe	34

C:\Users\Admin\AppData\Local\Temp\633ea3f02e5af0b944e262579a0bd104_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\633ea3f02e5af0b944e262579a0bd104_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Users\Admin\AppData\Local\Temp\633ea3f02e5af0b944e262579a0bd104_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\633ea3f02e5af0b944e262579a0bd104_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Users\Admin\AppData\Local\Temp\eNdw3.exe
    "C:\Users\Admin\AppData\Local\Temp\eNdw3.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Users\Admin\AppData\Local\Temp\eNdw3.exe
      "C:\Users\Admin\AppData\Local\Temp\eNdw3.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Users\Admin\AppData\Local\Temp\eNdw3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\eNdw3.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2540

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sozinha2.jpg

Filesize
5KB

MD5
48fc8dc92ba0932d635619651ce15cab

SHA1
3fd2fc289fd81fd3f36a15bebbe05b02827b37de

SHA256
4b8bfc4abe08fe2b32345d8ee359cbb419dc595b061d952f44af66dafd177219

SHA512
be1bc0a815514b7eff5cffcb5042f51c37478c13ba4337cc5107fc2f3bf4a24c3181812b70cfcf6db31353a738617527835f77d7d3a473ccdb584dd79775b553

Download Submit
\Users\Admin\AppData\Local\Temp\eNdw3.exe

Filesize
800KB

MD5
bb8b36678d1c3c353815b399ee3421cf

SHA1
cb69c3f98fb30b9a16dd39d73f35c62da617ea23

SHA256
ed699c425584c12306c5673e96f769698504cf05d733696bdcee2964a4ad9b57

SHA512
3e595c116f341046ebb03520b159fcba7c0f8a5f72f3e341a35ea1380b86c6ae5ca0f41fa9741ef70f87b68b99e5c2468206fa12f675aec5b828ce6a8d2409dd

Download Submit
memory/2292-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2292-17-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2292-6-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2292-4-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2292-2-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2292-19-0x0000000002500000-0x0000000002502000-memory.dmp

Filesize
8KB

Download
memory/2292-12-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2292-30-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2540-69-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2540-66-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2540-88-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2540-86-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2540-84-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2540-82-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2540-52-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2540-56-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2540-80-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2540-64-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2540-62-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2540-58-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2540-54-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2540-78-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2540-60-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2540-71-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2540-74-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2540-73-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2540-72-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2540-76-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2600-75-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2600-37-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2600-46-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2600-41-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2600-48-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2600-39-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2788-20-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads