darkcomet | 893f8462440e7a4a257a413dd41241f9ba271ab1a0721c50fc33bbba9a7ba2d4

Analysis

max time kernel
22s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13/08/2024, 22:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

94efb68649abfd41831a66e2f33c3566_JaffaCakes118.exe
Size

723KB
MD5

94efb68649abfd41831a66e2f33c3566
SHA1

f188fee5ea23710629fe0c53cf0509f67218ccc6
SHA256

893f8462440e7a4a257a413dd41241f9ba271ab1a0721c50fc33bbba9a7ba2d4
SHA512

90cfaf85e8e41dd4876d534109c11cb8a4db231b30f07c8acdc2cb9f57255fc61e423196776784ae47c9a90a21e902a7dfbae8bfd0e698c0b0c0788e2a8479c6
SSDEEP

12288:AFLlJnnbWOtz6sVJhvaz1Qc/WdI//vfM4qwrbkniafLo6vUTyl0w/q9jJN:w3nbWmJVJFwSddIXvfhqbiaxvRxq9T

Score

10^/10

darkcomet discovery persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\MSDCSC\\msdcsc.exe"	94efb68649abfd41831a66e2f33c3566_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2616	msdcsc.exe

Loads dropped DLL 2 IoCs

pid	Process
2928	94efb68649abfd41831a66e2f33c3566_JaffaCakes118.exe
2928	94efb68649abfd41831a66e2f33c3566_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\MSDCSC\\msdcsc.exe"	94efb68649abfd41831a66e2f33c3566_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2616 set thread context of 2296	2616	msdcsc.exe	31

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\MSDCSC\msdcsc.exe	94efb68649abfd41831a66e2f33c3566_JaffaCakes118.exe
File opened for modification	C:\Windows\MSDCSC\	94efb68649abfd41831a66e2f33c3566_JaffaCakes118.exe
File created	C:\Windows\MSDCSC\msdcsc.exe	94efb68649abfd41831a66e2f33c3566_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	94efb68649abfd41831a66e2f33c3566_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2928	94efb68649abfd41831a66e2f33c3566_JaffaCakes118.exe
Token: SeSecurityPrivilege	2928	94efb68649abfd41831a66e2f33c3566_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2928	94efb68649abfd41831a66e2f33c3566_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2928	94efb68649abfd41831a66e2f33c3566_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2928	94efb68649abfd41831a66e2f33c3566_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2928	94efb68649abfd41831a66e2f33c3566_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2928	94efb68649abfd41831a66e2f33c3566_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2928	94efb68649abfd41831a66e2f33c3566_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2928	94efb68649abfd41831a66e2f33c3566_JaffaCakes118.exe
Token: SeBackupPrivilege	2928	94efb68649abfd41831a66e2f33c3566_JaffaCakes118.exe
Token: SeRestorePrivilege	2928	94efb68649abfd41831a66e2f33c3566_JaffaCakes118.exe
Token: SeShutdownPrivilege	2928	94efb68649abfd41831a66e2f33c3566_JaffaCakes118.exe
Token: SeDebugPrivilege	2928	94efb68649abfd41831a66e2f33c3566_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2928	94efb68649abfd41831a66e2f33c3566_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2928	94efb68649abfd41831a66e2f33c3566_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2928	94efb68649abfd41831a66e2f33c3566_JaffaCakes118.exe
Token: SeUndockPrivilege	2928	94efb68649abfd41831a66e2f33c3566_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2928	94efb68649abfd41831a66e2f33c3566_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2928	94efb68649abfd41831a66e2f33c3566_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2928	94efb68649abfd41831a66e2f33c3566_JaffaCakes118.exe
Token: 33	2928	94efb68649abfd41831a66e2f33c3566_JaffaCakes118.exe
Token: 34	2928	94efb68649abfd41831a66e2f33c3566_JaffaCakes118.exe
Token: 35	2928	94efb68649abfd41831a66e2f33c3566_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2616	msdcsc.exe
Token: SeSecurityPrivilege	2616	msdcsc.exe
Token: SeTakeOwnershipPrivilege	2616	msdcsc.exe
Token: SeLoadDriverPrivilege	2616	msdcsc.exe
Token: SeSystemProfilePrivilege	2616	msdcsc.exe
Token: SeSystemtimePrivilege	2616	msdcsc.exe
Token: SeProfSingleProcessPrivilege	2616	msdcsc.exe
Token: SeIncBasePriorityPrivilege	2616	msdcsc.exe
Token: SeCreatePagefilePrivilege	2616	msdcsc.exe
Token: SeBackupPrivilege	2616	msdcsc.exe
Token: SeRestorePrivilege	2616	msdcsc.exe
Token: SeShutdownPrivilege	2616	msdcsc.exe
Token: SeDebugPrivilege	2616	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	2616	msdcsc.exe
Token: SeChangeNotifyPrivilege	2616	msdcsc.exe
Token: SeRemoteShutdownPrivilege	2616	msdcsc.exe
Token: SeUndockPrivilege	2616	msdcsc.exe
Token: SeManageVolumePrivilege	2616	msdcsc.exe
Token: SeImpersonatePrivilege	2616	msdcsc.exe
Token: SeCreateGlobalPrivilege	2616	msdcsc.exe
Token: 33	2616	msdcsc.exe
Token: 34	2616	msdcsc.exe
Token: 35	2616	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	2296	iexplore.exe
Token: SeSecurityPrivilege	2296	iexplore.exe
Token: SeTakeOwnershipPrivilege	2296	iexplore.exe
Token: SeLoadDriverPrivilege	2296	iexplore.exe
Token: SeSystemProfilePrivilege	2296	iexplore.exe
Token: SeSystemtimePrivilege	2296	iexplore.exe
Token: SeProfSingleProcessPrivilege	2296	iexplore.exe
Token: SeIncBasePriorityPrivilege	2296	iexplore.exe
Token: SeCreatePagefilePrivilege	2296	iexplore.exe
Token: SeBackupPrivilege	2296	iexplore.exe
Token: SeRestorePrivilege	2296	iexplore.exe
Token: SeShutdownPrivilege	2296	iexplore.exe
Token: SeDebugPrivilege	2296	iexplore.exe
Token: SeSystemEnvironmentPrivilege	2296	iexplore.exe
Token: SeChangeNotifyPrivilege	2296	iexplore.exe
Token: SeRemoteShutdownPrivilege	2296	iexplore.exe
Token: SeUndockPrivilege	2296	iexplore.exe
Token: SeManageVolumePrivilege	2296	iexplore.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2296	iexplore.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 2616	2928	94efb68649abfd41831a66e2f33c3566_JaffaCakes118.exe	30
PID 2928 wrote to memory of 2616	2928	94efb68649abfd41831a66e2f33c3566_JaffaCakes118.exe	30
PID 2928 wrote to memory of 2616	2928	94efb68649abfd41831a66e2f33c3566_JaffaCakes118.exe	30
PID 2928 wrote to memory of 2616	2928	94efb68649abfd41831a66e2f33c3566_JaffaCakes118.exe	30
PID 2616 wrote to memory of 2296	2616	msdcsc.exe	31
PID 2616 wrote to memory of 2296	2616	msdcsc.exe	31
PID 2616 wrote to memory of 2296	2616	msdcsc.exe	31
PID 2616 wrote to memory of 2296	2616	msdcsc.exe	31
PID 2616 wrote to memory of 2296	2616	msdcsc.exe	31
PID 2616 wrote to memory of 2296	2616	msdcsc.exe	31

C:\Users\Admin\AppData\Local\Temp\94efb68649abfd41831a66e2f33c3566_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\94efb68649abfd41831a66e2f33c3566_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Windows\MSDCSC\msdcsc.exe
  "C:\Windows\MSDCSC\msdcsc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\MSDCSC\msdcsc.exe

Filesize
723KB

MD5
94efb68649abfd41831a66e2f33c3566

SHA1
f188fee5ea23710629fe0c53cf0509f67218ccc6

SHA256
893f8462440e7a4a257a413dd41241f9ba271ab1a0721c50fc33bbba9a7ba2d4

SHA512
90cfaf85e8e41dd4876d534109c11cb8a4db231b30f07c8acdc2cb9f57255fc61e423196776784ae47c9a90a21e902a7dfbae8bfd0e698c0b0c0788e2a8479c6

Download Submit
memory/2296-14-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2616-12-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2616-15-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2928-0-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2928-11-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads