darkcomet | a8acba9d91c15bd4d86f38631c59a9b1bfb6e679203e7bd0ae334d6445e7fb9c

Analysis

max time kernel
149s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20/08/2024, 10:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

aed48a1bff7b09c7a37cd0d49695db28_JaffaCakes118.exe
Size

794KB
MD5

aed48a1bff7b09c7a37cd0d49695db28
SHA1

2cc7e919c06f0d351753b13b6ee346217780d0f8
SHA256

a8acba9d91c15bd4d86f38631c59a9b1bfb6e679203e7bd0ae334d6445e7fb9c
SHA512

5bc82ab8312ba52e89605280ade96e21e3ce158d80bbada1f411ae21cba889d135a6538c27d30315ed8e5e6862214423bdf99e507f9479279ea8ed577d5cc16f
SSDEEP

12288:xvRRy90KMRv26TA7Qh6vWjPjkDQoyazsfDiVZlbTIAwil5EiVWRZATzC3G:dyURu8A8PjGwLiVZpIA97EMWRaTmW

Score

10^/10

darkcomet discovery persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	DOFUSB~1.EXE

Executes dropped EXE 2 IoCs

pid	Process
2036	Dofus Bot 2012 Working.exe
2836	DOFUSB~1.EXE

Loads dropped DLL 4 IoCs

pid	Process
2380	aed48a1bff7b09c7a37cd0d49695db28_JaffaCakes118.exe
2036	Dofus Bot 2012 Working.exe
2036	Dofus Bot 2012 Working.exe
2836	DOFUSB~1.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Dofus Bot 2012 Working.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aed48a1bff7b09c7a37cd0d49695db28_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dofus Bot 2012 Working.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DOFUSB~1.EXE

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	DOFUSB~1.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	DOFUSB~1.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	DOFUSB~1.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	DOFUSB~1.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	DOFUSB~1.EXE

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: 33	2380	aed48a1bff7b09c7a37cd0d49695db28_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2380	aed48a1bff7b09c7a37cd0d49695db28_JaffaCakes118.exe
Token: 33	2380	aed48a1bff7b09c7a37cd0d49695db28_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2380	aed48a1bff7b09c7a37cd0d49695db28_JaffaCakes118.exe
Token: 33	2380	aed48a1bff7b09c7a37cd0d49695db28_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2380	aed48a1bff7b09c7a37cd0d49695db28_JaffaCakes118.exe
Token: 33	2036	Dofus Bot 2012 Working.exe
Token: SeIncBasePriorityPrivilege	2036	Dofus Bot 2012 Working.exe
Token: SeIncreaseQuotaPrivilege	2836	DOFUSB~1.EXE
Token: SeSecurityPrivilege	2836	DOFUSB~1.EXE
Token: SeTakeOwnershipPrivilege	2836	DOFUSB~1.EXE
Token: SeLoadDriverPrivilege	2836	DOFUSB~1.EXE
Token: SeSystemProfilePrivilege	2836	DOFUSB~1.EXE
Token: SeSystemtimePrivilege	2836	DOFUSB~1.EXE
Token: SeProfSingleProcessPrivilege	2836	DOFUSB~1.EXE
Token: SeIncBasePriorityPrivilege	2836	DOFUSB~1.EXE
Token: SeCreatePagefilePrivilege	2836	DOFUSB~1.EXE
Token: SeBackupPrivilege	2836	DOFUSB~1.EXE
Token: SeRestorePrivilege	2836	DOFUSB~1.EXE
Token: SeShutdownPrivilege	2836	DOFUSB~1.EXE
Token: SeDebugPrivilege	2836	DOFUSB~1.EXE
Token: SeSystemEnvironmentPrivilege	2836	DOFUSB~1.EXE
Token: SeChangeNotifyPrivilege	2836	DOFUSB~1.EXE
Token: SeRemoteShutdownPrivilege	2836	DOFUSB~1.EXE
Token: SeUndockPrivilege	2836	DOFUSB~1.EXE
Token: SeManageVolumePrivilege	2836	DOFUSB~1.EXE
Token: SeImpersonatePrivilege	2836	DOFUSB~1.EXE
Token: SeCreateGlobalPrivilege	2836	DOFUSB~1.EXE
Token: 33	2836	DOFUSB~1.EXE
Token: 34	2836	DOFUSB~1.EXE
Token: 35	2836	DOFUSB~1.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2036	2380	aed48a1bff7b09c7a37cd0d49695db28_JaffaCakes118.exe	30
PID 2380 wrote to memory of 2036	2380	aed48a1bff7b09c7a37cd0d49695db28_JaffaCakes118.exe	30
PID 2380 wrote to memory of 2036	2380	aed48a1bff7b09c7a37cd0d49695db28_JaffaCakes118.exe	30
PID 2380 wrote to memory of 2036	2380	aed48a1bff7b09c7a37cd0d49695db28_JaffaCakes118.exe	30
PID 2380 wrote to memory of 2036	2380	aed48a1bff7b09c7a37cd0d49695db28_JaffaCakes118.exe	30
PID 2380 wrote to memory of 2036	2380	aed48a1bff7b09c7a37cd0d49695db28_JaffaCakes118.exe	30
PID 2380 wrote to memory of 2036	2380	aed48a1bff7b09c7a37cd0d49695db28_JaffaCakes118.exe	30
PID 2036 wrote to memory of 2836	2036	Dofus Bot 2012 Working.exe	31
PID 2036 wrote to memory of 2836	2036	Dofus Bot 2012 Working.exe	31
PID 2036 wrote to memory of 2836	2036	Dofus Bot 2012 Working.exe	31
PID 2036 wrote to memory of 2836	2036	Dofus Bot 2012 Working.exe	31
PID 2036 wrote to memory of 2836	2036	Dofus Bot 2012 Working.exe	31
PID 2036 wrote to memory of 2836	2036	Dofus Bot 2012 Working.exe	31
PID 2036 wrote to memory of 2836	2036	Dofus Bot 2012 Working.exe	31

C:\Users\Admin\AppData\Local\Temp\aed48a1bff7b09c7a37cd0d49695db28_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aed48a1bff7b09c7a37cd0d49695db28_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380
- \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\Hack\1.1.0.0\2012.05.08T18.54\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\Dofus Bot 2012 Working.exe
  "C:\Users\Admin\AppData\Local\Temp\Dofus Bot 2012 Working.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2036
- - \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\Hack\1.1.0.0\2012.05.08T18.54\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\DOFUSB~1.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DOFUSB~1.EXE
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DOFUSB~1.EXE

Filesize
635KB

MD5
9639165db47d5266e16db97ba7a0defd

SHA1
db7da04508aa95cedad4fdbba25caceb4d84fd2a

SHA256
8dec89138a3c126a250f623eab2e8ce3d7f4ffba527fd7da9b998aaf62c53161

SHA512
604ac84abe8282a28815b02718d7dd720128faaa53f9a60f8b1ca01013521068042ee030478ab426d6f10c1352b5a3f281337b5f77848dd22a3c0e64ef6c1027

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\Hack\1.1.0.0\2012.05.08T18.54\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\DOFUSB~1.EXE

Filesize
17KB

MD5
dc107046ed191636de68c65db28b1b52

SHA1
763429303e5e84a81581bb2ed165c6192fc63b90

SHA256
883e046b44ef22a17f11fe7b452b2a6bb1dac7a7782b63bbcc06bf70152e688e

SHA512
ee926dbf81fb9e57acd822dd0efa786f98a7e880bbbccae2aebc36ea1868373f1dcccb4c2f98988df622fcdb708f90434d0c8e00e2cb1f781eb223d1ac669f8d

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\Hack\1.1.0.0\2012.05.08T18.54\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\Dofus Bot 2012 Working.exe

Filesize
17KB

MD5
d78eb03d051147fb663b13eebc1ae6ba

SHA1
8aa96eb51856cb18134e4b605c2ca6ef51e8be64

SHA256
2a5bfa047499c5bff123fac062f78f32a970fbd035997b306cb4e11e02df6ef9

SHA512
281bac20ca0e7aa20532f1b485a5a04ec159c53f00cde6a248467a4bbaefd17e672d54f91f61b8cc93c7bdd2aafe49b811509ea0b7b6a7e0454274b7d04ef1b0

Download Submit
memory/2036-20-0x0000000001000000-0x000000000106B000-memory.dmp

Filesize
428KB

Download
memory/2036-14-0x0000000001000000-0x000000000106B000-memory.dmp

Filesize
428KB

Download
memory/2036-16-0x0000000001000000-0x000000000106B000-memory.dmp

Filesize
428KB

Download
memory/2036-21-0x0000000001000000-0x000000000106B000-memory.dmp

Filesize
428KB

Download
memory/2036-22-0x0000000001000000-0x000000000106B000-memory.dmp

Filesize
428KB

Download
memory/2036-17-0x0000000001000000-0x000000000106B000-memory.dmp

Filesize
428KB

Download
memory/2036-18-0x0000000001000000-0x000000000106B000-memory.dmp

Filesize
428KB

Download
memory/2036-19-0x0000000001000000-0x000000000106B000-memory.dmp

Filesize
428KB

Download
memory/2380-0-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/2380-1-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/2380-2-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/2380-4-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/2380-5-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/2380-8-0x0000000000780000-0x00000000007F2000-memory.dmp

Filesize
456KB

Download
memory/2380-10-0x0000000003A80000-0x0000000003AEB000-memory.dmp

Filesize
428KB

Download
memory/2380-12-0x0000000003A80000-0x0000000003AEB000-memory.dmp

Filesize
428KB

Download
memory/2380-11-0x0000000003A80000-0x0000000003AEB000-memory.dmp

Filesize
428KB

Download
memory/2380-23-0x0000000000780000-0x00000000007F2000-memory.dmp

Filesize
456KB

Download
memory/2380-7-0x0000000000780000-0x00000000007F2000-memory.dmp

Filesize
456KB

Download
memory/2380-3-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/2836-56-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2836-75-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2836-50-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2836-40-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2836-39-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2836-60-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2836-59-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2836-58-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2836-57-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2836-41-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2836-66-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2836-65-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2836-72-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2836-71-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2836-77-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2836-79-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2836-82-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2836-81-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2836-80-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2836-78-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2836-76-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2836-42-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2836-74-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2836-73-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2836-70-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2836-69-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2836-68-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2836-67-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2836-64-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2836-63-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2836-62-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2836-55-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2836-54-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2836-53-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2836-52-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2836-51-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2836-49-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2836-48-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2836-47-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2836-46-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2836-45-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2836-44-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2836-43-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads