darkcomet | 619ccf5b3f6fe85d1887645e84ff4d480c7f53a0903a00fee2b6a4a3cd46a458

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 08:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dc1c009149df32f04373b3519dfdbc8b_JaffaCakes118.exe
Size

1.1MB
MD5

dc1c009149df32f04373b3519dfdbc8b
SHA1

aef5fd7a3cd4351d96c53f4bece6a0cdf7835029
SHA256

619ccf5b3f6fe85d1887645e84ff4d480c7f53a0903a00fee2b6a4a3cd46a458
SHA512

1ec3919720658c495ead64f44f1eda2f666216f664cbad60890be18746b1426b242691d726ee51de6b48142e61945d148c21334453b23646ead33b2a482828d0
SSDEEP

12288:DaWzgMg7v3qnCiMErQohh0F4CCJ8lnyC8idoH8DVqlXueHrvNI8qNHiUXdWTJAAT:maHMv6CorjqnyC8klDuHbNInHRC2WhZ

Score

10^/10

darkcomet guest16 discovery evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

darktestsh123.no-ip.info:1604

Mutex

DC_MUTEX-XCY52F9

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
7U95T83DNYtl
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	uncrypted.exe

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	msdcsc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	iexplore.exe

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	iexplore.exe

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	iexplore.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	msdcsc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	iexplore.exe

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	uncrypted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	dc1c009149df32f04373b3519dfdbc8b_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
3368	uncrypted.exe
3124	msdcsc.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	uncrypted.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	iexplore.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/4192-0-0x0000000000400000-0x00000000004D5000-memory.dmp	autoit_exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	uncrypted.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	uncrypted.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	uncrypted.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3124 set thread context of 2668	3124	msdcsc.exe	103

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc1c009149df32f04373b3519dfdbc8b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uncrypted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	uncrypted.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3368	uncrypted.exe
Token: SeSecurityPrivilege	3368	uncrypted.exe
Token: SeTakeOwnershipPrivilege	3368	uncrypted.exe
Token: SeLoadDriverPrivilege	3368	uncrypted.exe
Token: SeSystemProfilePrivilege	3368	uncrypted.exe
Token: SeSystemtimePrivilege	3368	uncrypted.exe
Token: SeProfSingleProcessPrivilege	3368	uncrypted.exe
Token: SeIncBasePriorityPrivilege	3368	uncrypted.exe
Token: SeCreatePagefilePrivilege	3368	uncrypted.exe
Token: SeBackupPrivilege	3368	uncrypted.exe
Token: SeRestorePrivilege	3368	uncrypted.exe
Token: SeShutdownPrivilege	3368	uncrypted.exe
Token: SeDebugPrivilege	3368	uncrypted.exe
Token: SeSystemEnvironmentPrivilege	3368	uncrypted.exe
Token: SeChangeNotifyPrivilege	3368	uncrypted.exe
Token: SeRemoteShutdownPrivilege	3368	uncrypted.exe
Token: SeUndockPrivilege	3368	uncrypted.exe
Token: SeManageVolumePrivilege	3368	uncrypted.exe
Token: SeImpersonatePrivilege	3368	uncrypted.exe
Token: SeCreateGlobalPrivilege	3368	uncrypted.exe
Token: 33	3368	uncrypted.exe
Token: 34	3368	uncrypted.exe
Token: 35	3368	uncrypted.exe
Token: 36	3368	uncrypted.exe
Token: SeIncreaseQuotaPrivilege	3124	msdcsc.exe
Token: SeSecurityPrivilege	3124	msdcsc.exe
Token: SeTakeOwnershipPrivilege	3124	msdcsc.exe
Token: SeLoadDriverPrivilege	3124	msdcsc.exe
Token: SeSystemProfilePrivilege	3124	msdcsc.exe
Token: SeSystemtimePrivilege	3124	msdcsc.exe
Token: SeProfSingleProcessPrivilege	3124	msdcsc.exe
Token: SeIncBasePriorityPrivilege	3124	msdcsc.exe
Token: SeCreatePagefilePrivilege	3124	msdcsc.exe
Token: SeBackupPrivilege	3124	msdcsc.exe
Token: SeRestorePrivilege	3124	msdcsc.exe
Token: SeShutdownPrivilege	3124	msdcsc.exe
Token: SeDebugPrivilege	3124	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	3124	msdcsc.exe
Token: SeChangeNotifyPrivilege	3124	msdcsc.exe
Token: SeRemoteShutdownPrivilege	3124	msdcsc.exe
Token: SeUndockPrivilege	3124	msdcsc.exe
Token: SeManageVolumePrivilege	3124	msdcsc.exe
Token: SeImpersonatePrivilege	3124	msdcsc.exe
Token: SeCreateGlobalPrivilege	3124	msdcsc.exe
Token: 33	3124	msdcsc.exe
Token: 34	3124	msdcsc.exe
Token: 35	3124	msdcsc.exe
Token: 36	3124	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	2668	iexplore.exe
Token: SeSecurityPrivilege	2668	iexplore.exe
Token: SeTakeOwnershipPrivilege	2668	iexplore.exe
Token: SeLoadDriverPrivilege	2668	iexplore.exe
Token: SeSystemProfilePrivilege	2668	iexplore.exe
Token: SeSystemtimePrivilege	2668	iexplore.exe
Token: SeProfSingleProcessPrivilege	2668	iexplore.exe
Token: SeIncBasePriorityPrivilege	2668	iexplore.exe
Token: SeCreatePagefilePrivilege	2668	iexplore.exe
Token: SeBackupPrivilege	2668	iexplore.exe
Token: SeRestorePrivilege	2668	iexplore.exe
Token: SeShutdownPrivilege	2668	iexplore.exe
Token: SeDebugPrivilege	2668	iexplore.exe
Token: SeSystemEnvironmentPrivilege	2668	iexplore.exe
Token: SeChangeNotifyPrivilege	2668	iexplore.exe
Token: SeRemoteShutdownPrivilege	2668	iexplore.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2668	iexplore.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 3368	4192	dc1c009149df32f04373b3519dfdbc8b_JaffaCakes118.exe	91
PID 4192 wrote to memory of 3368	4192	dc1c009149df32f04373b3519dfdbc8b_JaffaCakes118.exe	91
PID 4192 wrote to memory of 3368	4192	dc1c009149df32f04373b3519dfdbc8b_JaffaCakes118.exe	91
PID 3368 wrote to memory of 3124	3368	uncrypted.exe	102
PID 3368 wrote to memory of 3124	3368	uncrypted.exe	102
PID 3368 wrote to memory of 3124	3368	uncrypted.exe	102
PID 3124 wrote to memory of 2668	3124	msdcsc.exe	103
PID 3124 wrote to memory of 2668	3124	msdcsc.exe	103
PID 3124 wrote to memory of 2668	3124	msdcsc.exe	103
PID 3124 wrote to memory of 2668	3124	msdcsc.exe	103
PID 3124 wrote to memory of 2668	3124	msdcsc.exe	103

C:\Users\Admin\AppData\Local\Temp\dc1c009149df32f04373b3519dfdbc8b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dc1c009149df32f04373b3519dfdbc8b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Users\Admin\AppData\Local\Temp\uncrypted.exe
  "C:\Users\Admin\AppData\Local\Temp\uncrypted.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3368
- - C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
    "C:\Windows\system32\MSDCSC\msdcsc.exe"
    3⤵
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3124
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      4⤵
      Modifies firewall policy service
      Modifies security service
      Windows security bypass
      Disables RegEdit via registry modification
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4404,i,1330210614411927383,9239043499051775691,262144 --variations-seed-version --mojo-platform-channel-handle=4444 /prefetch:8
1⤵
PID:3996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut126A.tmp

Filesize
332KB

MD5
9b826fe60458bdfe801f3807d2f4219f

SHA1
b490ede17dd208a9f41fe767d61f7656060f5508

SHA256
e59fa9838cdde40d5845d0ac89e5bdb51ad3b3c74d9c27d5fbc8fa14d57384ff

SHA512
07d80533c7b588a2861aa7f77d87d78b488c9bb73837b0c36e1f25caad3bac0a51c1e29bd7ebbf5ba5b11989fb410a4c0a7c15845f358f116ff68083a932f32a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uncrypted.exe

Filesize
332KB

MD5
f5b507d793a1f07b1735f57118943ec0

SHA1
27cba0b7895c3e8a1f22fa4954b526885e47e205

SHA256
49ed71b6c346046d05b4a636539118456e3a07f2beaa645d418ffe71db590a23

SHA512
e2d1e881a9f4fd4a1092ff75646de3c1c87bdfb2f75a2e0246f058d855dcedf378018b2e1535e523841f594209de73a98bfb7a1ff74d4b696e9a0db0ebc10672

Download Submit
memory/3124-84-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/3368-20-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/3368-21-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/3368-85-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/4192-0-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads