darkcomet | d606f82a6f0d3c831cbe557bc5ecc578d12e76c419596dac936dbc9954adf9e9

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-09-2024 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f41ab658351a04d98a8801b5ab4e98d9_JaffaCakes118.exe
Size

406KB
MD5

f41ab658351a04d98a8801b5ab4e98d9
SHA1

e431926631829cbea065d53028a707bf477a5c49
SHA256

d606f82a6f0d3c831cbe557bc5ecc578d12e76c419596dac936dbc9954adf9e9
SHA512

764b857080b0d17c0eac836dd1ed70eb587286242e0a287cad0e33112c0dc9eb143bbab8dfdf022e1aa6e388efad0d4879e14b27ca7e4def89ea9507bbf847f3
SSDEEP

12288:opuvWBF7oLNS3NibJHcZJ+mrtuV41kfgjdkA:gu+HQCibJ8D+mZ+gjT

Score

10^/10

darkcomet hawkeye discovery keylogger persistence rat spyware stealer trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	nvxdsinc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	f41ab658351a04d98a8801b5ab4e98d9_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2952	explorer.exe

Executes dropped EXE 3 IoCs

pid	Process
2952	explorer.exe
5056	nvxdsinc.exe
1468	nwtray.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\nvxdsinc.exe"	nvxdsinc.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2952 set thread context of 2664	2952	explorer.exe	83
PID 1468 set thread context of 1208	1468	nwtray.exe	86

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2664-21-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/2664-22-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/2664-23-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/2664-24-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/2664-25-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/2664-28-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/2664-27-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/2664-26-0x0000000000400000-0x00000000004B5000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f41ab658351a04d98a8801b5ab4e98d9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nvxdsinc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nwtray.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2952	explorer.exe
5056	nvxdsinc.exe
1468	nwtray.exe
2952	explorer.exe
5056	nvxdsinc.exe
1468	nwtray.exe
2952	explorer.exe
5056	nvxdsinc.exe
1468	nwtray.exe
2952	explorer.exe
5056	nvxdsinc.exe
1468	nwtray.exe
2952	explorer.exe
5056	nvxdsinc.exe
1468	nwtray.exe
2952	explorer.exe
5056	nvxdsinc.exe
1468	nwtray.exe
2952	explorer.exe
5056	nvxdsinc.exe
1468	nwtray.exe
2952	explorer.exe
5056	nvxdsinc.exe
1468	nwtray.exe
2952	explorer.exe
5056	nvxdsinc.exe
1468	nwtray.exe
2952	explorer.exe
5056	nvxdsinc.exe
1468	nwtray.exe
2952	explorer.exe
5056	nvxdsinc.exe
1468	nwtray.exe
2952	explorer.exe
5056	nvxdsinc.exe
1468	nwtray.exe
2952	explorer.exe
5056	nvxdsinc.exe
1468	nwtray.exe
2952	explorer.exe
5056	nvxdsinc.exe
1468	nwtray.exe
2952	explorer.exe
5056	nvxdsinc.exe
1468	nwtray.exe
2952	explorer.exe
5056	nvxdsinc.exe
1468	nwtray.exe
2952	explorer.exe
5056	nvxdsinc.exe
1468	nwtray.exe
2952	explorer.exe
5056	nvxdsinc.exe
1468	nwtray.exe
2952	explorer.exe
5056	nvxdsinc.exe
1468	nwtray.exe
2952	explorer.exe
5056	nvxdsinc.exe
1468	nwtray.exe
2952	explorer.exe
5056	nvxdsinc.exe
1468	nwtray.exe
2952	explorer.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeDebugPrivilege	5088	f41ab658351a04d98a8801b5ab4e98d9_JaffaCakes118.exe
Token: SeDebugPrivilege	2952	explorer.exe
Token: SeIncreaseQuotaPrivilege	2664	AppLaunch.exe
Token: SeSecurityPrivilege	2664	AppLaunch.exe
Token: SeTakeOwnershipPrivilege	2664	AppLaunch.exe
Token: SeLoadDriverPrivilege	2664	AppLaunch.exe
Token: SeSystemProfilePrivilege	2664	AppLaunch.exe
Token: SeSystemtimePrivilege	2664	AppLaunch.exe
Token: SeProfSingleProcessPrivilege	2664	AppLaunch.exe
Token: SeIncBasePriorityPrivilege	2664	AppLaunch.exe
Token: SeCreatePagefilePrivilege	2664	AppLaunch.exe
Token: SeBackupPrivilege	2664	AppLaunch.exe
Token: SeRestorePrivilege	2664	AppLaunch.exe
Token: SeShutdownPrivilege	2664	AppLaunch.exe
Token: SeDebugPrivilege	2664	AppLaunch.exe
Token: SeSystemEnvironmentPrivilege	2664	AppLaunch.exe
Token: SeChangeNotifyPrivilege	2664	AppLaunch.exe
Token: SeRemoteShutdownPrivilege	2664	AppLaunch.exe
Token: SeUndockPrivilege	2664	AppLaunch.exe
Token: SeManageVolumePrivilege	2664	AppLaunch.exe
Token: SeImpersonatePrivilege	2664	AppLaunch.exe
Token: SeCreateGlobalPrivilege	2664	AppLaunch.exe
Token: 33	2664	AppLaunch.exe
Token: 34	2664	AppLaunch.exe
Token: 35	2664	AppLaunch.exe
Token: 36	2664	AppLaunch.exe
Token: SeDebugPrivilege	5056	nvxdsinc.exe
Token: SeDebugPrivilege	1468	nwtray.exe
Token: SeIncreaseQuotaPrivilege	1208	AppLaunch.exe
Token: SeSecurityPrivilege	1208	AppLaunch.exe
Token: SeTakeOwnershipPrivilege	1208	AppLaunch.exe
Token: SeLoadDriverPrivilege	1208	AppLaunch.exe
Token: SeSystemProfilePrivilege	1208	AppLaunch.exe
Token: SeSystemtimePrivilege	1208	AppLaunch.exe
Token: SeProfSingleProcessPrivilege	1208	AppLaunch.exe
Token: SeIncBasePriorityPrivilege	1208	AppLaunch.exe
Token: SeCreatePagefilePrivilege	1208	AppLaunch.exe
Token: SeBackupPrivilege	1208	AppLaunch.exe
Token: SeRestorePrivilege	1208	AppLaunch.exe
Token: SeShutdownPrivilege	1208	AppLaunch.exe
Token: SeDebugPrivilege	1208	AppLaunch.exe
Token: SeSystemEnvironmentPrivilege	1208	AppLaunch.exe
Token: SeChangeNotifyPrivilege	1208	AppLaunch.exe
Token: SeRemoteShutdownPrivilege	1208	AppLaunch.exe
Token: SeUndockPrivilege	1208	AppLaunch.exe
Token: SeManageVolumePrivilege	1208	AppLaunch.exe
Token: SeImpersonatePrivilege	1208	AppLaunch.exe
Token: SeCreateGlobalPrivilege	1208	AppLaunch.exe
Token: 33	1208	AppLaunch.exe
Token: 34	1208	AppLaunch.exe
Token: 35	1208	AppLaunch.exe
Token: 36	1208	AppLaunch.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2664	AppLaunch.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 5088 wrote to memory of 2952	5088	f41ab658351a04d98a8801b5ab4e98d9_JaffaCakes118.exe	82
PID 5088 wrote to memory of 2952	5088	f41ab658351a04d98a8801b5ab4e98d9_JaffaCakes118.exe	82
PID 5088 wrote to memory of 2952	5088	f41ab658351a04d98a8801b5ab4e98d9_JaffaCakes118.exe	82
PID 2952 wrote to memory of 2664	2952	explorer.exe	83
PID 2952 wrote to memory of 2664	2952	explorer.exe	83
PID 2952 wrote to memory of 2664	2952	explorer.exe	83
PID 2952 wrote to memory of 2664	2952	explorer.exe	83
PID 2952 wrote to memory of 2664	2952	explorer.exe	83
PID 2952 wrote to memory of 2664	2952	explorer.exe	83
PID 2952 wrote to memory of 2664	2952	explorer.exe	83
PID 2952 wrote to memory of 2664	2952	explorer.exe	83
PID 2952 wrote to memory of 5056	2952	explorer.exe	84
PID 2952 wrote to memory of 5056	2952	explorer.exe	84
PID 2952 wrote to memory of 5056	2952	explorer.exe	84
PID 5056 wrote to memory of 1468	5056	nvxdsinc.exe	85
PID 5056 wrote to memory of 1468	5056	nvxdsinc.exe	85
PID 5056 wrote to memory of 1468	5056	nvxdsinc.exe	85
PID 1468 wrote to memory of 1208	1468	nwtray.exe	86
PID 1468 wrote to memory of 1208	1468	nwtray.exe	86
PID 1468 wrote to memory of 1208	1468	nwtray.exe	86
PID 1468 wrote to memory of 1208	1468	nwtray.exe	86
PID 1468 wrote to memory of 1208	1468	nwtray.exe	86
PID 1468 wrote to memory of 1208	1468	nwtray.exe	86
PID 1468 wrote to memory of 1208	1468	nwtray.exe	86
PID 1468 wrote to memory of 1208	1468	nwtray.exe	86

C:\Users\Admin\AppData\Local\Temp\f41ab658351a04d98a8801b5ab4e98d9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f41ab658351a04d98a8801b5ab4e98d9_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2664
- - C:\Users\Admin\AppData\Local\Temp\System\nvxdsinc.exe
    "C:\Users\Admin\AppData\Local\Temp\System\nvxdsinc.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5056
  - - C:\Users\Admin\AppData\Local\Temp\System\nwtray.exe
      "C:\Users\Admin\AppData\Local\Temp\System\nwtray.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1468
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
84B

MD5
ab636fd14155666b8d2d9a9f28299d18

SHA1
d1fe07feb89d33e9d2cb485424fb18b053aab59d

SHA256
fa6e1c8a49cc3bee6164ef4d9dc9dc29c7c77344061ee5278183733196fa7bf2

SHA512
4321edced81f70bb406ada4c6e3a33d0114075e8d49211165b3dd231a9afa5cf57207bef1a31557a5d750e47d8b95a8e76f7e0f45e438e3b8fb31f69c9b2bcff

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\nvxdsinc.exe

Filesize
39KB

MD5
38abcaec6ee62213f90b1717d830a1bb

SHA1
d8f5849d0d3f4ccc0dfb66a9a4a0442ac66a31b9

SHA256
6fee9a2c70b2cc48b0812f7cb2e09497c9c90941976f430a8f8279ad3c787768

SHA512
77eaabcbc6f7a3835b6220d72c4b1cae82d2125ea971907e33b15ceeede7e4da0741c6e63e988bd782ed6eb72ad3cbcba10ea83919eafd9b95d612c43a735274

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
406KB

MD5
f41ab658351a04d98a8801b5ab4e98d9

SHA1
e431926631829cbea065d53028a707bf477a5c49

SHA256
d606f82a6f0d3c831cbe557bc5ecc578d12e76c419596dac936dbc9954adf9e9

SHA512
764b857080b0d17c0eac836dd1ed70eb587286242e0a287cad0e33112c0dc9eb143bbab8dfdf022e1aa6e388efad0d4879e14b27ca7e4def89ea9507bbf847f3

Download Submit
memory/2664-25-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2664-28-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2664-26-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2664-27-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2664-29-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/2664-21-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2664-22-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2664-23-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2664-24-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2952-15-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/2952-14-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/2952-48-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/5088-0-0x0000000074932000-0x0000000074933000-memory.dmp

Filesize
4KB

Download
memory/5088-13-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/5088-2-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/5088-1-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download