darkcomet | 16e9f95080e6f35658f782bfb345b38c96b9024d199e2f5d8f3bb64c1f92132b

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26-09-2024 09:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe
Size

350KB
MD5

f812781d21e870d00e5e4fc7df650d84
SHA1

d4db4e81beab1b328f1a8056afc047102795e6f6
SHA256

16e9f95080e6f35658f782bfb345b38c96b9024d199e2f5d8f3bb64c1f92132b
SHA512

5ee6296e66e43ab2452ab0b49c96ab1adda6552cb50b4c54b20d7c00bbab0915e6ad72ad80d071ffa64d6f319e9bf876f2619f76bedebb3eb29031dbd3b491df
SSDEEP

6144:FMI/jlS4kCwHL76nz9Q3uR5LTYYBIsHHlZsDLDv:FMQlS9Cwr79uLLTvBIYFZKvv

Score

10^/10

darkcomet rat discovery evasion persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

RAT

shobolozaur.zapto.org:1604

Mutex

DC_MUTEX-F9SDENS

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
8ldVUuvAZfED
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2832	attrib.exe
2632	attrib.exe

Executes dropped EXE 1 IoCs

pid	Process
2176	msdcsc.exe

Loads dropped DLL 2 IoCs

pid	Process
2624	f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe
2624	f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2176 set thread context of 2696	2176	msdcsc.exe	37

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2624-0-0x0000000000400000-0x00000000004EA000-memory.dmp	upx
behavioral1/files/0x00080000000164b1-5.dat	upx
behavioral1/memory/2624-13-0x0000000000400000-0x00000000004EA000-memory.dmp	upx
behavioral1/memory/2624-12-0x0000000003800000-0x00000000038EA000-memory.dmp	upx
behavioral1/memory/2176-19-0x0000000000400000-0x00000000004EA000-memory.dmp	upx
behavioral1/memory/2696-17-0x0000000000400000-0x00000000004EA000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2624	f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe
Token: SeSecurityPrivilege	2624	f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2624	f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2624	f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2624	f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2624	f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2624	f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2624	f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2624	f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe
Token: SeBackupPrivilege	2624	f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe
Token: SeRestorePrivilege	2624	f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe
Token: SeShutdownPrivilege	2624	f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe
Token: SeDebugPrivilege	2624	f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2624	f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2624	f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2624	f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe
Token: SeUndockPrivilege	2624	f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2624	f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2624	f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2624	f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe
Token: 33	2624	f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe
Token: 34	2624	f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe
Token: 35	2624	f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2176	msdcsc.exe
Token: SeSecurityPrivilege	2176	msdcsc.exe
Token: SeTakeOwnershipPrivilege	2176	msdcsc.exe
Token: SeLoadDriverPrivilege	2176	msdcsc.exe
Token: SeSystemProfilePrivilege	2176	msdcsc.exe
Token: SeSystemtimePrivilege	2176	msdcsc.exe
Token: SeProfSingleProcessPrivilege	2176	msdcsc.exe
Token: SeIncBasePriorityPrivilege	2176	msdcsc.exe
Token: SeCreatePagefilePrivilege	2176	msdcsc.exe
Token: SeBackupPrivilege	2176	msdcsc.exe
Token: SeRestorePrivilege	2176	msdcsc.exe
Token: SeShutdownPrivilege	2176	msdcsc.exe
Token: SeDebugPrivilege	2176	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	2176	msdcsc.exe
Token: SeChangeNotifyPrivilege	2176	msdcsc.exe
Token: SeRemoteShutdownPrivilege	2176	msdcsc.exe
Token: SeUndockPrivilege	2176	msdcsc.exe
Token: SeManageVolumePrivilege	2176	msdcsc.exe
Token: SeImpersonatePrivilege	2176	msdcsc.exe
Token: SeCreateGlobalPrivilege	2176	msdcsc.exe
Token: 33	2176	msdcsc.exe
Token: 34	2176	msdcsc.exe
Token: 35	2176	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	2696	iexplore.exe
Token: SeSecurityPrivilege	2696	iexplore.exe
Token: SeTakeOwnershipPrivilege	2696	iexplore.exe
Token: SeLoadDriverPrivilege	2696	iexplore.exe
Token: SeSystemProfilePrivilege	2696	iexplore.exe
Token: SeSystemtimePrivilege	2696	iexplore.exe
Token: SeProfSingleProcessPrivilege	2696	iexplore.exe
Token: SeIncBasePriorityPrivilege	2696	iexplore.exe
Token: SeCreatePagefilePrivilege	2696	iexplore.exe
Token: SeBackupPrivilege	2696	iexplore.exe
Token: SeRestorePrivilege	2696	iexplore.exe
Token: SeShutdownPrivilege	2696	iexplore.exe
Token: SeDebugPrivilege	2696	iexplore.exe
Token: SeSystemEnvironmentPrivilege	2696	iexplore.exe
Token: SeChangeNotifyPrivilege	2696	iexplore.exe
Token: SeRemoteShutdownPrivilege	2696	iexplore.exe
Token: SeUndockPrivilege	2696	iexplore.exe
Token: SeManageVolumePrivilege	2696	iexplore.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 2792	2624	f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe	30
PID 2624 wrote to memory of 2792	2624	f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe	30
PID 2624 wrote to memory of 2792	2624	f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe	30
PID 2624 wrote to memory of 2792	2624	f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe	30
PID 2624 wrote to memory of 2768	2624	f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe	32
PID 2624 wrote to memory of 2768	2624	f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe	32
PID 2624 wrote to memory of 2768	2624	f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe	32
PID 2624 wrote to memory of 2768	2624	f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe	32
PID 2624 wrote to memory of 2176	2624	f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe	34
PID 2624 wrote to memory of 2176	2624	f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe	34
PID 2624 wrote to memory of 2176	2624	f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe	34
PID 2624 wrote to memory of 2176	2624	f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe	34
PID 2768 wrote to memory of 2632	2768	cmd.exe	35
PID 2768 wrote to memory of 2632	2768	cmd.exe	35
PID 2768 wrote to memory of 2632	2768	cmd.exe	35
PID 2768 wrote to memory of 2632	2768	cmd.exe	35
PID 2792 wrote to memory of 2832	2792	cmd.exe	36
PID 2792 wrote to memory of 2832	2792	cmd.exe	36
PID 2792 wrote to memory of 2832	2792	cmd.exe	36
PID 2792 wrote to memory of 2832	2792	cmd.exe	36
PID 2176 wrote to memory of 2696	2176	msdcsc.exe	37
PID 2176 wrote to memory of 2696	2176	msdcsc.exe	37
PID 2176 wrote to memory of 2696	2176	msdcsc.exe	37
PID 2176 wrote to memory of 2696	2176	msdcsc.exe	37
PID 2176 wrote to memory of 2696	2176	msdcsc.exe	37
PID 2176 wrote to memory of 2696	2176	msdcsc.exe	37

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2832	attrib.exe
2632	attrib.exe

C:\Users\Admin\AppData\Local\Temp\f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe" +s +h
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe" +s +h
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2832
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2632
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
350KB

MD5
f812781d21e870d00e5e4fc7df650d84

SHA1
d4db4e81beab1b328f1a8056afc047102795e6f6

SHA256
16e9f95080e6f35658f782bfb345b38c96b9024d199e2f5d8f3bb64c1f92132b

SHA512
5ee6296e66e43ab2452ab0b49c96ab1adda6552cb50b4c54b20d7c00bbab0915e6ad72ad80d071ffa64d6f319e9bf876f2619f76bedebb3eb29031dbd3b491df

Download Submit
memory/2176-15-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2176-19-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2624-0-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2624-1-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2624-13-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2624-12-0x0000000003800000-0x00000000038EA000-memory.dmp

Filesize
936KB

Download
memory/2696-17-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads