darkcomet | 8728e662f0d64c3f93ce0e58d5828ebae0dbd909de1a4f28894f2fee30b72f21

Analysis

max time kernel
150s
max time network
156s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/10/2024, 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25551cee9ff2bdf1dac8e1055dd032a9_JaffaCakes118.exe
Size

473KB
MD5

25551cee9ff2bdf1dac8e1055dd032a9
SHA1

9d70aed23a2433ffe75da99901773e9b8e4c21d8
SHA256

8728e662f0d64c3f93ce0e58d5828ebae0dbd909de1a4f28894f2fee30b72f21
SHA512

137771d652bb8a4b402253f76c8a3721e919904bb79b771af58bd2af9dd7321236e6987a92d7309a3f616c4d5762f179c02be612b32452a6367cb8df4845570c
SSDEEP

12288:YxJUrEfN7kCrIDiTtmW3V6Cjuhiat2h1vDSNqCNQ7/:iJgE17Satm8AKUiLhdDSpe7/

Score

10^/10

darkcomet guest16 discovery evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

127.0.0.1:1604

192.168.1.38:1604

Mutex

DC_MUTEX-RJ267FP

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
BU2uq8phh1yH
install
true
offline_keylogger
true
persistence
false
reg_key
skype.exe

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	svv.exe

Modifies firewall policy service 3 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	msdcsc.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2644	attrib.exe
2704	attrib.exe

Executes dropped EXE 2 IoCs

pid	Process
2292	svv.exe
472	msdcsc.exe

Loads dropped DLL 4 IoCs

pid	Process
2952	25551cee9ff2bdf1dac8e1055dd032a9_JaffaCakes118.exe
2952	25551cee9ff2bdf1dac8e1055dd032a9_JaffaCakes118.exe
2292	svv.exe
2292	svv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\skype.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	svv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	25551cee9ff2bdf1dac8e1055dd032a9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
472	msdcsc.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2292	svv.exe
Token: SeSecurityPrivilege	2292	svv.exe
Token: SeTakeOwnershipPrivilege	2292	svv.exe
Token: SeLoadDriverPrivilege	2292	svv.exe
Token: SeSystemProfilePrivilege	2292	svv.exe
Token: SeSystemtimePrivilege	2292	svv.exe
Token: SeProfSingleProcessPrivilege	2292	svv.exe
Token: SeIncBasePriorityPrivilege	2292	svv.exe
Token: SeCreatePagefilePrivilege	2292	svv.exe
Token: SeBackupPrivilege	2292	svv.exe
Token: SeRestorePrivilege	2292	svv.exe
Token: SeShutdownPrivilege	2292	svv.exe
Token: SeDebugPrivilege	2292	svv.exe
Token: SeSystemEnvironmentPrivilege	2292	svv.exe
Token: SeChangeNotifyPrivilege	2292	svv.exe
Token: SeRemoteShutdownPrivilege	2292	svv.exe
Token: SeUndockPrivilege	2292	svv.exe
Token: SeManageVolumePrivilege	2292	svv.exe
Token: SeImpersonatePrivilege	2292	svv.exe
Token: SeCreateGlobalPrivilege	2292	svv.exe
Token: 33	2292	svv.exe
Token: 34	2292	svv.exe
Token: 35	2292	svv.exe
Token: SeIncreaseQuotaPrivilege	472	msdcsc.exe
Token: SeSecurityPrivilege	472	msdcsc.exe
Token: SeTakeOwnershipPrivilege	472	msdcsc.exe
Token: SeLoadDriverPrivilege	472	msdcsc.exe
Token: SeSystemProfilePrivilege	472	msdcsc.exe
Token: SeSystemtimePrivilege	472	msdcsc.exe
Token: SeProfSingleProcessPrivilege	472	msdcsc.exe
Token: SeIncBasePriorityPrivilege	472	msdcsc.exe
Token: SeCreatePagefilePrivilege	472	msdcsc.exe
Token: SeBackupPrivilege	472	msdcsc.exe
Token: SeRestorePrivilege	472	msdcsc.exe
Token: SeShutdownPrivilege	472	msdcsc.exe
Token: SeDebugPrivilege	472	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	472	msdcsc.exe
Token: SeChangeNotifyPrivilege	472	msdcsc.exe
Token: SeRemoteShutdownPrivilege	472	msdcsc.exe
Token: SeUndockPrivilege	472	msdcsc.exe
Token: SeManageVolumePrivilege	472	msdcsc.exe
Token: SeImpersonatePrivilege	472	msdcsc.exe
Token: SeCreateGlobalPrivilege	472	msdcsc.exe
Token: 33	472	msdcsc.exe
Token: 34	472	msdcsc.exe
Token: 35	472	msdcsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
472	msdcsc.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 2292	2952	25551cee9ff2bdf1dac8e1055dd032a9_JaffaCakes118.exe	29
PID 2952 wrote to memory of 2292	2952	25551cee9ff2bdf1dac8e1055dd032a9_JaffaCakes118.exe	29
PID 2952 wrote to memory of 2292	2952	25551cee9ff2bdf1dac8e1055dd032a9_JaffaCakes118.exe	29
PID 2952 wrote to memory of 2292	2952	25551cee9ff2bdf1dac8e1055dd032a9_JaffaCakes118.exe	29
PID 2292 wrote to memory of 2880	2292	svv.exe	30
PID 2292 wrote to memory of 2880	2292	svv.exe	30
PID 2292 wrote to memory of 2880	2292	svv.exe	30
PID 2292 wrote to memory of 2880	2292	svv.exe	30
PID 2292 wrote to memory of 3032	2292	svv.exe	31
PID 2292 wrote to memory of 3032	2292	svv.exe	31
PID 2292 wrote to memory of 3032	2292	svv.exe	31
PID 2292 wrote to memory of 3032	2292	svv.exe	31
PID 2880 wrote to memory of 2644	2880	cmd.exe	34
PID 2880 wrote to memory of 2644	2880	cmd.exe	34
PID 2880 wrote to memory of 2644	2880	cmd.exe	34
PID 2880 wrote to memory of 2644	2880	cmd.exe	34
PID 3032 wrote to memory of 2704	3032	cmd.exe	35
PID 3032 wrote to memory of 2704	3032	cmd.exe	35
PID 3032 wrote to memory of 2704	3032	cmd.exe	35
PID 3032 wrote to memory of 2704	3032	cmd.exe	35
PID 2292 wrote to memory of 472	2292	svv.exe	36
PID 2292 wrote to memory of 472	2292	svv.exe	36
PID 2292 wrote to memory of 472	2292	svv.exe	36
PID 2292 wrote to memory of 472	2292	svv.exe	36
PID 472 wrote to memory of 2680	472	msdcsc.exe	37
PID 472 wrote to memory of 2680	472	msdcsc.exe	37
PID 472 wrote to memory of 2680	472	msdcsc.exe	37
PID 472 wrote to memory of 2680	472	msdcsc.exe	37
PID 472 wrote to memory of 2680	472	msdcsc.exe	37
PID 472 wrote to memory of 2680	472	msdcsc.exe	37
PID 472 wrote to memory of 2680	472	msdcsc.exe	37
PID 472 wrote to memory of 2680	472	msdcsc.exe	37
PID 472 wrote to memory of 2680	472	msdcsc.exe	37
PID 472 wrote to memory of 2680	472	msdcsc.exe	37
PID 472 wrote to memory of 2680	472	msdcsc.exe	37
PID 472 wrote to memory of 2680	472	msdcsc.exe	37
PID 472 wrote to memory of 2680	472	msdcsc.exe	37
PID 472 wrote to memory of 2680	472	msdcsc.exe	37
PID 472 wrote to memory of 2680	472	msdcsc.exe	37
PID 472 wrote to memory of 2680	472	msdcsc.exe	37
PID 472 wrote to memory of 2680	472	msdcsc.exe	37
PID 472 wrote to memory of 2680	472	msdcsc.exe	37
PID 472 wrote to memory of 2680	472	msdcsc.exe	37
PID 472 wrote to memory of 2680	472	msdcsc.exe	37
PID 472 wrote to memory of 2680	472	msdcsc.exe	37
PID 472 wrote to memory of 2680	472	msdcsc.exe	37
PID 472 wrote to memory of 2680	472	msdcsc.exe	37

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2644	attrib.exe
2704	attrib.exe

C:\Users\Admin\AppData\Local\Temp\25551cee9ff2bdf1dac8e1055dd032a9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\25551cee9ff2bdf1dac8e1055dd032a9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Users\Admin\AppData\Local\Temp\svv.exe
  "C:\Users\Admin\AppData\Local\Temp\svv.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\svv.exe" +s +h
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp\svv.exe" +s +h
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2644
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2704
- - C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
    3⤵
    - Modifies firewall policy service
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:472
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      System Location Discovery: System Language Discovery
      PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\svv.exe

Filesize
658KB

MD5
d5a6aa6ca3acfbcb1848c01593e7b9b6

SHA1
50918013232fd7a310af7582dde86bf3b94118f8

SHA256
c6da2cb743f869bb5a120761b43ad7560d46fc1a79bb1817f9ee39dcaf9b0020

SHA512
27f0d13a880b7d5954dc80e234fa26f134b0ecdf90a403b25b76a1d0dc796c2f8f20aba76d3bc998138f837cd6e17f465ea9da8c45201e6631b2d0831892bb43

Download Submit
memory/472-63-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/472-67-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/472-69-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/472-72-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2292-10-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2292-62-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2680-61-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2680-23-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads