darkcomet | 8728e662f0d64c3f93ce0e58d5828ebae0dbd909de1a4f28894f2fee30b72f21

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08/10/2024, 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25551cee9ff2bdf1dac8e1055dd032a9_JaffaCakes118.exe
Size

473KB
MD5

25551cee9ff2bdf1dac8e1055dd032a9
SHA1

9d70aed23a2433ffe75da99901773e9b8e4c21d8
SHA256

8728e662f0d64c3f93ce0e58d5828ebae0dbd909de1a4f28894f2fee30b72f21
SHA512

137771d652bb8a4b402253f76c8a3721e919904bb79b771af58bd2af9dd7321236e6987a92d7309a3f616c4d5762f179c02be612b32452a6367cb8df4845570c
SSDEEP

12288:YxJUrEfN7kCrIDiTtmW3V6Cjuhiat2h1vDSNqCNQ7/:iJgE17Satm8AKUiLhdDSpe7/

Score

10^/10

darkcomet guest16 discovery evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

127.0.0.1:1604

192.168.1.38:1604

Mutex

DC_MUTEX-RJ267FP

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
BU2uq8phh1yH
install
true
offline_keylogger
true
persistence
false
reg_key
skype.exe

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	svv.exe

Modifies firewall policy service 3 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	msdcsc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	msdcsc.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2352	attrib.exe
4712	attrib.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	25551cee9ff2bdf1dac8e1055dd032a9_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	svv.exe

Executes dropped EXE 2 IoCs

pid	Process
4000	svv.exe
960	msdcsc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\skype.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	svv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	25551cee9ff2bdf1dac8e1055dd032a9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	svv.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
960	msdcsc.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4000	svv.exe
Token: SeSecurityPrivilege	4000	svv.exe
Token: SeTakeOwnershipPrivilege	4000	svv.exe
Token: SeLoadDriverPrivilege	4000	svv.exe
Token: SeSystemProfilePrivilege	4000	svv.exe
Token: SeSystemtimePrivilege	4000	svv.exe
Token: SeProfSingleProcessPrivilege	4000	svv.exe
Token: SeIncBasePriorityPrivilege	4000	svv.exe
Token: SeCreatePagefilePrivilege	4000	svv.exe
Token: SeBackupPrivilege	4000	svv.exe
Token: SeRestorePrivilege	4000	svv.exe
Token: SeShutdownPrivilege	4000	svv.exe
Token: SeDebugPrivilege	4000	svv.exe
Token: SeSystemEnvironmentPrivilege	4000	svv.exe
Token: SeChangeNotifyPrivilege	4000	svv.exe
Token: SeRemoteShutdownPrivilege	4000	svv.exe
Token: SeUndockPrivilege	4000	svv.exe
Token: SeManageVolumePrivilege	4000	svv.exe
Token: SeImpersonatePrivilege	4000	svv.exe
Token: SeCreateGlobalPrivilege	4000	svv.exe
Token: 33	4000	svv.exe
Token: 34	4000	svv.exe
Token: 35	4000	svv.exe
Token: 36	4000	svv.exe
Token: SeIncreaseQuotaPrivilege	960	msdcsc.exe
Token: SeSecurityPrivilege	960	msdcsc.exe
Token: SeTakeOwnershipPrivilege	960	msdcsc.exe
Token: SeLoadDriverPrivilege	960	msdcsc.exe
Token: SeSystemProfilePrivilege	960	msdcsc.exe
Token: SeSystemtimePrivilege	960	msdcsc.exe
Token: SeProfSingleProcessPrivilege	960	msdcsc.exe
Token: SeIncBasePriorityPrivilege	960	msdcsc.exe
Token: SeCreatePagefilePrivilege	960	msdcsc.exe
Token: SeBackupPrivilege	960	msdcsc.exe
Token: SeRestorePrivilege	960	msdcsc.exe
Token: SeShutdownPrivilege	960	msdcsc.exe
Token: SeDebugPrivilege	960	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	960	msdcsc.exe
Token: SeChangeNotifyPrivilege	960	msdcsc.exe
Token: SeRemoteShutdownPrivilege	960	msdcsc.exe
Token: SeUndockPrivilege	960	msdcsc.exe
Token: SeManageVolumePrivilege	960	msdcsc.exe
Token: SeImpersonatePrivilege	960	msdcsc.exe
Token: SeCreateGlobalPrivilege	960	msdcsc.exe
Token: 33	960	msdcsc.exe
Token: 34	960	msdcsc.exe
Token: 35	960	msdcsc.exe
Token: 36	960	msdcsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
960	msdcsc.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 4000	4740	25551cee9ff2bdf1dac8e1055dd032a9_JaffaCakes118.exe	85
PID 4740 wrote to memory of 4000	4740	25551cee9ff2bdf1dac8e1055dd032a9_JaffaCakes118.exe	85
PID 4740 wrote to memory of 4000	4740	25551cee9ff2bdf1dac8e1055dd032a9_JaffaCakes118.exe	85
PID 4000 wrote to memory of 1444	4000	svv.exe	86
PID 4000 wrote to memory of 1444	4000	svv.exe	86
PID 4000 wrote to memory of 1444	4000	svv.exe	86
PID 4000 wrote to memory of 1504	4000	svv.exe	87
PID 4000 wrote to memory of 1504	4000	svv.exe	87
PID 4000 wrote to memory of 1504	4000	svv.exe	87
PID 1444 wrote to memory of 4712	1444	cmd.exe	91
PID 1444 wrote to memory of 4712	1444	cmd.exe	91
PID 1444 wrote to memory of 4712	1444	cmd.exe	91
PID 1504 wrote to memory of 2352	1504	cmd.exe	92
PID 1504 wrote to memory of 2352	1504	cmd.exe	92
PID 1504 wrote to memory of 2352	1504	cmd.exe	92
PID 4000 wrote to memory of 960	4000	svv.exe	93
PID 4000 wrote to memory of 960	4000	svv.exe	93
PID 4000 wrote to memory of 960	4000	svv.exe	93
PID 960 wrote to memory of 432	960	msdcsc.exe	94
PID 960 wrote to memory of 432	960	msdcsc.exe	94
PID 960 wrote to memory of 432	960	msdcsc.exe	94
PID 960 wrote to memory of 432	960	msdcsc.exe	94
PID 960 wrote to memory of 432	960	msdcsc.exe	94
PID 960 wrote to memory of 432	960	msdcsc.exe	94
PID 960 wrote to memory of 432	960	msdcsc.exe	94
PID 960 wrote to memory of 432	960	msdcsc.exe	94
PID 960 wrote to memory of 432	960	msdcsc.exe	94
PID 960 wrote to memory of 432	960	msdcsc.exe	94
PID 960 wrote to memory of 432	960	msdcsc.exe	94
PID 960 wrote to memory of 432	960	msdcsc.exe	94
PID 960 wrote to memory of 432	960	msdcsc.exe	94
PID 960 wrote to memory of 432	960	msdcsc.exe	94
PID 960 wrote to memory of 432	960	msdcsc.exe	94
PID 960 wrote to memory of 432	960	msdcsc.exe	94
PID 960 wrote to memory of 432	960	msdcsc.exe	94
PID 960 wrote to memory of 432	960	msdcsc.exe	94
PID 960 wrote to memory of 432	960	msdcsc.exe	94
PID 960 wrote to memory of 432	960	msdcsc.exe	94
PID 960 wrote to memory of 432	960	msdcsc.exe	94
PID 960 wrote to memory of 432	960	msdcsc.exe	94

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2352	attrib.exe
4712	attrib.exe

C:\Users\Admin\AppData\Local\Temp\25551cee9ff2bdf1dac8e1055dd032a9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\25551cee9ff2bdf1dac8e1055dd032a9_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Users\Admin\AppData\Local\Temp\svv.exe
  "C:\Users\Admin\AppData\Local\Temp\svv.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4000
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\svv.exe" +s +h
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1444
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp\svv.exe" +s +h
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:4712
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1504
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2352
- - C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
    3⤵
    - Modifies firewall policy service
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:960
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      System Location Discovery: System Language Discovery
      PID:432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svv.exe

Filesize
658KB

MD5
d5a6aa6ca3acfbcb1848c01593e7b9b6

SHA1
50918013232fd7a310af7582dde86bf3b94118f8

SHA256
c6da2cb743f869bb5a120761b43ad7560d46fc1a79bb1817f9ee39dcaf9b0020

SHA512
27f0d13a880b7d5954dc80e234fa26f134b0ecdf90a403b25b76a1d0dc796c2f8f20aba76d3bc998138f837cd6e17f465ea9da8c45201e6631b2d0831892bb43

Download Submit
memory/432-73-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/960-75-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4000-12-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/4000-74-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads