darkcomet | 95554e8e6edc65860feed3b2976ac5e6d6e71ef28034449df8e536e775f10ca5

Analysis

max time kernel
149s
max time network
142s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11-10-2024 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

363ccdf350127f4e09240812b7f8a4aa_JaffaCakes118.exe
Size

734KB
MD5

363ccdf350127f4e09240812b7f8a4aa
SHA1

c8f6ba9604fefb453e16bf3a696c306c3c420f2d
SHA256

95554e8e6edc65860feed3b2976ac5e6d6e71ef28034449df8e536e775f10ca5
SHA512

643dfd3f1af1936980c4595ea11ceae5eba2bb4ab604c504aead7b446b03b6203f99f05df1f999980120247008db91cbc3194dfdd31e2a669db6b2e1fc44e2b1
SSDEEP

12288:JaXTluCLVHtas59KjOGquDN6cDrdUdSZbcrqSeV5J9otAEPL:4XxbJN39KaGt9DxU0ZbcWj9oiA

Score

10^/10

darkcomet hawkeye discovery keylogger persistence rat spyware stealer trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

Deletes itself 1 IoCs

pid	Process
1668	explorer.exe

Executes dropped EXE 5 IoCs

pid	Process
1668	explorer.exe
2812	explorer.exe
2848	ntvdmd.exe
2556	UccApi.exe
2636	UccApi.exe

Loads dropped DLL 7 IoCs

pid	Process
2640	363ccdf350127f4e09240812b7f8a4aa_JaffaCakes118.exe
2640	363ccdf350127f4e09240812b7f8a4aa_JaffaCakes118.exe
1668	explorer.exe
1668	explorer.exe
2848	ntvdmd.exe
2848	ntvdmd.exe
2556	UccApi.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\© Microsoft Real Time Media Stack = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\ntvdmd.exe"	ntvdmd.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1668 set thread context of 2812	1668	explorer.exe	31
PID 2556 set thread context of 2636	2556	UccApi.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	363ccdf350127f4e09240812b7f8a4aa_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ntvdmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UccApi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UccApi.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1668	explorer.exe
2848	ntvdmd.exe
2556	UccApi.exe
1668	explorer.exe
2848	ntvdmd.exe
2556	UccApi.exe
1668	explorer.exe
2848	ntvdmd.exe
2556	UccApi.exe
1668	explorer.exe
2848	ntvdmd.exe
2556	UccApi.exe
1668	explorer.exe
2848	ntvdmd.exe
2556	UccApi.exe
1668	explorer.exe
2848	ntvdmd.exe
2556	UccApi.exe
1668	explorer.exe
2848	ntvdmd.exe
2556	UccApi.exe
1668	explorer.exe
2848	ntvdmd.exe
2556	UccApi.exe
1668	explorer.exe
2848	ntvdmd.exe
2556	UccApi.exe
1668	explorer.exe
2848	ntvdmd.exe
2556	UccApi.exe
1668	explorer.exe
2848	ntvdmd.exe
2556	UccApi.exe
1668	explorer.exe
2848	ntvdmd.exe
2556	UccApi.exe
1668	explorer.exe
2848	ntvdmd.exe
2556	UccApi.exe
1668	explorer.exe
2848	ntvdmd.exe
2556	UccApi.exe
1668	explorer.exe
2848	ntvdmd.exe
2556	UccApi.exe
1668	explorer.exe
2848	ntvdmd.exe
2556	UccApi.exe
1668	explorer.exe
2848	ntvdmd.exe
2556	UccApi.exe
1668	explorer.exe
2848	ntvdmd.exe
2556	UccApi.exe
1668	explorer.exe
2848	ntvdmd.exe
2556	UccApi.exe
1668	explorer.exe
2848	ntvdmd.exe
2556	UccApi.exe
1668	explorer.exe
2848	ntvdmd.exe
2556	UccApi.exe
1668	explorer.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	2640	363ccdf350127f4e09240812b7f8a4aa_JaffaCakes118.exe
Token: SeDebugPrivilege	1668	explorer.exe
Token: SeIncreaseQuotaPrivilege	2812	explorer.exe
Token: SeSecurityPrivilege	2812	explorer.exe
Token: SeTakeOwnershipPrivilege	2812	explorer.exe
Token: SeLoadDriverPrivilege	2812	explorer.exe
Token: SeSystemProfilePrivilege	2812	explorer.exe
Token: SeSystemtimePrivilege	2812	explorer.exe
Token: SeProfSingleProcessPrivilege	2812	explorer.exe
Token: SeIncBasePriorityPrivilege	2812	explorer.exe
Token: SeCreatePagefilePrivilege	2812	explorer.exe
Token: SeBackupPrivilege	2812	explorer.exe
Token: SeRestorePrivilege	2812	explorer.exe
Token: SeShutdownPrivilege	2812	explorer.exe
Token: SeDebugPrivilege	2812	explorer.exe
Token: SeSystemEnvironmentPrivilege	2812	explorer.exe
Token: SeChangeNotifyPrivilege	2812	explorer.exe
Token: SeRemoteShutdownPrivilege	2812	explorer.exe
Token: SeUndockPrivilege	2812	explorer.exe
Token: SeManageVolumePrivilege	2812	explorer.exe
Token: SeImpersonatePrivilege	2812	explorer.exe
Token: SeCreateGlobalPrivilege	2812	explorer.exe
Token: 33	2812	explorer.exe
Token: 34	2812	explorer.exe
Token: 35	2812	explorer.exe
Token: SeDebugPrivilege	2848	ntvdmd.exe
Token: SeDebugPrivilege	2556	UccApi.exe
Token: SeIncreaseQuotaPrivilege	2636	UccApi.exe
Token: SeSecurityPrivilege	2636	UccApi.exe
Token: SeTakeOwnershipPrivilege	2636	UccApi.exe
Token: SeLoadDriverPrivilege	2636	UccApi.exe
Token: SeSystemProfilePrivilege	2636	UccApi.exe
Token: SeSystemtimePrivilege	2636	UccApi.exe
Token: SeProfSingleProcessPrivilege	2636	UccApi.exe
Token: SeIncBasePriorityPrivilege	2636	UccApi.exe
Token: SeCreatePagefilePrivilege	2636	UccApi.exe
Token: SeBackupPrivilege	2636	UccApi.exe
Token: SeRestorePrivilege	2636	UccApi.exe
Token: SeShutdownPrivilege	2636	UccApi.exe
Token: SeDebugPrivilege	2636	UccApi.exe
Token: SeSystemEnvironmentPrivilege	2636	UccApi.exe
Token: SeChangeNotifyPrivilege	2636	UccApi.exe
Token: SeRemoteShutdownPrivilege	2636	UccApi.exe
Token: SeUndockPrivilege	2636	UccApi.exe
Token: SeManageVolumePrivilege	2636	UccApi.exe
Token: SeImpersonatePrivilege	2636	UccApi.exe
Token: SeCreateGlobalPrivilege	2636	UccApi.exe
Token: 33	2636	UccApi.exe
Token: 34	2636	UccApi.exe
Token: 35	2636	UccApi.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2812	explorer.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 1668	2640	363ccdf350127f4e09240812b7f8a4aa_JaffaCakes118.exe	30
PID 2640 wrote to memory of 1668	2640	363ccdf350127f4e09240812b7f8a4aa_JaffaCakes118.exe	30
PID 2640 wrote to memory of 1668	2640	363ccdf350127f4e09240812b7f8a4aa_JaffaCakes118.exe	30
PID 2640 wrote to memory of 1668	2640	363ccdf350127f4e09240812b7f8a4aa_JaffaCakes118.exe	30
PID 1668 wrote to memory of 2812	1668	explorer.exe	31
PID 1668 wrote to memory of 2812	1668	explorer.exe	31
PID 1668 wrote to memory of 2812	1668	explorer.exe	31
PID 1668 wrote to memory of 2812	1668	explorer.exe	31
PID 1668 wrote to memory of 2812	1668	explorer.exe	31
PID 1668 wrote to memory of 2812	1668	explorer.exe	31
PID 1668 wrote to memory of 2812	1668	explorer.exe	31
PID 1668 wrote to memory of 2812	1668	explorer.exe	31
PID 1668 wrote to memory of 2812	1668	explorer.exe	31
PID 1668 wrote to memory of 2812	1668	explorer.exe	31
PID 1668 wrote to memory of 2812	1668	explorer.exe	31
PID 1668 wrote to memory of 2812	1668	explorer.exe	31
PID 1668 wrote to memory of 2812	1668	explorer.exe	31
PID 1668 wrote to memory of 2848	1668	explorer.exe	32
PID 1668 wrote to memory of 2848	1668	explorer.exe	32
PID 1668 wrote to memory of 2848	1668	explorer.exe	32
PID 1668 wrote to memory of 2848	1668	explorer.exe	32
PID 2848 wrote to memory of 2556	2848	ntvdmd.exe	33
PID 2848 wrote to memory of 2556	2848	ntvdmd.exe	33
PID 2848 wrote to memory of 2556	2848	ntvdmd.exe	33
PID 2848 wrote to memory of 2556	2848	ntvdmd.exe	33
PID 2556 wrote to memory of 2636	2556	UccApi.exe	34
PID 2556 wrote to memory of 2636	2556	UccApi.exe	34
PID 2556 wrote to memory of 2636	2556	UccApi.exe	34
PID 2556 wrote to memory of 2636	2556	UccApi.exe	34
PID 2556 wrote to memory of 2636	2556	UccApi.exe	34
PID 2556 wrote to memory of 2636	2556	UccApi.exe	34
PID 2556 wrote to memory of 2636	2556	UccApi.exe	34
PID 2556 wrote to memory of 2636	2556	UccApi.exe	34
PID 2556 wrote to memory of 2636	2556	UccApi.exe	34
PID 2556 wrote to memory of 2636	2556	UccApi.exe	34
PID 2556 wrote to memory of 2636	2556	UccApi.exe	34
PID 2556 wrote to memory of 2636	2556	UccApi.exe	34
PID 2556 wrote to memory of 2636	2556	UccApi.exe	34

C:\Users\Admin\AppData\Local\Temp\363ccdf350127f4e09240812b7f8a4aa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\363ccdf350127f4e09240812b7f8a4aa_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2812
- - C:\Users\Admin\AppData\Local\Temp\System\ntvdmd.exe
    "C:\Users\Admin\AppData\Local\Temp\System\ntvdmd.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Users\Admin\AppData\Local\Temp\System\UccApi.exe
      "C:\Users\Admin\AppData\Local\Temp\System\UccApi.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2556
    - - C:\Users\Admin\AppData\Local\Temp\System\UccApi.exe
        
        C:\Users\Admin\AppData\Local\Temp\System\UccApi.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
84B

MD5
e7bd582f7edd2dded3c46333d4275b1b

SHA1
7a4c047e681369daf5fb69025b9188395d1919c2

SHA256
a97342051711cec6738b0463308532d034daa23a93988c97d057d9e2ada73937

SHA512
073474901d54516dcd37beab669f9756632166e7501131f482883cd32f1a1a758443b1c6fbb5dce11a65e1188d5947a5fcb2b4f9e082a81c3067c666beccdd4a

Download Submit
\Users\Admin\AppData\Local\Temp\System\ntvdmd.exe

Filesize
47KB

MD5
03c886af821f78c72b9f31a5ee9523bf

SHA1
00eb6757b298c1dbfd815672c4d66d88078f489f

SHA256
225e869ca14f2ce166871f218c9ff7161ebd25b8ea521a563194d40729318247

SHA512
d6d915b160019545ad77f62bf8aa25945fb142c105c2a0535c34139f83f2874412706d6be2e6d982a0a8f54caba2e4debf4446ede134c6c766510dbe942377f0

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
734KB

MD5
363ccdf350127f4e09240812b7f8a4aa

SHA1
c8f6ba9604fefb453e16bf3a696c306c3c420f2d

SHA256
95554e8e6edc65860feed3b2976ac5e6d6e71ef28034449df8e536e775f10ca5

SHA512
643dfd3f1af1936980c4595ea11ceae5eba2bb4ab604c504aead7b446b03b6203f99f05df1f999980120247008db91cbc3194dfdd31e2a669db6b2e1fc44e2b1

Download Submit
memory/1668-14-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download
memory/1668-15-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download
memory/1668-70-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download
memory/2636-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2640-0-0x0000000074631000-0x0000000074632000-memory.dmp

Filesize
4KB

Download
memory/2640-16-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download
memory/2640-1-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download
memory/2640-2-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download
memory/2812-71-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2812-31-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2812-38-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2812-22-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2812-28-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2812-44-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2812-43-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2812-34-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2812-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2812-37-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2812-30-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2812-42-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2812-26-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2812-24-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2812-29-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2812-27-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2812-36-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download