darkcomet | fa70c72f7416519343cb4735a521991c0e724f49fb81c252502213b4f5f21f45

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/10/2024, 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe
Size

1.3MB
MD5

3f3beb09e8db0b865e34d3bf4479819f
SHA1

a1b3d9ba90d8c62b2ce49d09ef31bcf496508139
SHA256

fa70c72f7416519343cb4735a521991c0e724f49fb81c252502213b4f5f21f45
SHA512

1373781d3aebc9ce843f62da4779f2b5b0aab1d0737cc873378dbbd54dce0d14db5f315d872ff2e4909dece0e8505d21de2d6f1f0977e3cd879c40bf5739d8b7
SSDEEP

24576:8RrAMRunfFDvZK982TYA77hLrJ7NBNrcZYkhCuRwTszBwbr:wrAMRutbZK9XRPlNwnPRwwC

Score

10^/10

darkcomet guest16 discovery rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

smart-bot.no-ip.org:1604

Mutex

DC_MUTEX-HECGC7P

Attributes

gencode
navSR3J1K6J8
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes1181.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes1181.exe

Executes dropped EXE 1 IoCs

pid	Process
2708	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes1181.exe

Loads dropped DLL 2 IoCs

pid	Process
1984	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe
1984	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1984 set thread context of 1192	1984	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe	30
PID 1192 set thread context of 2864	1192	vbc.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes1181.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1192	vbc.exe
Token: SeSecurityPrivilege	1192	vbc.exe
Token: SeTakeOwnershipPrivilege	1192	vbc.exe
Token: SeLoadDriverPrivilege	1192	vbc.exe
Token: SeSystemProfilePrivilege	1192	vbc.exe
Token: SeSystemtimePrivilege	1192	vbc.exe
Token: SeProfSingleProcessPrivilege	1192	vbc.exe
Token: SeIncBasePriorityPrivilege	1192	vbc.exe
Token: SeCreatePagefilePrivilege	1192	vbc.exe
Token: SeBackupPrivilege	1192	vbc.exe
Token: SeRestorePrivilege	1192	vbc.exe
Token: SeShutdownPrivilege	1192	vbc.exe
Token: SeDebugPrivilege	1192	vbc.exe
Token: SeSystemEnvironmentPrivilege	1192	vbc.exe
Token: SeChangeNotifyPrivilege	1192	vbc.exe
Token: SeRemoteShutdownPrivilege	1192	vbc.exe
Token: SeUndockPrivilege	1192	vbc.exe
Token: SeManageVolumePrivilege	1192	vbc.exe
Token: SeImpersonatePrivilege	1192	vbc.exe
Token: SeCreateGlobalPrivilege	1192	vbc.exe
Token: 33	1192	vbc.exe
Token: 34	1192	vbc.exe
Token: 35	1192	vbc.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 1192	1984	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe	30
PID 1984 wrote to memory of 1192	1984	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe	30
PID 1984 wrote to memory of 1192	1984	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe	30
PID 1984 wrote to memory of 1192	1984	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe	30
PID 1984 wrote to memory of 1192	1984	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe	30
PID 1984 wrote to memory of 1192	1984	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe	30
PID 1984 wrote to memory of 1192	1984	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe	30
PID 1984 wrote to memory of 1192	1984	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe	30
PID 1984 wrote to memory of 1192	1984	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe	30
PID 1984 wrote to memory of 1192	1984	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe	30
PID 1984 wrote to memory of 1192	1984	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe	30
PID 1984 wrote to memory of 1192	1984	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe	30
PID 1984 wrote to memory of 1192	1984	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe	30
PID 1984 wrote to memory of 2440	1984	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe	31
PID 1984 wrote to memory of 2440	1984	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe	31
PID 1984 wrote to memory of 2440	1984	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe	31
PID 1984 wrote to memory of 2440	1984	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe	31
PID 1192 wrote to memory of 2864	1192	vbc.exe	33
PID 1192 wrote to memory of 2864	1192	vbc.exe	33
PID 1192 wrote to memory of 2864	1192	vbc.exe	33
PID 1192 wrote to memory of 2864	1192	vbc.exe	33
PID 1192 wrote to memory of 2864	1192	vbc.exe	33
PID 1192 wrote to memory of 2864	1192	vbc.exe	33
PID 2440 wrote to memory of 2332	2440	vbc.exe	35
PID 2440 wrote to memory of 2332	2440	vbc.exe	35
PID 2440 wrote to memory of 2332	2440	vbc.exe	35
PID 2440 wrote to memory of 2332	2440	vbc.exe	35
PID 1984 wrote to memory of 2708	1984	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe	36
PID 1984 wrote to memory of 2708	1984	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe	36
PID 1984 wrote to memory of 2708	1984	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe	36
PID 1984 wrote to memory of 2708	1984	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe	36

C:\Users\Admin\AppData\Local\Temp\3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1192
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:2864
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\izvmn5eg.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8A94.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8A93.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2332
- C:\Users\Admin\AppData\Roaming\3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes1181.exe
  "C:\Users\Admin\AppData\Roaming\3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes1181.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8A94.tmp

Filesize
1KB

MD5
98841872dd80bcc4e35dfbee69e2a4b5

SHA1
331c47469e7d76e0af708c0b963fea0e8d044d4d

SHA256
c42d350242b4f736da1e833d47e9316fd23a6e503d19563677f22e8d5018fa1c

SHA512
4aa2d88ad77c9ca0d827415326a7efd8cce5503863e651e3e9e2e6b1e007d8c88dbb99c84f38f1566e814d68bb82044fb36a65ba9add04c0afdaa8b94a6cb0f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\izvmn5eg.0.vb

Filesize
381B

MD5
c4ecab712b39b17bb897697f43cbe224

SHA1
5ecf2cb7db821c7f1afe2d3abc8b02a5368cde9e

SHA256
6498e7af362715201d9164fc64f38081dddb453a9b2e0524d2d0b95461cd4845

SHA512
e2ba5a81880a54ca1b9d8f074490a775ae132c96d16d06ff140cc3b29ca95bb9222c282b36879386d56f40af42bec5fde0b57ccfd8c329d2e4a66fbd0cd4a3bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\izvmn5eg.cmdline

Filesize
235B

MD5
a58d7b220409c3bec4d6450ccbb2ef27

SHA1
ea57c536f69078f2adb739cec046d92ce51f3d0c

SHA256
97680ee9b944228a0244abc666a2bb9fff30fef5a06fba508ee95edf45409c33

SHA512
99778fbc6edd026b71ff1bedaa1ac5df687f9dee6db4c3e95cf12df7fd6c88c96b92836f6296d87120c296c9ec9a054663b02fcaf43b9d60371e9c74cbdc793f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8A93.tmp

Filesize
804B

MD5
645e14b44dbcd043ab93807510715b2c

SHA1
1f05de6451249e5d15d41dbefddac26349cebb5a

SHA256
312314733dce53abbb79ab0ef1ce0e2bced88acedc2d821400a412ccf8cee6c0

SHA512
d51d08ca1d02a7bced2b82d9db45d6185170f80fdfaec2772acb5e6d97f1cae75c84789daf0f946426ef53cfccb6710a7c51ff5070c32ac47ff0367073adae4a

Download Submit
C:\Users\Admin\AppData\Roaming\3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe

Filesize
1.3MB

MD5
3f3beb09e8db0b865e34d3bf4479819f

SHA1
a1b3d9ba90d8c62b2ce49d09ef31bcf496508139

SHA256
fa70c72f7416519343cb4735a521991c0e724f49fb81c252502213b4f5f21f45

SHA512
1373781d3aebc9ce843f62da4779f2b5b0aab1d0737cc873378dbbd54dce0d14db5f315d872ff2e4909dece0e8505d21de2d6f1f0977e3cd879c40bf5739d8b7

Download Submit
C:\Users\Admin\AppData\Roaming\3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes1181.exe

Filesize
6KB

MD5
f3724b146f2da8e34803e69239cb87e3

SHA1
d1d089c4c53224a67d877a46c0d31398f09f787e

SHA256
39b5fce06d0c97d3939f97ad6d8928c568d8fe1e5e4c1c39541a0f4e9608decc

SHA512
9eaa1d3c106255383296345f99ae4c2163b442c2ab36fa128a92d5e36ee7fba8dc381d2b09d22a862d1254c915f03508e72456cd68cd06f13a47dd9a032fe5ad

Download Submit
memory/1192-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1192-21-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1192-16-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1192-24-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1192-25-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1192-14-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1192-20-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1192-12-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1192-10-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1192-34-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1192-3-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1192-23-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1192-7-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1192-8-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1192-5-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1984-0-0x0000000074F11000-0x0000000074F12000-memory.dmp

Filesize
4KB

Download
memory/1984-2-0x0000000074F10000-0x00000000754BB000-memory.dmp

Filesize
5.7MB

Download
memory/1984-1-0x0000000074F10000-0x00000000754BB000-memory.dmp

Filesize
5.7MB

Download
memory/1984-51-0x0000000074F10000-0x00000000754BB000-memory.dmp

Filesize
5.7MB

Download
memory/2440-30-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2440-43-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2864-31-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download