darkcomet | fa70c72f7416519343cb4735a521991c0e724f49fb81c252502213b4f5f21f45

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2024, 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe
Size

1.3MB
MD5

3f3beb09e8db0b865e34d3bf4479819f
SHA1

a1b3d9ba90d8c62b2ce49d09ef31bcf496508139
SHA256

fa70c72f7416519343cb4735a521991c0e724f49fb81c252502213b4f5f21f45
SHA512

1373781d3aebc9ce843f62da4779f2b5b0aab1d0737cc873378dbbd54dce0d14db5f315d872ff2e4909dece0e8505d21de2d6f1f0977e3cd879c40bf5739d8b7
SSDEEP

24576:8RrAMRunfFDvZK982TYA77hLrJ7NBNrcZYkhCuRwTszBwbr:wrAMRutbZK9XRPlNwnPRwwC

Score

10^/10

darkcomet guest16 discovery rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

smart-bot.no-ip.org:1604

Mutex

DC_MUTEX-HECGC7P

Attributes

gencode
navSR3J1K6J8
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes1181.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes1181.exe

Executes dropped EXE 1 IoCs

pid	Process
4128	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes1181.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3256 set thread context of 3936	3256	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes1181.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3936	vbc.exe
Token: SeSecurityPrivilege	3936	vbc.exe
Token: SeTakeOwnershipPrivilege	3936	vbc.exe
Token: SeLoadDriverPrivilege	3936	vbc.exe
Token: SeSystemProfilePrivilege	3936	vbc.exe
Token: SeSystemtimePrivilege	3936	vbc.exe
Token: SeProfSingleProcessPrivilege	3936	vbc.exe
Token: SeIncBasePriorityPrivilege	3936	vbc.exe
Token: SeCreatePagefilePrivilege	3936	vbc.exe
Token: SeBackupPrivilege	3936	vbc.exe
Token: SeRestorePrivilege	3936	vbc.exe
Token: SeShutdownPrivilege	3936	vbc.exe
Token: SeDebugPrivilege	3936	vbc.exe
Token: SeSystemEnvironmentPrivilege	3936	vbc.exe
Token: SeChangeNotifyPrivilege	3936	vbc.exe
Token: SeRemoteShutdownPrivilege	3936	vbc.exe
Token: SeUndockPrivilege	3936	vbc.exe
Token: SeManageVolumePrivilege	3936	vbc.exe
Token: SeImpersonatePrivilege	3936	vbc.exe
Token: SeCreateGlobalPrivilege	3936	vbc.exe
Token: 33	3936	vbc.exe
Token: 34	3936	vbc.exe
Token: 35	3936	vbc.exe
Token: 36	3936	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3936	vbc.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3256 wrote to memory of 3936	3256	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe	86
PID 3256 wrote to memory of 3936	3256	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe	86
PID 3256 wrote to memory of 3936	3256	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe	86
PID 3256 wrote to memory of 3936	3256	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe	86
PID 3256 wrote to memory of 3936	3256	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe	86
PID 3256 wrote to memory of 3936	3256	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe	86
PID 3256 wrote to memory of 3936	3256	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe	86
PID 3256 wrote to memory of 3936	3256	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe	86
PID 3256 wrote to memory of 3936	3256	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe	86
PID 3256 wrote to memory of 3936	3256	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe	86
PID 3256 wrote to memory of 3936	3256	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe	86
PID 3256 wrote to memory of 3936	3256	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe	86
PID 3256 wrote to memory of 3936	3256	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe	86
PID 3256 wrote to memory of 3936	3256	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe	86
PID 3256 wrote to memory of 3384	3256	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe	87
PID 3256 wrote to memory of 3384	3256	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe	87
PID 3256 wrote to memory of 3384	3256	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe	87
PID 3936 wrote to memory of 3968	3936	vbc.exe	89
PID 3936 wrote to memory of 3968	3936	vbc.exe	89
PID 3936 wrote to memory of 3968	3936	vbc.exe	89
PID 3936 wrote to memory of 3192	3936	vbc.exe	90
PID 3936 wrote to memory of 3192	3936	vbc.exe	90
PID 3384 wrote to memory of 4024	3384	vbc.exe	91
PID 3384 wrote to memory of 4024	3384	vbc.exe	91
PID 3384 wrote to memory of 4024	3384	vbc.exe	91
PID 3256 wrote to memory of 4128	3256	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe	92
PID 3256 wrote to memory of 4128	3256	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe	92
PID 3256 wrote to memory of 4128	3256	3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe	92

C:\Users\Admin\AppData\Local\Temp\3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3256
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3936
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:3968
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    PID:3192
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\imudi--r.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3384
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9E05.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc608DE55ADDC34392B6879AD13D85F42A.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4024
- C:\Users\Admin\AppData\Roaming\3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes1181.exe
  "C:\Users\Admin\AppData\Roaming\3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes1181.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9E05.tmp

Filesize
1KB

MD5
846636644f6ae3999687450c375fd533

SHA1
1d0f686f08d45f3ec9f27d0d89030405d164288d

SHA256
733ffeadf3a5c22902d39fdba8afe2c58f0dc298611d82a1908ec40182cf582f

SHA512
59f1daff95e340c35eb020cf51f2e83d5cbead4deb033e7bfbf136b03ffe511768c3bda3edba810c6310ab0f5c969df3d9531b294134cf028be1fab3876865c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\imudi--r.0.vb

Filesize
381B

MD5
c4ecab712b39b17bb897697f43cbe224

SHA1
5ecf2cb7db821c7f1afe2d3abc8b02a5368cde9e

SHA256
6498e7af362715201d9164fc64f38081dddb453a9b2e0524d2d0b95461cd4845

SHA512
e2ba5a81880a54ca1b9d8f074490a775ae132c96d16d06ff140cc3b29ca95bb9222c282b36879386d56f40af42bec5fde0b57ccfd8c329d2e4a66fbd0cd4a3bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\imudi--r.cmdline

Filesize
235B

MD5
c2e5b577b9010158054f553dfca2fff8

SHA1
a632565f831aad285320a6c2f905b3e4258335f4

SHA256
1e98043c38b35022cdf289ae8171ea4dd24d29a15381eb61001cd24096714667

SHA512
9eb5d4638f4f015919a87985f67b0858d465254314999e0679fa568e21f84d5668af10d211699d3a7150951e6c1efcf4c3921cb5e69d90a67819f53015b51d9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc608DE55ADDC34392B6879AD13D85F42A.TMP

Filesize
804B

MD5
645e14b44dbcd043ab93807510715b2c

SHA1
1f05de6451249e5d15d41dbefddac26349cebb5a

SHA256
312314733dce53abbb79ab0ef1ce0e2bced88acedc2d821400a412ccf8cee6c0

SHA512
d51d08ca1d02a7bced2b82d9db45d6185170f80fdfaec2772acb5e6d97f1cae75c84789daf0f946426ef53cfccb6710a7c51ff5070c32ac47ff0367073adae4a

Download Submit
C:\Users\Admin\AppData\Roaming\3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes118.exe

Filesize
1.3MB

MD5
3f3beb09e8db0b865e34d3bf4479819f

SHA1
a1b3d9ba90d8c62b2ce49d09ef31bcf496508139

SHA256
fa70c72f7416519343cb4735a521991c0e724f49fb81c252502213b4f5f21f45

SHA512
1373781d3aebc9ce843f62da4779f2b5b0aab1d0737cc873378dbbd54dce0d14db5f315d872ff2e4909dece0e8505d21de2d6f1f0977e3cd879c40bf5739d8b7

Download Submit
C:\Users\Admin\AppData\Roaming\3f3beb09e8db0b865e34d3bf4479819f_JaffaCakes1181.exe

Filesize
6KB

MD5
d470fe29d3cbd891dc02fab5d1dc90af

SHA1
dd53fb1f602ee6cc8dc6683450949d7c7aa8d6e6

SHA256
9107dc9abd53d865442003b2bae9b7f3e07d885055717a6bb8c310299e825368

SHA512
f71eb5e5f9a26af3a2c7f7b5ac8defddec58c69d2e2731c1b113d0e46dbe2f3801c6b2e377885761702f36ed943e9452989261b555a726518dec87451b947f73

Download Submit
memory/3256-34-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/3256-31-0x0000000074F12000-0x0000000074F13000-memory.dmp

Filesize
4KB

Download
memory/3256-0-0x0000000074F12000-0x0000000074F13000-memory.dmp

Filesize
4KB

Download
memory/3256-32-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/3256-2-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/3256-1-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/3384-24-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/3384-15-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/3936-13-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3936-39-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3936-11-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3936-10-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3936-6-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3936-4-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3936-3-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3936-35-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3936-36-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3936-37-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3936-38-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3936-12-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3936-40-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3936-41-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3936-42-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3936-43-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3936-44-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3936-45-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3936-46-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3936-47-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3936-48-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3936-49-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3936-50-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download