darkcomet | b1918b150a03c15b853fa4f9a06159880db63594bd29e511640754dbb06f6cc7

Analysis

max time kernel
142s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/10/2024, 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe
Size

672KB
MD5

40903a5dd274cb26b422b0f6dca20483
SHA1

c2f9580c5c7fc3f1ecccdf8cf4ef08a177b8cad0
SHA256

b1918b150a03c15b853fa4f9a06159880db63594bd29e511640754dbb06f6cc7
SHA512

56840260199a302f68c34c5f9f3fad5a40c7e61b75412ff51c30f5fa46a62a4c4f74bb831929afa220712442c9e4698e56be9755162ecaa32e461b0cb1017503
SSDEEP

12288:Y0BvNjLyeLTqN/B4AHMB6u2tmTw2OkPNE+1evDu+SPKUoOjM45W:b/LWN/CAsgugmkQS+87u+3CD8

Score

10^/10

darkcomet discovery persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe"	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2716	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe
272	winupdate.exe

Loads dropped DLL 6 IoCs

pid	Process
2792	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe
2792	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe
2716	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe
272	winupdate.exe
272	winupdate.exe
272	winupdate.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Nvidia\\Svchost.exe"	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Nvidia\\Svchost.exe"	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe"	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2792 set thread context of 2716	2792	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe	31
PID 2716 set thread context of 2580	2716	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2792	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2716	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe
Token: SeSecurityPrivilege	2716	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2716	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2716	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2716	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2716	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2716	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2716	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2716	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe
Token: SeBackupPrivilege	2716	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe
Token: SeRestorePrivilege	2716	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe
Token: SeShutdownPrivilege	2716	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe
Token: SeDebugPrivilege	2716	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2716	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2716	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2716	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe
Token: SeUndockPrivilege	2716	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2716	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2716	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2716	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe
Token: 33	2716	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe
Token: 34	2716	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe
Token: 35	2716	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2564	2792	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe	28
PID 2792 wrote to memory of 2564	2792	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe	28
PID 2792 wrote to memory of 2564	2792	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe	28
PID 2792 wrote to memory of 2564	2792	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe	28
PID 2564 wrote to memory of 2780	2564	csc.exe	30
PID 2564 wrote to memory of 2780	2564	csc.exe	30
PID 2564 wrote to memory of 2780	2564	csc.exe	30
PID 2564 wrote to memory of 2780	2564	csc.exe	30
PID 2792 wrote to memory of 2716	2792	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe	31
PID 2792 wrote to memory of 2716	2792	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe	31
PID 2792 wrote to memory of 2716	2792	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe	31
PID 2792 wrote to memory of 2716	2792	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe	31
PID 2792 wrote to memory of 2716	2792	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe	31
PID 2792 wrote to memory of 2716	2792	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe	31
PID 2792 wrote to memory of 2716	2792	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe	31
PID 2792 wrote to memory of 2716	2792	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe	31
PID 2792 wrote to memory of 2716	2792	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe	31
PID 2792 wrote to memory of 2716	2792	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe	31
PID 2792 wrote to memory of 2716	2792	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe	31
PID 2792 wrote to memory of 2716	2792	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe	31
PID 2792 wrote to memory of 2716	2792	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe	31
PID 2716 wrote to memory of 2580	2716	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe	32
PID 2716 wrote to memory of 2580	2716	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe	32
PID 2716 wrote to memory of 2580	2716	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe	32
PID 2716 wrote to memory of 2580	2716	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe	32
PID 2716 wrote to memory of 2580	2716	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe	32
PID 2716 wrote to memory of 2580	2716	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe	32
PID 2716 wrote to memory of 272	2716	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe	33
PID 2716 wrote to memory of 272	2716	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe	33
PID 2716 wrote to memory of 272	2716	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe	33
PID 2716 wrote to memory of 272	2716	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe	33
PID 2716 wrote to memory of 272	2716	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe	33
PID 2716 wrote to memory of 272	2716	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe	33
PID 2716 wrote to memory of 272	2716	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ucr2m_yr.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5735.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5734.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2780
- C:\Users\Admin\AppData\Roaming\40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe
  C:\Users\Admin\AppData\Roaming\40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe
  2⤵
  - Modifies WinLogon for persistence
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\SysWOW64\explorer.exe"
    3⤵
    PID:2580
- - C:\Windupdt\winupdate.exe
    "C:\Windupdt\winupdate.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES5735.tmp

Filesize
1KB

MD5
54fc413632aae8c791002c5cafed32be

SHA1
3da0b51904b94c05e20543e88fd047229e577c8e

SHA256
9e2fe39bac8512056ccb97640bcaab827f8ac9d78db1e8828c3b18224d69e5f5

SHA512
b8ac90668205d098e0de1477ea90ee1eba96509ef2536dd19a1099592b5c91b02c9c2b6973afac97dc5644e236c6364efaff9c50e44c7e8012360089a5b6a958

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucr2m_yr.dll

Filesize
5KB

MD5
3de9cf4a15e85275312264400dab5999

SHA1
4d35f031a5c50561249edf4278d477c28658b78c

SHA256
f710cd817d14395604d68e7d8ee0485e1fb366116c0dd27dd42cff3cdb01d999

SHA512
3e03578b007c69e3d0d89230551a8198b889735102973c8dca4aae088877544e57b71a78abc4e8a42992f3bc7d0c42d49ef340cb51f32b627f0a7248ef2fb333

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC5734.tmp

Filesize
652B

MD5
b1ecad6a7416f58a647b14672730e87c

SHA1
f04f85fbdc143fd5d9afd7681ef7ed84a73be20b

SHA256
5f07fa897355274ad77b34c3491520c153a61a08f5b2fedaf796bd9795abcb5f

SHA512
f2d6463de185a869b0f9274241595e676cd3a9b80a2a0e637db441aa0a2141679fa62982a599a119f75bd057505d5ff67a308c052b630d2d2db91d3f1de2025e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ucr2m_yr.0.cs

Filesize
5KB

MD5
cb25540570735d26bf391e8b54579396

SHA1
135651d49409214d21348bb879f7973384a7a8cb

SHA256
922ec415710a6e1465ed8553838ddf19c8deb32b75da6dfaca372c1067d2d743

SHA512
553ce9d3647b196ccbd6612c06d301afac992130ec5c80fe8fa8a42bab4250053fad651227ff97d9fab4ba8aaff562d421236dc0b2b5d0d4a17430985dd07080

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ucr2m_yr.cmdline

Filesize
206B

MD5
3444ae7dfc387463482a46ce8bb87231

SHA1
7b56fc3d8341f9571d02e69acd91e93437496eb0

SHA256
daccb7ae5ac5d05015b8030e265274eb238a78723e85a765bde84a9424f0e69f

SHA512
155b34fbdea17e47aea1cc7247a83c3d4d708629ef354b66975e00e8ca8a0817a9cb1aa526bb6cd0a1f92ba24ecafa2d02aaa9958e3ee08696e5248dd645ca3d

Download Submit
\Users\Admin\AppData\Roaming\40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe

Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
memory/272-70-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2564-10-0x0000000074FC0000-0x000000007556B000-memory.dmp

Filesize
5.7MB

Download
memory/2564-17-0x0000000074FC0000-0x000000007556B000-memory.dmp

Filesize
5.7MB

Download
memory/2580-57-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2580-54-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2580-55-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2580-56-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2716-40-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2716-45-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2716-41-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2716-62-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2716-37-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2716-36-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2716-33-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2716-29-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2716-28-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2716-27-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2716-47-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2716-48-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2716-49-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2716-43-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2716-31-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2792-46-0x0000000074FC0000-0x000000007556B000-memory.dmp

Filesize
5.7MB

Download
memory/2792-2-0x0000000074FC0000-0x000000007556B000-memory.dmp

Filesize
5.7MB

Download
memory/2792-0-0x0000000074FC1000-0x0000000074FC2000-memory.dmp

Filesize
4KB

Download
memory/2792-1-0x0000000074FC0000-0x000000007556B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads