darkcomet | 7b57f2c1e6199c2973acf6527a75a5f2c233e5f3c309a07737c230706eb411e0

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
15/10/2024, 10:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

475ed004da785a249ba1a537a5a91f46_JaffaCakes118.exe
Size

1.4MB
MD5

475ed004da785a249ba1a537a5a91f46
SHA1

1845ce0b33790401c02ae2bc4c921e4b67d62d92
SHA256

7b57f2c1e6199c2973acf6527a75a5f2c233e5f3c309a07737c230706eb411e0
SHA512

8a72b97ee212113ec9866880ca06f69b68cb490da87b460efc6606095058508a0e6bae6c9c46692c84b8dde9366cca7470602fb7cea78dfcf0ae4be7d349cd8e
SSDEEP

24576:Q/ZBumSO9V6T6gfa4+hqUM4/JibT5cbC:Q/rpgA/BJio

Score

10^/10

darkcomet discovery evasion persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	vbc.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	vbc.exe

Executes dropped EXE 2 IoCs

pid	Process
2308	dvpy2070MN1.exe
2836	dvpy2070MN2.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Testing = "C:\\ProgramData\\winautoupdt.exe"	dvpy2070MN2.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2836 set thread context of 2128	2836	dvpy2070MN2.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dvpy2070MN1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dvpy2070MN2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vbc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	vbc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	vbc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vbc.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	vbc.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2128	vbc.exe
Token: SeSecurityPrivilege	2128	vbc.exe
Token: SeTakeOwnershipPrivilege	2128	vbc.exe
Token: SeLoadDriverPrivilege	2128	vbc.exe
Token: SeSystemProfilePrivilege	2128	vbc.exe
Token: SeSystemtimePrivilege	2128	vbc.exe
Token: SeProfSingleProcessPrivilege	2128	vbc.exe
Token: SeIncBasePriorityPrivilege	2128	vbc.exe
Token: SeCreatePagefilePrivilege	2128	vbc.exe
Token: SeBackupPrivilege	2128	vbc.exe
Token: SeRestorePrivilege	2128	vbc.exe
Token: SeShutdownPrivilege	2128	vbc.exe
Token: SeDebugPrivilege	2128	vbc.exe
Token: SeSystemEnvironmentPrivilege	2128	vbc.exe
Token: SeChangeNotifyPrivilege	2128	vbc.exe
Token: SeRemoteShutdownPrivilege	2128	vbc.exe
Token: SeUndockPrivilege	2128	vbc.exe
Token: SeManageVolumePrivilege	2128	vbc.exe
Token: SeImpersonatePrivilege	2128	vbc.exe
Token: SeCreateGlobalPrivilege	2128	vbc.exe
Token: 33	2128	vbc.exe
Token: 34	2128	vbc.exe
Token: 35	2128	vbc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2128	vbc.exe
2516	javaw.exe
2516	javaw.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2308	2356	475ed004da785a249ba1a537a5a91f46_JaffaCakes118.exe	30
PID 2356 wrote to memory of 2308	2356	475ed004da785a249ba1a537a5a91f46_JaffaCakes118.exe	30
PID 2356 wrote to memory of 2308	2356	475ed004da785a249ba1a537a5a91f46_JaffaCakes118.exe	30
PID 2356 wrote to memory of 2308	2356	475ed004da785a249ba1a537a5a91f46_JaffaCakes118.exe	30
PID 2356 wrote to memory of 2836	2356	475ed004da785a249ba1a537a5a91f46_JaffaCakes118.exe	31
PID 2356 wrote to memory of 2836	2356	475ed004da785a249ba1a537a5a91f46_JaffaCakes118.exe	31
PID 2356 wrote to memory of 2836	2356	475ed004da785a249ba1a537a5a91f46_JaffaCakes118.exe	31
PID 2356 wrote to memory of 2836	2356	475ed004da785a249ba1a537a5a91f46_JaffaCakes118.exe	31
PID 2308 wrote to memory of 2516	2308	dvpy2070MN1.exe	32
PID 2308 wrote to memory of 2516	2308	dvpy2070MN1.exe	32
PID 2308 wrote to memory of 2516	2308	dvpy2070MN1.exe	32
PID 2308 wrote to memory of 2516	2308	dvpy2070MN1.exe	32
PID 2836 wrote to memory of 2128	2836	dvpy2070MN2.exe	33
PID 2836 wrote to memory of 2128	2836	dvpy2070MN2.exe	33
PID 2836 wrote to memory of 2128	2836	dvpy2070MN2.exe	33
PID 2836 wrote to memory of 2128	2836	dvpy2070MN2.exe	33
PID 2836 wrote to memory of 2128	2836	dvpy2070MN2.exe	33
PID 2836 wrote to memory of 2128	2836	dvpy2070MN2.exe	33
PID 2836 wrote to memory of 2128	2836	dvpy2070MN2.exe	33
PID 2836 wrote to memory of 2128	2836	dvpy2070MN2.exe	33
PID 2836 wrote to memory of 2128	2836	dvpy2070MN2.exe	33
PID 2836 wrote to memory of 2128	2836	dvpy2070MN2.exe	33
PID 2836 wrote to memory of 2128	2836	dvpy2070MN2.exe	33
PID 2836 wrote to memory of 2128	2836	dvpy2070MN2.exe	33
PID 2836 wrote to memory of 2128	2836	dvpy2070MN2.exe	33

C:\Users\Admin\AppData\Local\Temp\475ed004da785a249ba1a537a5a91f46_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\475ed004da785a249ba1a537a5a91f46_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Users\Admin\AppData\Local\Temp\dvpy2070MN1.exe
  "C:\Users\Admin\AppData\Local\Temp\dvpy2070MN1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Program Files\Java\jre7\bin\javaw.exe
    "C:\Program Files\Java\jre7\bin\javaw.exe" -Xms512m -Xmx1024m -jar "C:\Users\Admin\AppData\Local\Temp\dvpy2070MN1.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2516
- C:\Users\Admin\AppData\Local\Temp\dvpy2070MN2.exe
  "C:\Users\Admin\AppData\Local\Temp\dvpy2070MN2.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Windows security bypass
    - Checks BIOS information in registry
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dvpy2070MN1.exe

Filesize
263KB

MD5
0f1931e26c21219db1c90e90037f11f6

SHA1
74b65f7fb7fa197d413ba5bc45cf10304deb4ecc

SHA256
f4d54e35b857b5dfbca6fefcff5ab5599ce30b62eef7deded6594c5be93d25c3

SHA512
0c6a90034e5852915af61ccc091568cb636f583d4c4b5cca8bfc3f7f86bbf6a79f16c324d723c1d3968d7996071bb85a79cd6fde682bb4bfeedfd770b7b8e817

Download Submit
C:\Users\Admin\AppData\Local\Temp\dvpy2070MN2.exe

Filesize
1.2MB

MD5
3abffb08abdb8505fa118ba1e5d2a391

SHA1
ca38019f831aa078cf5f607ca8ca136c58686f12

SHA256
bd6f1622e4f01420ac7bbf244931e54a7aab17d754c854c83af37c2d2ac400da

SHA512
03834b1ae65a5a5c128a7f1b8f64b9b715ddc016f9decbbc8bfe59168be2dfeb69087775afca763967c51d723f8d671608ee2b5bfff6a3a858891fd45abe8cf6

Download Submit
memory/2128-36-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2128-40-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2128-93-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2128-92-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2128-91-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2128-90-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2128-28-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2128-26-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2128-34-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2128-54-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2128-53-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2128-52-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2128-51-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2128-44-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2128-43-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2128-42-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2128-32-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2128-38-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2128-89-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2128-88-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2128-87-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2128-86-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2128-84-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2128-30-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2128-83-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2128-79-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2128-80-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2128-81-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2128-82-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2308-18-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2356-0-0x000007FEF5E6E000-0x000007FEF5E6F000-memory.dmp

Filesize
4KB

Download
memory/2356-3-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp

Filesize
9.6MB

Download
memory/2356-21-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp

Filesize
9.6MB

Download
memory/2356-1-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp

Filesize
9.6MB

Download
memory/2356-2-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp

Filesize
9.6MB

Download
memory/2516-78-0x00000000002A0000-0x00000000002AA000-memory.dmp

Filesize
40KB

Download
memory/2516-60-0x00000000002A0000-0x00000000002AA000-memory.dmp

Filesize
40KB

Download
memory/2516-61-0x00000000002A0000-0x00000000002AA000-memory.dmp

Filesize
40KB

Download
memory/2516-76-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads