darkcomet | 19620bb62f73fa37f89054d0007aad524554e714c49ce69ebc890a6ac0a47bb2

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-10-2024 07:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4be3d9b5d37faa8dc625e4c2a025cffd_JaffaCakes118.exe
Size

277KB
MD5

4be3d9b5d37faa8dc625e4c2a025cffd
SHA1

6af3e68d38498007827e537801cd1a0fc7208a29
SHA256

19620bb62f73fa37f89054d0007aad524554e714c49ce69ebc890a6ac0a47bb2
SHA512

26e19493c4096f3eca6cc660bd162aad222d346441c1e1964e46e8f2991e17f22318a3c23dd4682fce6796525134349ad44830e09a8d78e54f153a50d4d14200
SSDEEP

6144:+S6Xzj+g85J74+GD0SzLTGwwCxHQ7Nva9A8X26vnQmPVfk3OAi:+SuBuReDL6nSwlS26PQmP5

Score

10^/10

darkcomet slave1 discovery evasion rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Slave1

egyownsyou.no-ip.biz:200

Mutex

DC_MUTEX-WLKK6C0

Attributes

gencode
WMf3ikzBCSwG
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2548	attrib.exe
2796	attrib.exe

Executes dropped EXE 1 IoCs

pid	Process
2312	testserv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	testserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2312	testserv.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2312	testserv.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2312	testserv.exe
Token: SeSecurityPrivilege	2312	testserv.exe
Token: SeTakeOwnershipPrivilege	2312	testserv.exe
Token: SeLoadDriverPrivilege	2312	testserv.exe
Token: SeSystemProfilePrivilege	2312	testserv.exe
Token: SeSystemtimePrivilege	2312	testserv.exe
Token: SeProfSingleProcessPrivilege	2312	testserv.exe
Token: SeIncBasePriorityPrivilege	2312	testserv.exe
Token: SeCreatePagefilePrivilege	2312	testserv.exe
Token: SeBackupPrivilege	2312	testserv.exe
Token: SeRestorePrivilege	2312	testserv.exe
Token: SeShutdownPrivilege	2312	testserv.exe
Token: SeDebugPrivilege	2312	testserv.exe
Token: SeSystemEnvironmentPrivilege	2312	testserv.exe
Token: SeChangeNotifyPrivilege	2312	testserv.exe
Token: SeRemoteShutdownPrivilege	2312	testserv.exe
Token: SeUndockPrivilege	2312	testserv.exe
Token: SeManageVolumePrivilege	2312	testserv.exe
Token: SeImpersonatePrivilege	2312	testserv.exe
Token: SeCreateGlobalPrivilege	2312	testserv.exe
Token: 33	2312	testserv.exe
Token: 34	2312	testserv.exe
Token: 35	2312	testserv.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2312	testserv.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2600 wrote to memory of 2308	2600	4be3d9b5d37faa8dc625e4c2a025cffd_JaffaCakes118.exe	30
PID 2600 wrote to memory of 2308	2600	4be3d9b5d37faa8dc625e4c2a025cffd_JaffaCakes118.exe	30
PID 2600 wrote to memory of 2308	2600	4be3d9b5d37faa8dc625e4c2a025cffd_JaffaCakes118.exe	30
PID 2308 wrote to memory of 2312	2308	cmd.exe	32
PID 2308 wrote to memory of 2312	2308	cmd.exe	32
PID 2308 wrote to memory of 2312	2308	cmd.exe	32
PID 2308 wrote to memory of 2312	2308	cmd.exe	32
PID 2312 wrote to memory of 2752	2312	testserv.exe	33
PID 2312 wrote to memory of 2752	2312	testserv.exe	33
PID 2312 wrote to memory of 2752	2312	testserv.exe	33
PID 2312 wrote to memory of 2752	2312	testserv.exe	33
PID 2312 wrote to memory of 2216	2312	testserv.exe	34
PID 2312 wrote to memory of 2216	2312	testserv.exe	34
PID 2312 wrote to memory of 2216	2312	testserv.exe	34
PID 2312 wrote to memory of 2216	2312	testserv.exe	34
PID 2312 wrote to memory of 2644	2312	testserv.exe	35
PID 2312 wrote to memory of 2644	2312	testserv.exe	35
PID 2312 wrote to memory of 2644	2312	testserv.exe	35
PID 2312 wrote to memory of 2644	2312	testserv.exe	35
PID 2312 wrote to memory of 2644	2312	testserv.exe	35
PID 2312 wrote to memory of 2644	2312	testserv.exe	35
PID 2312 wrote to memory of 2644	2312	testserv.exe	35
PID 2312 wrote to memory of 2644	2312	testserv.exe	35
PID 2312 wrote to memory of 2644	2312	testserv.exe	35
PID 2312 wrote to memory of 2644	2312	testserv.exe	35
PID 2312 wrote to memory of 2644	2312	testserv.exe	35
PID 2312 wrote to memory of 2644	2312	testserv.exe	35
PID 2312 wrote to memory of 2644	2312	testserv.exe	35
PID 2312 wrote to memory of 2644	2312	testserv.exe	35
PID 2312 wrote to memory of 2644	2312	testserv.exe	35
PID 2312 wrote to memory of 2644	2312	testserv.exe	35
PID 2312 wrote to memory of 2644	2312	testserv.exe	35
PID 2312 wrote to memory of 2644	2312	testserv.exe	35
PID 2312 wrote to memory of 2644	2312	testserv.exe	35
PID 2312 wrote to memory of 2644	2312	testserv.exe	35
PID 2312 wrote to memory of 2644	2312	testserv.exe	35
PID 2312 wrote to memory of 2644	2312	testserv.exe	35
PID 2312 wrote to memory of 2644	2312	testserv.exe	35
PID 2216 wrote to memory of 2796	2216	cmd.exe	38
PID 2216 wrote to memory of 2796	2216	cmd.exe	38
PID 2216 wrote to memory of 2796	2216	cmd.exe	38
PID 2216 wrote to memory of 2796	2216	cmd.exe	38
PID 2752 wrote to memory of 2548	2752	cmd.exe	39
PID 2752 wrote to memory of 2548	2752	cmd.exe	39
PID 2752 wrote to memory of 2548	2752	cmd.exe	39
PID 2752 wrote to memory of 2548	2752	cmd.exe	39

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2548	attrib.exe
2796	attrib.exe

C:\Users\Admin\AppData\Local\Temp\4be3d9b5d37faa8dc625e4c2a025cffd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4be3d9b5d37faa8dc625e4c2a025cffd_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\AFEE.tmp\KeepThis.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Users\Admin\AppData\Local\Temp\testserv.exe
    testserv.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\testserv.exe" +s +h
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp\testserv.exe" +s +h
        5⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2548
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2216
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        5⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2796
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      System Location Discovery: System Language Discovery
      PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AFEE.tmp\KeepThis.bat

Filesize
43B

MD5
77ea64193ae1c51193a55b57386ea623

SHA1
67d532e65dd7f135c11a13bd74330a7b0c2065bc

SHA256
7ae347de776930ceca3473f844612de9f434d295247b19bf0ba65d0bc1b71f23

SHA512
c0738a6aa2356f2ca2b7c5160a2544149978314a0f80112c08e319dde9a4bc608f46e7672be4e2fc48944fe431333a66268eac223b29f7e10f5eea2556eca348

Download Submit
C:\Users\Admin\AppData\Local\Temp\testserv.exe

Filesize
658KB

MD5
8c352c5702cfdfd4edefc57f712767c6

SHA1
5f0cc07bdebdd1dbff0afd172c37e1d4e2c42dff

SHA256
001e90fba6427cad65c15677c5fce2dd6e9918f17832404b4b6f01fd5f0394b1

SHA512
d4931f51c1036d8436fae3db8d4ec68d74bd0346d122feeecc5b9ec78cb06b2979bcc1cded9e923bf4697b04e8cd61089260bda69c0b99423a2ec78f51d93715

Download Submit
memory/2312-21-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2312-48-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2312-50-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2312-52-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2600-0-0x0000000140000000-0x00000001400BB000-memory.dmp

Filesize
748KB

Download
memory/2600-20-0x0000000140000000-0x00000001400BB000-memory.dmp

Filesize
748KB

Download
memory/2644-22-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2644-47-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads