darkcomet | 083880a74ce9330de51ef7e2b9f58bf767ba7b06d2b5b68434e3aab64a4d224e

Analysis

max time kernel
149s
max time network
138s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-10-2024 13:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5cef115e34325cb1889be7fae0f84648_JaffaCakes118.exe
Size

716KB
MD5

5cef115e34325cb1889be7fae0f84648
SHA1

d3a78f0665a26ec0a9562d28cb6b74abcbe34e58
SHA256

083880a74ce9330de51ef7e2b9f58bf767ba7b06d2b5b68434e3aab64a4d224e
SHA512

28f76ddb01dd56900dcdf4161f228957108a58c9c99e47ac9d210d2a6e754ef8640ac7d2393a95d18a071ebf5d576b6a8a1813d7ba1a76e4ca86e820c23da00c
SSDEEP

12288:U0dwaaITkyLFaFtJsKzLyVPbXks/rA82zOwu5jcqtHhG7jfoaU/taRixB1aln+zH:XnTkyBaDCPbX/ySjrtujuhn12+99

Score

10^/10

darkcomet guest16 discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

95.79.31.101:1604

Mutex

DC_MUTEX-E2ZGDTS

Attributes

InstallPath
MSDCSC\svchost.exe
gencode
rW8pc78Q0Uk7
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

2929.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\svchost.exe"	2929.exe

Executes dropped EXE 3 IoCs

Processes:

2929.exeflooder.exesvchost.exe

pid	Process
2524	2929.exe
2528	flooder.exe
2908	svchost.exe

Loads dropped DLL 6 IoCs

Processes:

5cef115e34325cb1889be7fae0f84648_JaffaCakes118.exe2929.exe

pid	Process
1704	5cef115e34325cb1889be7fae0f84648_JaffaCakes118.exe
1704	5cef115e34325cb1889be7fae0f84648_JaffaCakes118.exe
1704	5cef115e34325cb1889be7fae0f84648_JaffaCakes118.exe
1704	5cef115e34325cb1889be7fae0f84648_JaffaCakes118.exe
2524	2929.exe
2524	2929.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2929.exesvchost.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\svchost.exe"	2929.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\svchost.exe"	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2929.exenotepad.exesvchost.exe5cef115e34325cb1889be7fae0f84648_JaffaCakes118.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2929.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5cef115e34325cb1889be7fae0f84648_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

2929.exesvchost.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2524	2929.exe
Token: SeSecurityPrivilege	2524	2929.exe
Token: SeTakeOwnershipPrivilege	2524	2929.exe
Token: SeLoadDriverPrivilege	2524	2929.exe
Token: SeSystemProfilePrivilege	2524	2929.exe
Token: SeSystemtimePrivilege	2524	2929.exe
Token: SeProfSingleProcessPrivilege	2524	2929.exe
Token: SeIncBasePriorityPrivilege	2524	2929.exe
Token: SeCreatePagefilePrivilege	2524	2929.exe
Token: SeBackupPrivilege	2524	2929.exe
Token: SeRestorePrivilege	2524	2929.exe
Token: SeShutdownPrivilege	2524	2929.exe
Token: SeDebugPrivilege	2524	2929.exe
Token: SeSystemEnvironmentPrivilege	2524	2929.exe
Token: SeChangeNotifyPrivilege	2524	2929.exe
Token: SeRemoteShutdownPrivilege	2524	2929.exe
Token: SeUndockPrivilege	2524	2929.exe
Token: SeManageVolumePrivilege	2524	2929.exe
Token: SeImpersonatePrivilege	2524	2929.exe
Token: SeCreateGlobalPrivilege	2524	2929.exe
Token: 33	2524	2929.exe
Token: 34	2524	2929.exe
Token: 35	2524	2929.exe
Token: SeIncreaseQuotaPrivilege	2908	svchost.exe
Token: SeSecurityPrivilege	2908	svchost.exe
Token: SeTakeOwnershipPrivilege	2908	svchost.exe
Token: SeLoadDriverPrivilege	2908	svchost.exe
Token: SeSystemProfilePrivilege	2908	svchost.exe
Token: SeSystemtimePrivilege	2908	svchost.exe
Token: SeProfSingleProcessPrivilege	2908	svchost.exe
Token: SeIncBasePriorityPrivilege	2908	svchost.exe
Token: SeCreatePagefilePrivilege	2908	svchost.exe
Token: SeBackupPrivilege	2908	svchost.exe
Token: SeRestorePrivilege	2908	svchost.exe
Token: SeShutdownPrivilege	2908	svchost.exe
Token: SeDebugPrivilege	2908	svchost.exe
Token: SeSystemEnvironmentPrivilege	2908	svchost.exe
Token: SeChangeNotifyPrivilege	2908	svchost.exe
Token: SeRemoteShutdownPrivilege	2908	svchost.exe
Token: SeUndockPrivilege	2908	svchost.exe
Token: SeManageVolumePrivilege	2908	svchost.exe
Token: SeImpersonatePrivilege	2908	svchost.exe
Token: SeCreateGlobalPrivilege	2908	svchost.exe
Token: 33	2908	svchost.exe
Token: 34	2908	svchost.exe
Token: 35	2908	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid	Process
2908	svchost.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

5cef115e34325cb1889be7fae0f84648_JaffaCakes118.exe2929.exeflooder.exe

description	pid	Process	procid_target
PID 1704 wrote to memory of 2524	1704	5cef115e34325cb1889be7fae0f84648_JaffaCakes118.exe	30
PID 1704 wrote to memory of 2524	1704	5cef115e34325cb1889be7fae0f84648_JaffaCakes118.exe	30
PID 1704 wrote to memory of 2524	1704	5cef115e34325cb1889be7fae0f84648_JaffaCakes118.exe	30
PID 1704 wrote to memory of 2524	1704	5cef115e34325cb1889be7fae0f84648_JaffaCakes118.exe	30
PID 1704 wrote to memory of 2528	1704	5cef115e34325cb1889be7fae0f84648_JaffaCakes118.exe	31
PID 1704 wrote to memory of 2528	1704	5cef115e34325cb1889be7fae0f84648_JaffaCakes118.exe	31
PID 1704 wrote to memory of 2528	1704	5cef115e34325cb1889be7fae0f84648_JaffaCakes118.exe	31
PID 1704 wrote to memory of 2528	1704	5cef115e34325cb1889be7fae0f84648_JaffaCakes118.exe	31
PID 2524 wrote to memory of 2856	2524	2929.exe	32
PID 2524 wrote to memory of 2856	2524	2929.exe	32
PID 2524 wrote to memory of 2856	2524	2929.exe	32
PID 2524 wrote to memory of 2856	2524	2929.exe	32
PID 2524 wrote to memory of 2856	2524	2929.exe	32
PID 2524 wrote to memory of 2856	2524	2929.exe	32
PID 2524 wrote to memory of 2856	2524	2929.exe	32
PID 2524 wrote to memory of 2856	2524	2929.exe	32
PID 2524 wrote to memory of 2856	2524	2929.exe	32
PID 2524 wrote to memory of 2856	2524	2929.exe	32
PID 2524 wrote to memory of 2856	2524	2929.exe	32
PID 2524 wrote to memory of 2856	2524	2929.exe	32
PID 2524 wrote to memory of 2856	2524	2929.exe	32
PID 2524 wrote to memory of 2856	2524	2929.exe	32
PID 2524 wrote to memory of 2856	2524	2929.exe	32
PID 2524 wrote to memory of 2856	2524	2929.exe	32
PID 2524 wrote to memory of 2856	2524	2929.exe	32
PID 2524 wrote to memory of 2856	2524	2929.exe	32
PID 2524 wrote to memory of 2908	2524	2929.exe	33
PID 2524 wrote to memory of 2908	2524	2929.exe	33
PID 2524 wrote to memory of 2908	2524	2929.exe	33
PID 2524 wrote to memory of 2908	2524	2929.exe	33
PID 2528 wrote to memory of 2680	2528	flooder.exe	34
PID 2528 wrote to memory of 2680	2528	flooder.exe	34
PID 2528 wrote to memory of 2680	2528	flooder.exe	34

C:\Users\Admin\AppData\Local\Temp\5cef115e34325cb1889be7fae0f84648_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5cef115e34325cb1889be7fae0f84648_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Admin\AppData\Local\Temp\2929.exe
  "C:\Users\Admin\AppData\Local\Temp\2929.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2856
- - C:\Users\Admin\Documents\MSDCSC\svchost.exe
    "C:\Users\Admin\Documents\MSDCSC\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2908
- C:\Users\Admin\AppData\Local\Temp\flooder.exe
  "C:\Users\Admin\AppData\Local\Temp\flooder.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2528 -s 672
    3⤵
    PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\flooder.exe

Filesize
258KB

MD5
fc5f652289a2efd79f0bccb1656e664d

SHA1
bd8cf8572962a9bd70bd978b6bd7f3421f0e1df4

SHA256
6a5b078ab27b0e7e667c4d80ee8e9e3d85bb92021736762caef8919d5446d20a

SHA512
ac86cb254d0faf35e355013b7d483d580355ef3be4b4a454a8f53cdd0a64a3211b15775f63ed87a57155d4d4e68bd5f5ddd45193b9384b43bdcdab3737889e44

Download Submit
\Users\Admin\AppData\Local\Temp\2929.exe

Filesize
690KB

MD5
1c1e287690221213a5a450e099a57c38

SHA1
3406b8d85028fdd610a656e8bcc792b918576456

SHA256
4c4f37f35696c74f98a3eb4231f520f03a1b7d797ff2ef3751ad411f722ef593

SHA512
0f669c05d7857fbd68fac19bab740dce81904d7c74531e96f7ddb2ba5fb1d648649cc284fcc03a62a08b47054a0c2e94391fe8bac0e5ec9c592eb441c40441c4

Download Submit
memory/2524-64-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2528-20-0x0000000000BF0000-0x0000000000C38000-memory.dmp

Filesize
288KB

Download
memory/2528-53-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2528-62-0x0000000000260000-0x0000000000286000-memory.dmp

Filesize
152KB

Download
memory/2856-24-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2856-52-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2908-66-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2908-68-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download