darkcomet | d72a399bdf5600d7abcd008ed5d37cbf71b08046702cd885fac3a0d33adea2da

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/10/2024, 00:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f71a28d2a13a4ae52e629cbc623c6e9_JaffaCakes118.exe
Size

1.3MB
MD5

5f71a28d2a13a4ae52e629cbc623c6e9
SHA1

4303496525deacda6a89228561615e9bf9c5d8f2
SHA256

d72a399bdf5600d7abcd008ed5d37cbf71b08046702cd885fac3a0d33adea2da
SHA512

2f60353c3071ab303f9986be77992ce372ecebba08c4c8f682a82fab389931c1640423d4f7ae8b2686bf828e3a130de442a5b5925a1697375e289acf2995653a
SSDEEP

24576:Lmv86/nmFmu9FujCXCedRp3UVqGwAZs1EJ+OcKiu:LRwn9pCSWfEVqGrJji

Score

10^/10

darkcomet discovery rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	tmpB6C1.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe

Executes dropped EXE 1 IoCs

pid	Process
2304	tmpB6C1.tmp.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2304 set thread context of 1584	2304	tmpB6C1.tmp.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB6C1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	tmpB6C1.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	tmpB6C1.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	tmpB6C1.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	tmpB6C1.tmp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	explorer.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	tmpB6C1.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	2596	5f71a28d2a13a4ae52e629cbc623c6e9_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2304	tmpB6C1.tmp.exe
Token: SeSecurityPrivilege	2304	tmpB6C1.tmp.exe
Token: SeTakeOwnershipPrivilege	2304	tmpB6C1.tmp.exe
Token: SeLoadDriverPrivilege	2304	tmpB6C1.tmp.exe
Token: SeSystemProfilePrivilege	2304	tmpB6C1.tmp.exe
Token: SeSystemtimePrivilege	2304	tmpB6C1.tmp.exe
Token: SeProfSingleProcessPrivilege	2304	tmpB6C1.tmp.exe
Token: SeIncBasePriorityPrivilege	2304	tmpB6C1.tmp.exe
Token: SeCreatePagefilePrivilege	2304	tmpB6C1.tmp.exe
Token: SeBackupPrivilege	2304	tmpB6C1.tmp.exe
Token: SeRestorePrivilege	2304	tmpB6C1.tmp.exe
Token: SeShutdownPrivilege	2304	tmpB6C1.tmp.exe
Token: SeDebugPrivilege	2304	tmpB6C1.tmp.exe
Token: SeSystemEnvironmentPrivilege	2304	tmpB6C1.tmp.exe
Token: SeChangeNotifyPrivilege	2304	tmpB6C1.tmp.exe
Token: SeRemoteShutdownPrivilege	2304	tmpB6C1.tmp.exe
Token: SeUndockPrivilege	2304	tmpB6C1.tmp.exe
Token: SeManageVolumePrivilege	2304	tmpB6C1.tmp.exe
Token: SeImpersonatePrivilege	2304	tmpB6C1.tmp.exe
Token: SeCreateGlobalPrivilege	2304	tmpB6C1.tmp.exe
Token: 33	2304	tmpB6C1.tmp.exe
Token: 34	2304	tmpB6C1.tmp.exe
Token: 35	2304	tmpB6C1.tmp.exe
Token: SeIncreaseQuotaPrivilege	1584	explorer.exe
Token: SeSecurityPrivilege	1584	explorer.exe
Token: SeTakeOwnershipPrivilege	1584	explorer.exe
Token: SeLoadDriverPrivilege	1584	explorer.exe
Token: SeSystemProfilePrivilege	1584	explorer.exe
Token: SeSystemtimePrivilege	1584	explorer.exe
Token: SeProfSingleProcessPrivilege	1584	explorer.exe
Token: SeIncBasePriorityPrivilege	1584	explorer.exe
Token: SeCreatePagefilePrivilege	1584	explorer.exe
Token: SeBackupPrivilege	1584	explorer.exe
Token: SeRestorePrivilege	1584	explorer.exe
Token: SeShutdownPrivilege	1584	explorer.exe
Token: SeDebugPrivilege	1584	explorer.exe
Token: SeSystemEnvironmentPrivilege	1584	explorer.exe
Token: SeChangeNotifyPrivilege	1584	explorer.exe
Token: SeRemoteShutdownPrivilege	1584	explorer.exe
Token: SeUndockPrivilege	1584	explorer.exe
Token: SeManageVolumePrivilege	1584	explorer.exe
Token: SeImpersonatePrivilege	1584	explorer.exe
Token: SeCreateGlobalPrivilege	1584	explorer.exe
Token: 33	1584	explorer.exe
Token: 34	1584	explorer.exe
Token: 35	1584	explorer.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1584	explorer.exe
2456	javaw.exe
2164	javaw.exe
2164	javaw.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 2304	2596	5f71a28d2a13a4ae52e629cbc623c6e9_JaffaCakes118.exe	30
PID 2596 wrote to memory of 2304	2596	5f71a28d2a13a4ae52e629cbc623c6e9_JaffaCakes118.exe	30
PID 2596 wrote to memory of 2304	2596	5f71a28d2a13a4ae52e629cbc623c6e9_JaffaCakes118.exe	30
PID 2596 wrote to memory of 2304	2596	5f71a28d2a13a4ae52e629cbc623c6e9_JaffaCakes118.exe	30
PID 2596 wrote to memory of 2456	2596	5f71a28d2a13a4ae52e629cbc623c6e9_JaffaCakes118.exe	31
PID 2596 wrote to memory of 2456	2596	5f71a28d2a13a4ae52e629cbc623c6e9_JaffaCakes118.exe	31
PID 2596 wrote to memory of 2456	2596	5f71a28d2a13a4ae52e629cbc623c6e9_JaffaCakes118.exe	31
PID 2304 wrote to memory of 1584	2304	tmpB6C1.tmp.exe	32
PID 2304 wrote to memory of 1584	2304	tmpB6C1.tmp.exe	32
PID 2304 wrote to memory of 1584	2304	tmpB6C1.tmp.exe	32
PID 2304 wrote to memory of 1584	2304	tmpB6C1.tmp.exe	32
PID 2304 wrote to memory of 1584	2304	tmpB6C1.tmp.exe	32
PID 2304 wrote to memory of 1584	2304	tmpB6C1.tmp.exe	32
PID 2456 wrote to memory of 2164	2456	javaw.exe	33
PID 2456 wrote to memory of 2164	2456	javaw.exe	33
PID 2456 wrote to memory of 2164	2456	javaw.exe	33

C:\Users\Admin\AppData\Local\Temp\5f71a28d2a13a4ae52e629cbc623c6e9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5f71a28d2a13a4ae52e629cbc623c6e9_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Users\Admin\AppData\Local\Temp\tmpB6C1.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB6C1.tmp.exe"
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\SysWOW64\explorer.exe"
    3⤵
    - Checks BIOS information in registry
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1584
- C:\Program Files\Java\jre7\bin\javaw.exe
  "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\tmpB74F.tmp.jar"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Program Files\Java\jre7\bin\javaw.exe
    javaw -Xmx512m -Dsun.java2d.d3d=false -XX:+UseConcMarkSweepGC -XX:+UseParNewGC -XX:+AggressiveOpts -XX:+UseBiasedLocking -classpath "/C:/Users/Admin/AppData/Local/Temp/tmpB74F.tmp.jar" org.rsbot.Application
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB6C1.tmp.exe

Filesize
690KB

MD5
1e650d93e3510239ae2508a8205d46e3

SHA1
d2c9b27067d65fa205d7e6bfb1129d98de6f49a5

SHA256
d62bd0905f026d62e7f63ebdd3b7cf2d7d36ee304dd14873bb29423b6bc6690f

SHA512
21774d97ff0388fa42324cc02495a5f3c4bac4f137079d052c9a80b53ac3b5dd926d33f0c215232eb6e6e164ff96cf2fce71177714bbd5951ef7286227886570

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB74F.tmp.jar

Filesize
586KB

MD5
472f18032670082617301fde3e5bcea6

SHA1
7c779c49af14b7f95dac48c7941d870d4d5e9637

SHA256
85b1fbb52fb45c3eaffd725010ea0e943ccb058cd218e61a46eb0e2a3a89ecaa

SHA512
c70ae50a82b1fdf47df1c783e89a2cf0fb641361432c80eac4f8363c51f93eee5e4e775d0fc65dbacc1389745f9e0ce8239f0ebaf7c098288454b4fe8d76eb22

Download Submit
C:\Users\Admin\Documents\RSBot\Settings\path.txt

Filesize
49B

MD5
5a8d77804e534dec73c8903f66dbb419

SHA1
842c9a349ecc10e00f04f8d5a9380bb4e5a4e03c

SHA256
9f9597ff3ee41914b1dc233aed0d8fefe11112abbd7dba54e27d02b993674c51

SHA512
1f5b7b31540a926512502e3d0ba67138df2e637013d12f2a1af7c6c74428f3d71a3de5a4774f649eed1c21f884f6170918df64f468512f22e942a04575922d40

Download Submit
memory/1584-20-0x0000000013140000-0x00000000131FE000-memory.dmp

Filesize
760KB

Download
memory/1584-26-0x0000000013140000-0x00000000131FE000-memory.dmp

Filesize
760KB

Download
memory/1584-268-0x0000000013140000-0x00000000131FE000-memory.dmp

Filesize
760KB

Download
memory/1584-21-0x0000000013140000-0x00000000131FE000-memory.dmp

Filesize
760KB

Download
memory/1584-23-0x0000000013140000-0x00000000131FE000-memory.dmp

Filesize
760KB

Download
memory/1584-25-0x0000000013140000-0x00000000131FE000-memory.dmp

Filesize
760KB

Download
memory/1584-24-0x0000000013140000-0x00000000131FE000-memory.dmp

Filesize
760KB

Download
memory/1584-19-0x0000000013140000-0x00000000131FE000-memory.dmp

Filesize
760KB

Download
memory/1584-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1584-14-0x0000000013140000-0x00000000131FE000-memory.dmp

Filesize
760KB

Download
memory/2164-64-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2164-84-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2164-72-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2164-80-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2164-55-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2164-94-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2164-95-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2164-60-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2164-65-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2164-71-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2164-70-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2164-77-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2164-76-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2164-98-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2164-86-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2164-82-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2164-107-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2164-103-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2164-100-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2304-22-0x0000000013140000-0x00000000131FE000-memory.dmp

Filesize
760KB

Download
memory/2304-12-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2596-0-0x000007FEF56EE000-0x000007FEF56EF000-memory.dmp

Filesize
4KB

Download
memory/2596-10-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

Filesize
9.6MB

Download
memory/2596-3-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

Filesize
9.6MB

Download
memory/2596-15-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads