darkcomet | d72a399bdf5600d7abcd008ed5d37cbf71b08046702cd885fac3a0d33adea2da

Analysis

max time kernel
147s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2024, 00:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f71a28d2a13a4ae52e629cbc623c6e9_JaffaCakes118.exe
Size

1.3MB
MD5

5f71a28d2a13a4ae52e629cbc623c6e9
SHA1

4303496525deacda6a89228561615e9bf9c5d8f2
SHA256

d72a399bdf5600d7abcd008ed5d37cbf71b08046702cd885fac3a0d33adea2da
SHA512

2f60353c3071ab303f9986be77992ce372ecebba08c4c8f682a82fab389931c1640423d4f7ae8b2686bf828e3a130de442a5b5925a1697375e289acf2995653a
SSDEEP

24576:Lmv86/nmFmu9FujCXCedRp3UVqGwAZs1EJ+OcKiu:LRwn9pCSWfEVqGrJji

Score

10^/10

darkcomet discovery rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	tmp8731.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	5f71a28d2a13a4ae52e629cbc623c6e9_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1096	tmp8731.tmp.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1096 set thread context of 2256	1096	tmp8731.tmp.exe	87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8731.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	tmp8731.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	tmp8731.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	tmp8731.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	tmp8731.tmp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	explorer.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	tmp8731.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	5f71a28d2a13a4ae52e629cbc623c6e9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	javaw.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	javaw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	javaw.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	javaw.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	5064	5f71a28d2a13a4ae52e629cbc623c6e9_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	1096	tmp8731.tmp.exe
Token: SeSecurityPrivilege	1096	tmp8731.tmp.exe
Token: SeTakeOwnershipPrivilege	1096	tmp8731.tmp.exe
Token: SeLoadDriverPrivilege	1096	tmp8731.tmp.exe
Token: SeSystemProfilePrivilege	1096	tmp8731.tmp.exe
Token: SeSystemtimePrivilege	1096	tmp8731.tmp.exe
Token: SeProfSingleProcessPrivilege	1096	tmp8731.tmp.exe
Token: SeIncBasePriorityPrivilege	1096	tmp8731.tmp.exe
Token: SeCreatePagefilePrivilege	1096	tmp8731.tmp.exe
Token: SeBackupPrivilege	1096	tmp8731.tmp.exe
Token: SeRestorePrivilege	1096	tmp8731.tmp.exe
Token: SeShutdownPrivilege	1096	tmp8731.tmp.exe
Token: SeDebugPrivilege	1096	tmp8731.tmp.exe
Token: SeSystemEnvironmentPrivilege	1096	tmp8731.tmp.exe
Token: SeChangeNotifyPrivilege	1096	tmp8731.tmp.exe
Token: SeRemoteShutdownPrivilege	1096	tmp8731.tmp.exe
Token: SeUndockPrivilege	1096	tmp8731.tmp.exe
Token: SeManageVolumePrivilege	1096	tmp8731.tmp.exe
Token: SeImpersonatePrivilege	1096	tmp8731.tmp.exe
Token: SeCreateGlobalPrivilege	1096	tmp8731.tmp.exe
Token: 33	1096	tmp8731.tmp.exe
Token: 34	1096	tmp8731.tmp.exe
Token: 35	1096	tmp8731.tmp.exe
Token: 36	1096	tmp8731.tmp.exe
Token: SeIncreaseQuotaPrivilege	2256	explorer.exe
Token: SeSecurityPrivilege	2256	explorer.exe
Token: SeTakeOwnershipPrivilege	2256	explorer.exe
Token: SeLoadDriverPrivilege	2256	explorer.exe
Token: SeSystemProfilePrivilege	2256	explorer.exe
Token: SeSystemtimePrivilege	2256	explorer.exe
Token: SeProfSingleProcessPrivilege	2256	explorer.exe
Token: SeIncBasePriorityPrivilege	2256	explorer.exe
Token: SeCreatePagefilePrivilege	2256	explorer.exe
Token: SeBackupPrivilege	2256	explorer.exe
Token: SeRestorePrivilege	2256	explorer.exe
Token: SeShutdownPrivilege	2256	explorer.exe
Token: SeDebugPrivilege	2256	explorer.exe
Token: SeSystemEnvironmentPrivilege	2256	explorer.exe
Token: SeChangeNotifyPrivilege	2256	explorer.exe
Token: SeRemoteShutdownPrivilege	2256	explorer.exe
Token: SeUndockPrivilege	2256	explorer.exe
Token: SeManageVolumePrivilege	2256	explorer.exe
Token: SeImpersonatePrivilege	2256	explorer.exe
Token: SeCreateGlobalPrivilege	2256	explorer.exe
Token: 33	2256	explorer.exe
Token: 34	2256	explorer.exe
Token: 35	2256	explorer.exe
Token: 36	2256	explorer.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2256	explorer.exe
1544	javaw.exe
3684	javaw.exe
3684	javaw.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5064 wrote to memory of 1096	5064	5f71a28d2a13a4ae52e629cbc623c6e9_JaffaCakes118.exe	84
PID 5064 wrote to memory of 1096	5064	5f71a28d2a13a4ae52e629cbc623c6e9_JaffaCakes118.exe	84
PID 5064 wrote to memory of 1096	5064	5f71a28d2a13a4ae52e629cbc623c6e9_JaffaCakes118.exe	84
PID 5064 wrote to memory of 1544	5064	5f71a28d2a13a4ae52e629cbc623c6e9_JaffaCakes118.exe	85
PID 5064 wrote to memory of 1544	5064	5f71a28d2a13a4ae52e629cbc623c6e9_JaffaCakes118.exe	85
PID 1096 wrote to memory of 2256	1096	tmp8731.tmp.exe	87
PID 1096 wrote to memory of 2256	1096	tmp8731.tmp.exe	87
PID 1096 wrote to memory of 2256	1096	tmp8731.tmp.exe	87
PID 1096 wrote to memory of 2256	1096	tmp8731.tmp.exe	87
PID 1096 wrote to memory of 2256	1096	tmp8731.tmp.exe	87
PID 1544 wrote to memory of 3684	1544	javaw.exe	90
PID 1544 wrote to memory of 3684	1544	javaw.exe	90

C:\Users\Admin\AppData\Local\Temp\5f71a28d2a13a4ae52e629cbc623c6e9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5f71a28d2a13a4ae52e629cbc623c6e9_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Users\Admin\AppData\Local\Temp\tmp8731.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8731.tmp.exe"
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\SysWOW64\explorer.exe"
    3⤵
    - Checks BIOS information in registry
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2256
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\tmp89A3.tmp.jar"
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Program Files\Java\jre-1.8\bin\javaw.exe
    javaw -Xmx512m -Dsun.java2d.d3d=false -XX:+UseConcMarkSweepGC -XX:+UseParNewGC -XX:+AggressiveOpts -XX:+UseBiasedLocking -classpath "/C:/Users/Admin/AppData/Local/Temp/tmp89A3.tmp.jar" org.rsbot.Application
    3⤵
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:3684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
82ce1085647f9c95eba55dfe3c54a151

SHA1
45d931d213a4fdcfb50ea4d1257b3fbb3b5a2b3e

SHA256
f3eafc76012e1423c7694f92ceef2642fcd16244eb4f1e8a28cf072951e819d1

SHA512
85b8fd8990af58a06824472601413019f42df50a908a6bc31aac82aba22aa2d8cedff8aa1eb33b86bb927afe3c3b85820c14f6396804c6f822c59af8c479acab

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8731.tmp.exe

Filesize
690KB

MD5
1e650d93e3510239ae2508a8205d46e3

SHA1
d2c9b27067d65fa205d7e6bfb1129d98de6f49a5

SHA256
d62bd0905f026d62e7f63ebdd3b7cf2d7d36ee304dd14873bb29423b6bc6690f

SHA512
21774d97ff0388fa42324cc02495a5f3c4bac4f137079d052c9a80b53ac3b5dd926d33f0c215232eb6e6e164ff96cf2fce71177714bbd5951ef7286227886570

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp89A3.tmp.jar

Filesize
586KB

MD5
472f18032670082617301fde3e5bcea6

SHA1
7c779c49af14b7f95dac48c7941d870d4d5e9637

SHA256
85b1fbb52fb45c3eaffd725010ea0e943ccb058cd218e61a46eb0e2a3a89ecaa

SHA512
c70ae50a82b1fdf47df1c783e89a2cf0fb641361432c80eac4f8363c51f93eee5e4e775d0fc65dbacc1389745f9e0ce8239f0ebaf7c098288454b4fe8d76eb22

Download Submit
C:\Users\Admin\Documents\RSBot\Settings\path.txt

Filesize
49B

MD5
4f2dbe134e19f042a9b3c8c342e052b0

SHA1
2ed99fa554c5bd7d7486b903328d90f291bb5d81

SHA256
cf5e3e8f2d987f9fe557303a33202059b01e6861e22ce748197f64132bc47810

SHA512
f8de3a0adee79e0b760332ce2367eafc97ed32085e97354874170b290242358c764fed243425ab69f26dcb7cff1c8035cd8cda831bbf0fedaf9f9534781e0b3e

Download Submit
memory/1096-24-0x0000000013140000-0x00000000131FE000-memory.dmp

Filesize
760KB

Download
memory/1544-18-0x00000210C0D30000-0x00000210C0FA0000-memory.dmp

Filesize
2.4MB

Download
memory/1544-52-0x00000210BF460000-0x00000210BF461000-memory.dmp

Filesize
4KB

Download
memory/1544-154-0x00000210C0D30000-0x00000210C0FA0000-memory.dmp

Filesize
2.4MB

Download
memory/2256-22-0x0000000013140000-0x00000000131FE000-memory.dmp

Filesize
760KB

Download
memory/2256-23-0x0000000013140000-0x00000000131FE000-memory.dmp

Filesize
760KB

Download
memory/2256-25-0x0000000013140000-0x00000000131FE000-memory.dmp

Filesize
760KB

Download
memory/2256-27-0x0000000013140000-0x00000000131FE000-memory.dmp

Filesize
760KB

Download
memory/2256-26-0x0000000013140000-0x00000000131FE000-memory.dmp

Filesize
760KB

Download
memory/3684-56-0x000001B8BD880000-0x000001B8BD881000-memory.dmp

Filesize
4KB

Download
memory/3684-96-0x000001B8BD880000-0x000001B8BD881000-memory.dmp

Filesize
4KB

Download
memory/3684-124-0x000001B8BD880000-0x000001B8BD881000-memory.dmp

Filesize
4KB

Download
memory/3684-126-0x000001B8BD880000-0x000001B8BD881000-memory.dmp

Filesize
4KB

Download
memory/3684-122-0x000001B8BD880000-0x000001B8BD881000-memory.dmp

Filesize
4KB

Download
memory/3684-62-0x000001B8BD880000-0x000001B8BD881000-memory.dmp

Filesize
4KB

Download
memory/3684-73-0x000001B8BD880000-0x000001B8BD881000-memory.dmp

Filesize
4KB

Download
memory/3684-80-0x000001B8BD880000-0x000001B8BD881000-memory.dmp

Filesize
4KB

Download
memory/3684-81-0x000001B8BD880000-0x000001B8BD881000-memory.dmp

Filesize
4KB

Download
memory/3684-89-0x000001B8BD880000-0x000001B8BD881000-memory.dmp

Filesize
4KB

Download
memory/3684-91-0x000001B8BD880000-0x000001B8BD881000-memory.dmp

Filesize
4KB

Download
memory/3684-106-0x000001B8BD880000-0x000001B8BD881000-memory.dmp

Filesize
4KB

Download
memory/3684-102-0x000001B8BD880000-0x000001B8BD881000-memory.dmp

Filesize
4KB

Download
memory/3684-100-0x000001B8BD880000-0x000001B8BD881000-memory.dmp

Filesize
4KB

Download
memory/3684-95-0x000001B8BD880000-0x000001B8BD881000-memory.dmp

Filesize
4KB

Download
memory/3684-104-0x000001B8BD880000-0x000001B8BD881000-memory.dmp

Filesize
4KB

Download
memory/5064-19-0x00007FFDBE9C0000-0x00007FFDBF361000-memory.dmp

Filesize
9.6MB

Download
memory/5064-2-0x00007FFDBE9C0000-0x00007FFDBF361000-memory.dmp

Filesize
9.6MB

Download
memory/5064-0-0x00007FFDBEC75000-0x00007FFDBEC76000-memory.dmp

Filesize
4KB

Download
memory/5064-4-0x00007FFDBE9C0000-0x00007FFDBF361000-memory.dmp

Filesize
9.6MB

Download
memory/5064-1-0x000000001B300000-0x000000001B3A6000-memory.dmp

Filesize
664KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads