darkcomet | b243464cec5a836812ddd51d38a520d6d692d3ec95ea69530784d967da359ef5

Analysis

max time kernel
128s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20/10/2024, 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5fca3f94b5cf5b15b9336944b1284af4_JaffaCakes118.exe
Size

428KB
MD5

5fca3f94b5cf5b15b9336944b1284af4
SHA1

6615772dd3be52ba82e962a93da1cd70996a5f0e
SHA256

b243464cec5a836812ddd51d38a520d6d692d3ec95ea69530784d967da359ef5
SHA512

ae721c8e0fcab8917fa1c18a6be0ad83ba5ea3b64fb3a74955f3958fbb54b8a32437899d9cbdc3f5803c734ca5f0efc0a4e290691aad6cd13f0a720c26f01b8c
SSDEEP

12288:W13v5CveP1yrtYh4dAzhL8v/v0WCcFG0:WNvYeP1sWJzhLa/N1

Score

10^/10

darkcomet discovery persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Executes dropped EXE 3 IoCs

pid	Process
2588	winf.scr
2380	winf.scr
2472	winf.scr

Loads dropped DLL 5 IoCs

pid	Process
1676	5fca3f94b5cf5b15b9336944b1284af4_JaffaCakes118.exe
1676	5fca3f94b5cf5b15b9336944b1284af4_JaffaCakes118.exe
1676	5fca3f94b5cf5b15b9336944b1284af4_JaffaCakes118.exe
1676	5fca3f94b5cf5b15b9336944b1284af4_JaffaCakes118.exe
1676	5fca3f94b5cf5b15b9336944b1284af4_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Firewall = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Firewall\\winf.scr"	reg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2588 set thread context of 2380	2588	winf.scr	33
PID 2588 set thread context of 2472	2588	winf.scr	34

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2380-47-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2380-52-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2380-51-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2380-60-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2380-59-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2380-58-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2380-62-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2380-63-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2380-65-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2380-67-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2380-69-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2380-71-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2380-73-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2380-75-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2380-77-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2380-79-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2380-81-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2380-83-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2380-85-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2380-87-0x0000000000400000-0x00000000004C9000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winf.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winf.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winf.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5fca3f94b5cf5b15b9336944b1284af4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2380	winf.scr
Token: SeSecurityPrivilege	2380	winf.scr
Token: SeTakeOwnershipPrivilege	2380	winf.scr
Token: SeLoadDriverPrivilege	2380	winf.scr
Token: SeSystemProfilePrivilege	2380	winf.scr
Token: SeSystemtimePrivilege	2380	winf.scr
Token: SeProfSingleProcessPrivilege	2380	winf.scr
Token: SeIncBasePriorityPrivilege	2380	winf.scr
Token: SeCreatePagefilePrivilege	2380	winf.scr
Token: SeBackupPrivilege	2380	winf.scr
Token: SeRestorePrivilege	2380	winf.scr
Token: SeShutdownPrivilege	2380	winf.scr
Token: SeDebugPrivilege	2380	winf.scr
Token: SeSystemEnvironmentPrivilege	2380	winf.scr
Token: SeChangeNotifyPrivilege	2380	winf.scr
Token: SeRemoteShutdownPrivilege	2380	winf.scr
Token: SeUndockPrivilege	2380	winf.scr
Token: SeManageVolumePrivilege	2380	winf.scr
Token: SeImpersonatePrivilege	2380	winf.scr
Token: SeCreateGlobalPrivilege	2380	winf.scr
Token: 33	2380	winf.scr
Token: 34	2380	winf.scr
Token: 35	2380	winf.scr
Token: SeDebugPrivilege	2472	winf.scr

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2864	DllHost.exe
2864	DllHost.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1676	5fca3f94b5cf5b15b9336944b1284af4_JaffaCakes118.exe
2588	winf.scr
2864	DllHost.exe
2864	DllHost.exe
2472	winf.scr
2380	winf.scr
2864	DllHost.exe
2864	DllHost.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 1172	1676	5fca3f94b5cf5b15b9336944b1284af4_JaffaCakes118.exe	29
PID 1676 wrote to memory of 1172	1676	5fca3f94b5cf5b15b9336944b1284af4_JaffaCakes118.exe	29
PID 1676 wrote to memory of 1172	1676	5fca3f94b5cf5b15b9336944b1284af4_JaffaCakes118.exe	29
PID 1676 wrote to memory of 1172	1676	5fca3f94b5cf5b15b9336944b1284af4_JaffaCakes118.exe	29
PID 1172 wrote to memory of 308	1172	cmd.exe	31
PID 1172 wrote to memory of 308	1172	cmd.exe	31
PID 1172 wrote to memory of 308	1172	cmd.exe	31
PID 1172 wrote to memory of 308	1172	cmd.exe	31
PID 1676 wrote to memory of 2588	1676	5fca3f94b5cf5b15b9336944b1284af4_JaffaCakes118.exe	32
PID 1676 wrote to memory of 2588	1676	5fca3f94b5cf5b15b9336944b1284af4_JaffaCakes118.exe	32
PID 1676 wrote to memory of 2588	1676	5fca3f94b5cf5b15b9336944b1284af4_JaffaCakes118.exe	32
PID 1676 wrote to memory of 2588	1676	5fca3f94b5cf5b15b9336944b1284af4_JaffaCakes118.exe	32
PID 2588 wrote to memory of 2380	2588	winf.scr	33
PID 2588 wrote to memory of 2380	2588	winf.scr	33
PID 2588 wrote to memory of 2380	2588	winf.scr	33
PID 2588 wrote to memory of 2380	2588	winf.scr	33
PID 2588 wrote to memory of 2380	2588	winf.scr	33
PID 2588 wrote to memory of 2380	2588	winf.scr	33
PID 2588 wrote to memory of 2380	2588	winf.scr	33
PID 2588 wrote to memory of 2380	2588	winf.scr	33
PID 2588 wrote to memory of 2380	2588	winf.scr	33
PID 2588 wrote to memory of 2472	2588	winf.scr	34
PID 2588 wrote to memory of 2472	2588	winf.scr	34
PID 2588 wrote to memory of 2472	2588	winf.scr	34
PID 2588 wrote to memory of 2472	2588	winf.scr	34
PID 2588 wrote to memory of 2472	2588	winf.scr	34
PID 2588 wrote to memory of 2472	2588	winf.scr	34
PID 2588 wrote to memory of 2472	2588	winf.scr	34
PID 2588 wrote to memory of 2472	2588	winf.scr	34

C:\Users\Admin\AppData\Local\Temp\5fca3f94b5cf5b15b9336944b1284af4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5fca3f94b5cf5b15b9336944b1284af4_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\259435372.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1172
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Firewall" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Firewall\winf.scr" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:308
- C:\Users\Admin\AppData\Roaming\Windows Firewall\winf.scr
  "C:\Users\Admin\AppData\Roaming\Windows Firewall\winf.scr" /S
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Users\Admin\AppData\Roaming\Windows Firewall\winf.scr
    "C:\Users\Admin\AppData\Roaming\Windows Firewall\winf.scr"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2380
- - C:\Users\Admin\AppData\Roaming\Windows Firewall\winf.scr
    "C:\Users\Admin\AppData\Roaming\Windows Firewall\winf.scr"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2472

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259435153.jpg

Filesize
23KB

MD5
c99b18dc14fbb96ee35358c6d3c2507c

SHA1
6f20b16de62e9e758517e14f2b7e1772a585d785

SHA256
d882743b9e495254e6787253a6acdcb9e439f9309941816f7382182fd1a75497

SHA512
6bf2bc217b4ca2b45198d7815a2fc77134257e98407efb6993907683d1d5dbe63afc927c076f1cff3a6e7cfe27496e7e91b8a11646a2819e075681f21b64e3b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\259435372.bat

Filesize
157B

MD5
1cdda77d900ebd27ba1dfe5bfe0e4b04

SHA1
7d32f8b91e83ac39faad1870c49ce3d418118c49

SHA256
4b22dcda64882e4af03659e202087268ae87a5328e1d63fe51ba035052e31e17

SHA512
998ee331c3e87db5b62f5b01d934d61f6d9ec26e022806b633923c3b5d3a3f2ce936ab8740157a73c9b4081f15d20f1112a9cfd57a2e6e1a492d29af56b53ae0

Download Submit
\Users\Admin\AppData\Roaming\Windows Firewall\winf.scr

Filesize
428KB

MD5
5fca3f94b5cf5b15b9336944b1284af4

SHA1
6615772dd3be52ba82e962a93da1cd70996a5f0e

SHA256
b243464cec5a836812ddd51d38a520d6d692d3ec95ea69530784d967da359ef5

SHA512
ae721c8e0fcab8917fa1c18a6be0ad83ba5ea3b64fb3a74955f3958fbb54b8a32437899d9cbdc3f5803c734ca5f0efc0a4e290691aad6cd13f0a720c26f01b8c

Download Submit
memory/1676-3-0x0000000003460000-0x0000000003462000-memory.dmp

Filesize
8KB

Download
memory/2380-71-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2380-75-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2380-87-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2380-47-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2380-85-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2380-83-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2380-81-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2380-79-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2380-52-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2380-51-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2380-60-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2380-59-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2380-58-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2380-77-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2380-62-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2380-73-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2380-63-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2380-65-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2380-67-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2380-69-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2472-64-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2472-54-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2472-53-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2472-50-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2472-48-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2588-44-0x00000000026D0000-0x00000000026D2000-memory.dmp

Filesize
8KB

Download
memory/2864-4-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/2864-5-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2864-61-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads