darkcomet | bd4419248eef2c6dd4f4a353b3b8cea834b58f34720f2c2b6208d3137131882e

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-10-2024 01:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c9e9cc367698595e74d1ebb80488faa_JaffaCakes118.exe
Size

1.3MB
MD5

6c9e9cc367698595e74d1ebb80488faa
SHA1

d367f2c47f611939b97efb96bfaff69a048b5107
SHA256

bd4419248eef2c6dd4f4a353b3b8cea834b58f34720f2c2b6208d3137131882e
SHA512

3bb47ebe4a9ffdc18270ccd7b8e1110a02fe722a9c281ad5b5d2bc0e0623bec3412127b70f2be1dceafab5d52103aaebb6e6c4107406ea97eaaf1039febea956
SSDEEP

12288:GeXWw5rArh3i/5hzJTIuN7w92L7FAQB+4H6IKZDIZLgsOnBCHuVSerxaE6Kka/wE:v/5eyPrFfi54HQDEL7qxnsU3SY

Score

10^/10

darkcomet discovery rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

KRdiaD0JAK4QMSc2.exeexplorer.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	KRdiaD0JAK4QMSc2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe

Executes dropped EXE 2 IoCs

Processes:

KRdiaD0JAK4QMSc2.exeC75fLW7TZsQwmcD.exe

pid	Process
2260	KRdiaD0JAK4QMSc2.exe
1724	C75fLW7TZsQwmcD.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

KRdiaD0JAK4QMSc2.exe

description	pid	Process	procid_target
PID 2260 set thread context of 1256	2260	KRdiaD0JAK4QMSc2.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

KRdiaD0JAK4QMSc2.exeC75fLW7TZsQwmcD.exeexplorer.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KRdiaD0JAK4QMSc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C75fLW7TZsQwmcD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorer.exeKRdiaD0JAK4QMSc2.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	KRdiaD0JAK4QMSc2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	KRdiaD0JAK4QMSc2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	KRdiaD0JAK4QMSc2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	KRdiaD0JAK4QMSc2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

KRdiaD0JAK4QMSc2.exeexplorer.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	KRdiaD0JAK4QMSc2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

Processes:

6c9e9cc367698595e74d1ebb80488faa_JaffaCakes118.exeKRdiaD0JAK4QMSc2.exeexplorer.exe

description	pid	Process
Token: SeDebugPrivilege	2900	6c9e9cc367698595e74d1ebb80488faa_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2260	KRdiaD0JAK4QMSc2.exe
Token: SeSecurityPrivilege	2260	KRdiaD0JAK4QMSc2.exe
Token: SeTakeOwnershipPrivilege	2260	KRdiaD0JAK4QMSc2.exe
Token: SeLoadDriverPrivilege	2260	KRdiaD0JAK4QMSc2.exe
Token: SeSystemProfilePrivilege	2260	KRdiaD0JAK4QMSc2.exe
Token: SeSystemtimePrivilege	2260	KRdiaD0JAK4QMSc2.exe
Token: SeProfSingleProcessPrivilege	2260	KRdiaD0JAK4QMSc2.exe
Token: SeIncBasePriorityPrivilege	2260	KRdiaD0JAK4QMSc2.exe
Token: SeCreatePagefilePrivilege	2260	KRdiaD0JAK4QMSc2.exe
Token: SeBackupPrivilege	2260	KRdiaD0JAK4QMSc2.exe
Token: SeRestorePrivilege	2260	KRdiaD0JAK4QMSc2.exe
Token: SeShutdownPrivilege	2260	KRdiaD0JAK4QMSc2.exe
Token: SeDebugPrivilege	2260	KRdiaD0JAK4QMSc2.exe
Token: SeSystemEnvironmentPrivilege	2260	KRdiaD0JAK4QMSc2.exe
Token: SeChangeNotifyPrivilege	2260	KRdiaD0JAK4QMSc2.exe
Token: SeRemoteShutdownPrivilege	2260	KRdiaD0JAK4QMSc2.exe
Token: SeUndockPrivilege	2260	KRdiaD0JAK4QMSc2.exe
Token: SeManageVolumePrivilege	2260	KRdiaD0JAK4QMSc2.exe
Token: SeImpersonatePrivilege	2260	KRdiaD0JAK4QMSc2.exe
Token: SeCreateGlobalPrivilege	2260	KRdiaD0JAK4QMSc2.exe
Token: 33	2260	KRdiaD0JAK4QMSc2.exe
Token: 34	2260	KRdiaD0JAK4QMSc2.exe
Token: 35	2260	KRdiaD0JAK4QMSc2.exe
Token: SeIncreaseQuotaPrivilege	1256	explorer.exe
Token: SeSecurityPrivilege	1256	explorer.exe
Token: SeTakeOwnershipPrivilege	1256	explorer.exe
Token: SeLoadDriverPrivilege	1256	explorer.exe
Token: SeSystemProfilePrivilege	1256	explorer.exe
Token: SeSystemtimePrivilege	1256	explorer.exe
Token: SeProfSingleProcessPrivilege	1256	explorer.exe
Token: SeIncBasePriorityPrivilege	1256	explorer.exe
Token: SeCreatePagefilePrivilege	1256	explorer.exe
Token: SeBackupPrivilege	1256	explorer.exe
Token: SeRestorePrivilege	1256	explorer.exe
Token: SeShutdownPrivilege	1256	explorer.exe
Token: SeDebugPrivilege	1256	explorer.exe
Token: SeSystemEnvironmentPrivilege	1256	explorer.exe
Token: SeChangeNotifyPrivilege	1256	explorer.exe
Token: SeRemoteShutdownPrivilege	1256	explorer.exe
Token: SeUndockPrivilege	1256	explorer.exe
Token: SeManageVolumePrivilege	1256	explorer.exe
Token: SeImpersonatePrivilege	1256	explorer.exe
Token: SeCreateGlobalPrivilege	1256	explorer.exe
Token: 33	1256	explorer.exe
Token: 34	1256	explorer.exe
Token: 35	1256	explorer.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

6c9e9cc367698595e74d1ebb80488faa_JaffaCakes118.exeKRdiaD0JAK4QMSc2.exe

description	pid	Process	procid_target
PID 2900 wrote to memory of 2260	2900	6c9e9cc367698595e74d1ebb80488faa_JaffaCakes118.exe	28
PID 2900 wrote to memory of 2260	2900	6c9e9cc367698595e74d1ebb80488faa_JaffaCakes118.exe	28
PID 2900 wrote to memory of 2260	2900	6c9e9cc367698595e74d1ebb80488faa_JaffaCakes118.exe	28
PID 2900 wrote to memory of 2260	2900	6c9e9cc367698595e74d1ebb80488faa_JaffaCakes118.exe	28
PID 2900 wrote to memory of 1724	2900	6c9e9cc367698595e74d1ebb80488faa_JaffaCakes118.exe	29
PID 2900 wrote to memory of 1724	2900	6c9e9cc367698595e74d1ebb80488faa_JaffaCakes118.exe	29
PID 2900 wrote to memory of 1724	2900	6c9e9cc367698595e74d1ebb80488faa_JaffaCakes118.exe	29
PID 2900 wrote to memory of 1724	2900	6c9e9cc367698595e74d1ebb80488faa_JaffaCakes118.exe	29
PID 2260 wrote to memory of 1256	2260	KRdiaD0JAK4QMSc2.exe	30
PID 2260 wrote to memory of 1256	2260	KRdiaD0JAK4QMSc2.exe	30
PID 2260 wrote to memory of 1256	2260	KRdiaD0JAK4QMSc2.exe	30
PID 2260 wrote to memory of 1256	2260	KRdiaD0JAK4QMSc2.exe	30
PID 2260 wrote to memory of 1256	2260	KRdiaD0JAK4QMSc2.exe	30
PID 2260 wrote to memory of 1256	2260	KRdiaD0JAK4QMSc2.exe	30

C:\Users\Admin\AppData\Local\Temp\6c9e9cc367698595e74d1ebb80488faa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6c9e9cc367698595e74d1ebb80488faa_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Users\Admin\AppData\Local\Temp\KRdiaD0JAK4QMSc2.exe
  "C:\Users\Admin\AppData\Local\Temp\KRdiaD0JAK4QMSc2.exe"
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\SysWOW64\explorer.exe"
    3⤵
    - Checks BIOS information in registry
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:1256
- C:\Users\Admin\AppData\Local\Temp\C75fLW7TZsQwmcD.exe
  "C:\Users\Admin\AppData\Local\Temp\C75fLW7TZsQwmcD.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C75fLW7TZsQwmcD.exe

Filesize
679KB

MD5
605a171c61a0607bdcf6be80ed07cf95

SHA1
477d4391b0d84406127e43ead289a3596ac1e5e5

SHA256
09b78dc85713ca0f27f17d94c939cc606a59847c1f2b5cdd281b52a48cdaeab9

SHA512
3b32197d76951d0e1cd7043758af9b33be12b30c03df00a3ef36078205fa95b1582f65bdf4437a1b879a922d2950868e905bcd2227ce3816d5437556b103d338

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRdiaD0JAK4QMSc2.exe

Filesize
635KB

MD5
dac515e4995d35e9e96f745957040d4d

SHA1
56285d7669dc2686ccbfa6403d590cb5eb7c4f8c

SHA256
4e5f9fad34dcae36fda683d1c0517bac1d62d15ea30dc31cc46930801d048ec6

SHA512
68ae67edb6c50a8a36767d1efa413d60ebd6287e52b08ec9935e15b188fb04e5856537ba4d3d9fe27eb0ea59ca17a9dc712ce89ae7cd6b609cab5b41295102d5

Download Submit
memory/1256-21-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1256-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1256-24-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1256-26-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1256-27-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1256-28-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1256-29-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1724-30-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2260-25-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2900-12-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

Filesize
9.6MB

Download
memory/2900-18-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

Filesize
9.6MB

Download
memory/2900-19-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

Filesize
9.6MB

Download
memory/2900-0-0x000007FEF588E000-0x000007FEF588F000-memory.dmp

Filesize
4KB

Download