darkcomet | ca70007968fb2447d9d568b5c0140513784f7307def356186939729b07ac43a2

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
23-10-2024 13:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f43b537783e3773add26914099c217d_JaffaCakes118.exe
Size

1.6MB
MD5

6f43b537783e3773add26914099c217d
SHA1

50c8407245bc0c90189c27daa2246970a66156cb
SHA256

ca70007968fb2447d9d568b5c0140513784f7307def356186939729b07ac43a2
SHA512

f8130d71907f35938b0990598e469e044714aea0a5c2502cdc1a7dfeefbf03b112bb3ee8144efb0f02098727f77d8876c608a25f9c06ab2e5cb5251571f19a1c
SSDEEP

24576:BWScgdxiL5Ef37aV0tWaigK+uEVLVCk0dt+YJea+oZbbn2V1DjFLfyuO2+U:BwcxoYraMFigKbUVCkm++egbnUtLR

Score

10^/10

darkcomet toontown membership generator discovery persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Toontown Membership Generator

powermaniac.no-ip.org:100

Mutex

DC_MUTEX-PD9KZXK

Attributes

gencode
HkjBUXctdV6u
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Executes dropped EXE 6 IoCs

Processes:

NICKS SHIZ.EXESHADOW FUNNY.EXEwinini.exewinini.execvtres.execvtres.exe

pid	Process
1856	NICKS SHIZ.EXE
2344	SHADOW FUNNY.EXE
2812	winini.exe
2796	winini.exe
2788	cvtres.exe
2844	cvtres.exe

Loads dropped DLL 10 IoCs

Processes:

6f43b537783e3773add26914099c217d_JaffaCakes118.exeNICKS SHIZ.EXESHADOW FUNNY.EXEwinini.exewinini.exe

pid	Process
2380	6f43b537783e3773add26914099c217d_JaffaCakes118.exe
2380	6f43b537783e3773add26914099c217d_JaffaCakes118.exe
2380	6f43b537783e3773add26914099c217d_JaffaCakes118.exe
2380	6f43b537783e3773add26914099c217d_JaffaCakes118.exe
1856	NICKS SHIZ.EXE
1856	NICKS SHIZ.EXE
2344	SHADOW FUNNY.EXE
2344	SHADOW FUNNY.EXE
2796	winini.exe
2812	winini.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

winini.exewinini.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\eviL swodniW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\eviL swodniW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\winini.exe"	winini.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

winini.exewinini.exe

description	pid	Process	procid_target
PID 2796 set thread context of 2788	2796	winini.exe	34
PID 2812 set thread context of 2844	2812	winini.exe	35

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2788-62-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2788-51-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2788-48-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2788-46-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2844-63-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2844-65-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2844-68-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2844-67-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2788-71-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2844-72-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2844-73-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2844-74-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2844-75-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2844-76-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2844-77-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2844-78-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2844-79-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2844-80-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2844-81-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2844-82-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2844-83-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2844-84-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2844-85-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2844-86-0x0000000000400000-0x00000000004B5000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

6f43b537783e3773add26914099c217d_JaffaCakes118.exeNICKS SHIZ.EXESHADOW FUNNY.EXEwinini.exewinini.execvtres.execvtres.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6f43b537783e3773add26914099c217d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NICKS SHIZ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SHADOW FUNNY.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

winini.exewinini.execvtres.execvtres.exe

description	pid	Process
Token: SeDebugPrivilege	2812	winini.exe
Token: SeDebugPrivilege	2796	winini.exe
Token: SeIncreaseQuotaPrivilege	2844	cvtres.exe
Token: SeSecurityPrivilege	2844	cvtres.exe
Token: SeTakeOwnershipPrivilege	2844	cvtres.exe
Token: SeLoadDriverPrivilege	2844	cvtres.exe
Token: SeSystemProfilePrivilege	2844	cvtres.exe
Token: SeSystemtimePrivilege	2844	cvtres.exe
Token: SeProfSingleProcessPrivilege	2844	cvtres.exe
Token: SeIncBasePriorityPrivilege	2844	cvtres.exe
Token: SeCreatePagefilePrivilege	2844	cvtres.exe
Token: SeBackupPrivilege	2844	cvtres.exe
Token: SeRestorePrivilege	2844	cvtres.exe
Token: SeShutdownPrivilege	2844	cvtres.exe
Token: SeDebugPrivilege	2844	cvtres.exe
Token: SeSystemEnvironmentPrivilege	2844	cvtres.exe
Token: SeChangeNotifyPrivilege	2844	cvtres.exe
Token: SeRemoteShutdownPrivilege	2844	cvtres.exe
Token: SeUndockPrivilege	2844	cvtres.exe
Token: SeManageVolumePrivilege	2844	cvtres.exe
Token: SeImpersonatePrivilege	2844	cvtres.exe
Token: SeCreateGlobalPrivilege	2844	cvtres.exe
Token: 33	2844	cvtres.exe
Token: SeIncreaseQuotaPrivilege	2788	cvtres.exe
Token: 34	2844	cvtres.exe
Token: 35	2844	cvtres.exe
Token: SeSecurityPrivilege	2788	cvtres.exe
Token: SeTakeOwnershipPrivilege	2788	cvtres.exe
Token: SeLoadDriverPrivilege	2788	cvtres.exe
Token: SeSystemProfilePrivilege	2788	cvtres.exe
Token: SeSystemtimePrivilege	2788	cvtres.exe
Token: SeProfSingleProcessPrivilege	2788	cvtres.exe
Token: SeIncBasePriorityPrivilege	2788	cvtres.exe
Token: SeCreatePagefilePrivilege	2788	cvtres.exe
Token: SeBackupPrivilege	2788	cvtres.exe
Token: SeRestorePrivilege	2788	cvtres.exe
Token: SeShutdownPrivilege	2788	cvtres.exe
Token: SeDebugPrivilege	2788	cvtres.exe
Token: SeSystemEnvironmentPrivilege	2788	cvtres.exe
Token: SeChangeNotifyPrivilege	2788	cvtres.exe
Token: SeRemoteShutdownPrivilege	2788	cvtres.exe
Token: SeUndockPrivilege	2788	cvtres.exe
Token: SeManageVolumePrivilege	2788	cvtres.exe
Token: SeImpersonatePrivilege	2788	cvtres.exe
Token: SeCreateGlobalPrivilege	2788	cvtres.exe
Token: 33	2788	cvtres.exe
Token: 34	2788	cvtres.exe
Token: 35	2788	cvtres.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cvtres.exe

pid	Process
2844	cvtres.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

6f43b537783e3773add26914099c217d_JaffaCakes118.exeNICKS SHIZ.EXESHADOW FUNNY.EXEwinini.exewinini.exe

description	pid	Process	procid_target
PID 2380 wrote to memory of 1856	2380	6f43b537783e3773add26914099c217d_JaffaCakes118.exe	30
PID 2380 wrote to memory of 1856	2380	6f43b537783e3773add26914099c217d_JaffaCakes118.exe	30
PID 2380 wrote to memory of 1856	2380	6f43b537783e3773add26914099c217d_JaffaCakes118.exe	30
PID 2380 wrote to memory of 1856	2380	6f43b537783e3773add26914099c217d_JaffaCakes118.exe	30
PID 2380 wrote to memory of 2344	2380	6f43b537783e3773add26914099c217d_JaffaCakes118.exe	31
PID 2380 wrote to memory of 2344	2380	6f43b537783e3773add26914099c217d_JaffaCakes118.exe	31
PID 2380 wrote to memory of 2344	2380	6f43b537783e3773add26914099c217d_JaffaCakes118.exe	31
PID 2380 wrote to memory of 2344	2380	6f43b537783e3773add26914099c217d_JaffaCakes118.exe	31
PID 1856 wrote to memory of 2812	1856	NICKS SHIZ.EXE	32
PID 1856 wrote to memory of 2812	1856	NICKS SHIZ.EXE	32
PID 1856 wrote to memory of 2812	1856	NICKS SHIZ.EXE	32
PID 1856 wrote to memory of 2812	1856	NICKS SHIZ.EXE	32
PID 2344 wrote to memory of 2796	2344	SHADOW FUNNY.EXE	33
PID 2344 wrote to memory of 2796	2344	SHADOW FUNNY.EXE	33
PID 2344 wrote to memory of 2796	2344	SHADOW FUNNY.EXE	33
PID 2344 wrote to memory of 2796	2344	SHADOW FUNNY.EXE	33
PID 2796 wrote to memory of 2788	2796	winini.exe	34
PID 2796 wrote to memory of 2788	2796	winini.exe	34
PID 2796 wrote to memory of 2788	2796	winini.exe	34
PID 2796 wrote to memory of 2788	2796	winini.exe	34
PID 2796 wrote to memory of 2788	2796	winini.exe	34
PID 2796 wrote to memory of 2788	2796	winini.exe	34
PID 2796 wrote to memory of 2788	2796	winini.exe	34
PID 2796 wrote to memory of 2788	2796	winini.exe	34
PID 2812 wrote to memory of 2844	2812	winini.exe	35
PID 2812 wrote to memory of 2844	2812	winini.exe	35
PID 2812 wrote to memory of 2844	2812	winini.exe	35
PID 2812 wrote to memory of 2844	2812	winini.exe	35
PID 2812 wrote to memory of 2844	2812	winini.exe	35
PID 2812 wrote to memory of 2844	2812	winini.exe	35
PID 2812 wrote to memory of 2844	2812	winini.exe	35
PID 2812 wrote to memory of 2844	2812	winini.exe	35

C:\Users\Admin\AppData\Local\Temp\6f43b537783e3773add26914099c217d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6f43b537783e3773add26914099c217d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\NICKS SHIZ.EXE
  "C:\Users\Admin\AppData\Local\Temp\NICKS SHIZ.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1856
- - C:\Users\Admin\AppData\Local\Temp\winini.exe
    "C:\Users\Admin\AppData\Local\Temp\winini.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Users\Admin\AppData\Local\Temp\cvtres.exe
      C:\Users\Admin\AppData\Local\Temp\cvtres.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2844
- C:\Users\Admin\AppData\Local\Temp\SHADOW FUNNY.EXE
  "C:\Users\Admin\AppData\Local\Temp\SHADOW FUNNY.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Users\Admin\AppData\Local\Temp\winini.exe
    "C:\Users\Admin\AppData\Local\Temp\winini.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Users\Admin\AppData\Local\Temp\cvtres.exe
      C:\Users\Admin\AppData\Local\Temp\cvtres.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SHADOW FUNNY.EXE

Filesize
700KB

MD5
fc661fefa5b3fde4aa18caa06069f6d4

SHA1
474b66fb1e5a1e21cf643a2430fc4693cfe7ea73

SHA256
ee5fe567ce3f027ea4316a51efd07ea8cf4b28c039ca3801c1567e7bec5c9556

SHA512
cc09d20bfb7f78abd26e51d3112719b1f9e36a7e6a3a2ec51daadb2262b8cd682b7dfde4663ef63454f492b3df4929fcc3656aa2f655c1080baab403e8cc29d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cvtres.exe

Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\winini.exe

Filesize
484KB

MD5
909f9eac8216be8d6dada7ebea2faa56

SHA1
3aeb04c2e8e944208cb989d0f133974df2e63d7f

SHA256
9b92674fb23307cc0077fc2442cfc0b9e7d6b18a90102b656a15f0681369fb6b

SHA512
9c674c3066d3dcdf6897318b1a6d92a250a599ae5bb282b6bef5d524f6871f4b647a4527fdfe690b0ceb91cbf80b03733d97e1a45a9c557ce0cc1e7da36524ac

Download Submit
\Users\Admin\AppData\Local\Temp\NICKS SHIZ.EXE

Filesize
748KB

MD5
54be4a8bb0a89e70428bcaf866d9ec27

SHA1
cd8082c20accf6d04be713310572471c471dde25

SHA256
ecda5d76046ddaac6fb95ed2244c214a9054bad3c96a0c43766f45b73226b5b4

SHA512
e18be110796fb6e2a4751342d4f1916d8e317c1b1497d2f0966e21643eccc44a287d22da06c8ee0baf64b474843ab506e3075bc04c5f178fa76dd3f759071f97

Download Submit
memory/1856-24-0x0000000074990000-0x0000000074F3B000-memory.dmp

Filesize
5.7MB

Download
memory/1856-21-0x0000000074990000-0x0000000074F3B000-memory.dmp

Filesize
5.7MB

Download
memory/1856-28-0x0000000074990000-0x0000000074F3B000-memory.dmp

Filesize
5.7MB

Download
memory/1856-36-0x0000000074990000-0x0000000074F3B000-memory.dmp

Filesize
5.7MB

Download
memory/2344-22-0x0000000074990000-0x0000000074F3B000-memory.dmp

Filesize
5.7MB

Download
memory/2344-27-0x0000000074990000-0x0000000074F3B000-memory.dmp

Filesize
5.7MB

Download
memory/2344-37-0x0000000074990000-0x0000000074F3B000-memory.dmp

Filesize
5.7MB

Download
memory/2344-20-0x0000000074991000-0x0000000074992000-memory.dmp

Filesize
4KB

Download
memory/2788-71-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2788-62-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2788-51-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2788-50-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2788-48-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2788-46-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2788-44-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2844-63-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2844-68-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2844-67-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2844-65-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2844-72-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2844-73-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2844-74-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2844-75-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2844-76-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2844-77-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2844-78-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2844-79-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2844-80-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2844-81-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2844-82-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2844-83-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2844-84-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2844-85-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2844-86-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download