darkcomet | 7e8b21d56644cc0509e46e6f246a6f44b64be4325377569acedeba3f3cf339d6

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-10-2024 05:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72912124de89e0086129e836194239ae_JaffaCakes118.exe
Size

1.6MB
MD5

72912124de89e0086129e836194239ae
SHA1

d3ae931046e2103b525fc5229dddf3d7de46a854
SHA256

7e8b21d56644cc0509e46e6f246a6f44b64be4325377569acedeba3f3cf339d6
SHA512

9d8e4bb75c9882a5db42d328f3a356f2b822b1bfd6e8fdddc739f0dcd08a0610e8b3c2c4f72924feea4fe4b5c78b159e2af429427aa51526a070aff6cee98707
SSDEEP

24576:ra0rsRzgekLnpwFCh6MPQd1ME+nr9JMSFWDV8q3k3Tj1TtR/K4JoerZxHt:2OKkLpECweASwVfk3Vvi8Lt

Score

10^/10

darkcomet discovery evasion persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	vbc.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

vbc.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	vbc.exe

Executes dropped EXE 2 IoCs

Processes:

Java Runtime.exeFileReNamerv2.exe

pid	Process
1352	Java Runtime.exe
2076	FileReNamerv2.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Java Runtime.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\none = "C:\\ProgramData\\svchost.exe"	Java Runtime.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Java Runtime.exe

description	pid	Process	procid_target
PID 1352 set thread context of 2780	1352	Java Runtime.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Java Runtime.exeFileReNamerv2.exevbc.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Java Runtime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileReNamerv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

vbc.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vbc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vbc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	vbc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	vbc.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

vbc.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	vbc.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

72912124de89e0086129e836194239ae_JaffaCakes118.exevbc.exe

description	pid	Process
Token: SeDebugPrivilege	2068	72912124de89e0086129e836194239ae_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2780	vbc.exe
Token: SeSecurityPrivilege	2780	vbc.exe
Token: SeTakeOwnershipPrivilege	2780	vbc.exe
Token: SeLoadDriverPrivilege	2780	vbc.exe
Token: SeSystemProfilePrivilege	2780	vbc.exe
Token: SeSystemtimePrivilege	2780	vbc.exe
Token: SeProfSingleProcessPrivilege	2780	vbc.exe
Token: SeIncBasePriorityPrivilege	2780	vbc.exe
Token: SeCreatePagefilePrivilege	2780	vbc.exe
Token: SeBackupPrivilege	2780	vbc.exe
Token: SeRestorePrivilege	2780	vbc.exe
Token: SeShutdownPrivilege	2780	vbc.exe
Token: SeDebugPrivilege	2780	vbc.exe
Token: SeSystemEnvironmentPrivilege	2780	vbc.exe
Token: SeChangeNotifyPrivilege	2780	vbc.exe
Token: SeRemoteShutdownPrivilege	2780	vbc.exe
Token: SeUndockPrivilege	2780	vbc.exe
Token: SeManageVolumePrivilege	2780	vbc.exe
Token: SeImpersonatePrivilege	2780	vbc.exe
Token: SeCreateGlobalPrivilege	2780	vbc.exe
Token: 33	2780	vbc.exe
Token: 34	2780	vbc.exe
Token: 35	2780	vbc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

FileReNamerv2.exevbc.exe

pid	Process
2076	FileReNamerv2.exe
2780	vbc.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

72912124de89e0086129e836194239ae_JaffaCakes118.exeJava Runtime.exe

description	pid	Process	procid_target
PID 2068 wrote to memory of 1352	2068	72912124de89e0086129e836194239ae_JaffaCakes118.exe	31
PID 2068 wrote to memory of 1352	2068	72912124de89e0086129e836194239ae_JaffaCakes118.exe	31
PID 2068 wrote to memory of 1352	2068	72912124de89e0086129e836194239ae_JaffaCakes118.exe	31
PID 2068 wrote to memory of 1352	2068	72912124de89e0086129e836194239ae_JaffaCakes118.exe	31
PID 2068 wrote to memory of 2076	2068	72912124de89e0086129e836194239ae_JaffaCakes118.exe	32
PID 2068 wrote to memory of 2076	2068	72912124de89e0086129e836194239ae_JaffaCakes118.exe	32
PID 2068 wrote to memory of 2076	2068	72912124de89e0086129e836194239ae_JaffaCakes118.exe	32
PID 2068 wrote to memory of 2076	2068	72912124de89e0086129e836194239ae_JaffaCakes118.exe	32
PID 1352 wrote to memory of 2780	1352	Java Runtime.exe	33
PID 1352 wrote to memory of 2780	1352	Java Runtime.exe	33
PID 1352 wrote to memory of 2780	1352	Java Runtime.exe	33
PID 1352 wrote to memory of 2780	1352	Java Runtime.exe	33
PID 1352 wrote to memory of 2780	1352	Java Runtime.exe	33
PID 1352 wrote to memory of 2780	1352	Java Runtime.exe	33
PID 1352 wrote to memory of 2780	1352	Java Runtime.exe	33
PID 1352 wrote to memory of 2780	1352	Java Runtime.exe	33
PID 1352 wrote to memory of 2780	1352	Java Runtime.exe	33
PID 1352 wrote to memory of 2780	1352	Java Runtime.exe	33
PID 1352 wrote to memory of 2780	1352	Java Runtime.exe	33
PID 1352 wrote to memory of 2780	1352	Java Runtime.exe	33
PID 1352 wrote to memory of 2780	1352	Java Runtime.exe	33

C:\Users\Admin\AppData\Local\Temp\72912124de89e0086129e836194239ae_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\72912124de89e0086129e836194239ae_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Local\Temp\Java Runtime.exe
  "C:\Users\Admin\AppData\Local\Temp\Java Runtime.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Windows security bypass
    - Checks BIOS information in registry
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2780
- C:\Users\Admin\AppData\Local\Temp\FileReNamerv2.exe
  "C:\Users\Admin\AppData\Local\Temp\FileReNamerv2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FileReNamerv2.exe

Filesize
72KB

MD5
8620ec2a1bf120a2cafaf8f4c6ce2449

SHA1
148bebd91c385667ff389816a70af2ae1d61c2c0

SHA256
401e1b7963610c98ebb0161e336654ce12fbc085a5046c60079ef9b61a2e5d25

SHA512
3ab5a7686b1421aaaac8c4a190e1daa1a3a368f9afc137a09fb9dbd9951486ed881aa5c8b13eae6101700858d6471d9b016f6604605481126c2a8e4ad8a98388

Download Submit
C:\Users\Admin\AppData\Local\Temp\Java Runtime.exe

Filesize
1.1MB

MD5
2d726d78d25827d5be263218d68cac91

SHA1
9badbc9f063b54ff19b25c843b5386f2e30de287

SHA256
e793b0ce104b26e895d68565a1d435fea8733e858c575d5828990df93aa0980d

SHA512
52b6953d496e57e838d1c81c3309fc17f103194d39f164947804c72843aed71c95c634625dbcb7eca11af4adb17359363dd1a61069b5c1bbcad642bbbb278116

Download Submit
memory/1352-51-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/1352-22-0x00000000742E1000-0x00000000742E2000-memory.dmp

Filesize
4KB

Download
memory/1352-23-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/1352-24-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/2068-1-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp

Filesize
9.6MB

Download
memory/2068-2-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp

Filesize
9.6MB

Download
memory/2068-3-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp

Filesize
9.6MB

Download
memory/2068-21-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp

Filesize
9.6MB

Download
memory/2068-0-0x000007FEF5E6E000-0x000007FEF5E6F000-memory.dmp

Filesize
4KB

Download
memory/2780-39-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2780-52-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2780-38-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2780-47-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2780-45-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2780-44-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2780-43-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2780-41-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2780-42-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2780-26-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2780-35-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2780-34-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2780-31-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2780-30-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2780-27-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2780-46-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2780-53-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2780-54-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2780-55-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2780-56-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2780-57-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2780-58-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2780-59-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2780-60-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2780-61-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2780-62-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2780-63-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2780-64-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2780-65-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download