darkcomet | 1c10341bd486324dd1cb054e3da226321f1a7532c383aa5f45a46e8b59e028d4

Analysis

max time kernel
76s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-10-2024 11:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe
Size

2.4MB
MD5

796d1e3fc712afd8a808f308f9c6aae3
SHA1

4a38845e5bfc6433aaf4642515da60f10fb7f27b
SHA256

1c10341bd486324dd1cb054e3da226321f1a7532c383aa5f45a46e8b59e028d4
SHA512

0349302076dbccebc58ea20a0aa5b009504ca27d5a32bcb59af1c5e25ccf1e6daba6035d609aabb163704d418beac3a39d39b669c61f6e9f86cf7af0a03bbda3
SSDEEP

24576:p3nbWmJVJFwSddIXvfhqbiaxvRxq99vHjN0Mn3NXSfQF10gOUl:FamdZdcBY0vjQYb0U

Score

10^/10

darkcomet discovery evasion rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exeiexplore.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	iexplore.exe

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exeiexplore.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	iexplore.exe

Executes dropped EXE 3 IoCs

Processes:

EMAILLISTA.EXEEMAILLISTA.EXEEMAILLISTA.EXE

pid	Process
3056	EMAILLISTA.EXE
2904	EMAILLISTA.EXE
2792	EMAILLISTA.EXE

Loads dropped DLL 6 IoCs

Processes:

796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exeiexplore.exe

pid	Process
3036	796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe
3036	796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe
3036	796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe
3036	796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe
2256	iexplore.exe
2256	iexplore.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe

description	pid	Process	procid_target
PID 3036 set thread context of 2256	3036	796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

EMAILLISTA.EXEiexplore.exeEMAILLISTA.EXE796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exeEMAILLISTA.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EMAILLISTA.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EMAILLISTA.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EMAILLISTA.EXE

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exeiexplore.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3036	796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe
Token: SeSecurityPrivilege	3036	796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	3036	796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	3036	796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	3036	796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe
Token: SeSystemtimePrivilege	3036	796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	3036	796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3036	796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	3036	796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe
Token: SeBackupPrivilege	3036	796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe
Token: SeRestorePrivilege	3036	796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe
Token: SeShutdownPrivilege	3036	796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe
Token: SeDebugPrivilege	3036	796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	3036	796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	3036	796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	3036	796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe
Token: SeUndockPrivilege	3036	796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe
Token: SeManageVolumePrivilege	3036	796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe
Token: SeImpersonatePrivilege	3036	796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	3036	796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe
Token: 33	3036	796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe
Token: 34	3036	796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe
Token: 35	3036	796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2256	iexplore.exe
Token: SeSecurityPrivilege	2256	iexplore.exe
Token: SeTakeOwnershipPrivilege	2256	iexplore.exe
Token: SeLoadDriverPrivilege	2256	iexplore.exe
Token: SeSystemProfilePrivilege	2256	iexplore.exe
Token: SeSystemtimePrivilege	2256	iexplore.exe
Token: SeProfSingleProcessPrivilege	2256	iexplore.exe
Token: SeIncBasePriorityPrivilege	2256	iexplore.exe
Token: SeCreatePagefilePrivilege	2256	iexplore.exe
Token: SeBackupPrivilege	2256	iexplore.exe
Token: SeRestorePrivilege	2256	iexplore.exe
Token: SeShutdownPrivilege	2256	iexplore.exe
Token: SeDebugPrivilege	2256	iexplore.exe
Token: SeSystemEnvironmentPrivilege	2256	iexplore.exe
Token: SeChangeNotifyPrivilege	2256	iexplore.exe
Token: SeRemoteShutdownPrivilege	2256	iexplore.exe
Token: SeUndockPrivilege	2256	iexplore.exe
Token: SeManageVolumePrivilege	2256	iexplore.exe
Token: SeImpersonatePrivilege	2256	iexplore.exe
Token: SeCreateGlobalPrivilege	2256	iexplore.exe
Token: 33	2256	iexplore.exe
Token: 34	2256	iexplore.exe
Token: 35	2256	iexplore.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

iexplore.exe

pid	Process
2256	iexplore.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exeiexplore.exe

description	pid	Process	procid_target
PID 3036 wrote to memory of 3056	3036	796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe	30
PID 3036 wrote to memory of 3056	3036	796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe	30
PID 3036 wrote to memory of 3056	3036	796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe	30
PID 3036 wrote to memory of 3056	3036	796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe	30
PID 3036 wrote to memory of 2904	3036	796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe	31
PID 3036 wrote to memory of 2904	3036	796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe	31
PID 3036 wrote to memory of 2904	3036	796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe	31
PID 3036 wrote to memory of 2904	3036	796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe	31
PID 3036 wrote to memory of 2256	3036	796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe	32
PID 3036 wrote to memory of 2256	3036	796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe	32
PID 3036 wrote to memory of 2256	3036	796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe	32
PID 3036 wrote to memory of 2256	3036	796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe	32
PID 3036 wrote to memory of 2256	3036	796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe	32
PID 3036 wrote to memory of 2256	3036	796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe	32
PID 2256 wrote to memory of 2792	2256	iexplore.exe	33
PID 2256 wrote to memory of 2792	2256	iexplore.exe	33
PID 2256 wrote to memory of 2792	2256	iexplore.exe	33
PID 2256 wrote to memory of 2792	2256	iexplore.exe	33

C:\Users\Admin\AppData\Local\Temp\796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\796d1e3fc712afd8a808f308f9c6aae3_JaffaCakes118.exe"
1⤵
- Modifies security service
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Users\Admin\AppData\Local\Temp\EMAILLISTA.EXE
  "C:\Users\Admin\AppData\Local\Temp\EMAILLISTA.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3056
- C:\Users\Admin\AppData\Local\Temp\EMAILLISTA.EXE
  "C:\Users\Admin\AppData\Local\Temp\EMAILLISTA.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2904
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
  2⤵
  - Modifies security service
  - Windows security bypass
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Users\Admin\AppData\Local\Temp\EMAILLISTA.EXE
    "C:\Users\Admin\AppData\Local\Temp\EMAILLISTA.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\error.log

Filesize
610B

MD5
991d70a228452d3036d26f97dfc047d7

SHA1
3c15f7ff4fb91487c2d081e0be0a58069b225c2e

SHA256
03578150bee6fa1db20e3d94d41fc0c7cf0ef3238705c44504e39c704d2d9db0

SHA512
b16c414721e63b26020e02463a59e3b423d8559dd3df2debbd259a5753b13b90808d2357f39c0f6e5402225abbe3f8923d26ea0a4bfc336da934c5a1702f1fcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\error.log

Filesize
915B

MD5
9d8d84419d9cc285ee2b63da0fba9b4a

SHA1
16dae21513188fb83c0a47a85d3110cc20b5db2a

SHA256
54aea9a4a53aaacdaa564958735d1006639c3f85e006caaed31cc47c1fd4c91e

SHA512
ecac6640ca91b9d5921198dac0248a7c4126e7491924e9d01955212b961130661ab1ee0c9c16be4ca4583ac51849ac7c0cecb1dfff537e8db2f9e158ea329a6c

Download Submit
\Users\Admin\AppData\Local\Temp\EMAILLISTA.EXE

Filesize
1.6MB

MD5
8abf9065c1a83daab75cf5af686616c8

SHA1
9ec1b929bff1008da098eb9700b6bcc40ed1aac5

SHA256
f11d4987b5a1b83017b38f2838c880e39f7d722d47f7e119592dbf2dc9bd5dd3

SHA512
51f25e5d1c873bc0e4cac162f3b7a5fcfe92b7f7d43847123df5c81002f8915aa8be875c46c2301f1ad4c8e6d5c16304579d8808c490ad902b48d3135933ffdc

Download Submit
memory/2256-23-0x0000000000400000-0x000000000066A000-memory.dmp

Filesize
2.4MB

Download
memory/2792-35-0x0000000000400000-0x0000000000595000-memory.dmp

Filesize
1.6MB

Download
memory/2904-34-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2904-20-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2904-33-0x0000000000400000-0x0000000000595000-memory.dmp

Filesize
1.6MB

Download
memory/3036-24-0x0000000000400000-0x000000000066A000-memory.dmp

Filesize
2.4MB

Download
memory/3036-0-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/3056-31-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/3056-32-0x0000000000400000-0x0000000000595000-memory.dmp

Filesize
1.6MB

Download
memory/3056-10-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download