darkcomet | 39dd349bae7daea858678837db336d958aab66ca4f47c852ca16a45b273cb18b

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-10-2024 13:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe
Size

880KB
MD5

79f26faebf6f232fd71c2d81c400a91e
SHA1

2a0b954324ff364271acb04589f1cceeb3b8a713
SHA256

39dd349bae7daea858678837db336d958aab66ca4f47c852ca16a45b273cb18b
SHA512

1ec197da98d1f5f75be1a3fe8a91fb30db78bee52a72d8c23c7d1b3626cceab46fc85a5f236dbfc9cba65207250b6102dbbb3770c88dd36aee9e52487c1d46c2
SSDEEP

12288:wqFvD1WrkIwrOqepNt0RoirD7/xNmcBH0dqhTtlN9p41zlq4uhT:wAB7IEOqBRbrDz2eU8IPuhT

Score

10^/10

darkcomet bootkit discovery persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\MSDCSC\\winserv.exe"	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

Processes:

winserv.exewinserv.exewinserv.exe

pid	Process
1624	winserv.exe
4300	winserv.exe
4656	winserv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exewinserv.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdates = "C:\\MSDCSC\\winserv.exe"	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdates = "C:\\MSDCSC\\winserv.exe"	winserv.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exewinserv.exe

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	winserv.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exewinserv.exewinserv.exe

description	pid	Process	procid_target
PID 3188 set thread context of 3452	3188	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe	91
PID 3452 set thread context of 2612	3452	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe	92
PID 1624 set thread context of 4300	1624	winserv.exe	95
PID 4300 set thread context of 4656	4300	winserv.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

winserv.exewinserv.exe79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exewinserv.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winserv.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exewinserv.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2612	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe
Token: SeSecurityPrivilege	2612	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2612	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2612	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2612	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2612	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2612	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2612	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2612	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe
Token: SeBackupPrivilege	2612	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe
Token: SeRestorePrivilege	2612	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe
Token: SeShutdownPrivilege	2612	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe
Token: SeDebugPrivilege	2612	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2612	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2612	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2612	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe
Token: SeUndockPrivilege	2612	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2612	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2612	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2612	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe
Token: 33	2612	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe
Token: 34	2612	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe
Token: 35	2612	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe
Token: 36	2612	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	4656	winserv.exe
Token: SeSecurityPrivilege	4656	winserv.exe
Token: SeTakeOwnershipPrivilege	4656	winserv.exe
Token: SeLoadDriverPrivilege	4656	winserv.exe
Token: SeSystemProfilePrivilege	4656	winserv.exe
Token: SeSystemtimePrivilege	4656	winserv.exe
Token: SeProfSingleProcessPrivilege	4656	winserv.exe
Token: SeIncBasePriorityPrivilege	4656	winserv.exe
Token: SeCreatePagefilePrivilege	4656	winserv.exe
Token: SeBackupPrivilege	4656	winserv.exe
Token: SeRestorePrivilege	4656	winserv.exe
Token: SeShutdownPrivilege	4656	winserv.exe
Token: SeDebugPrivilege	4656	winserv.exe
Token: SeSystemEnvironmentPrivilege	4656	winserv.exe
Token: SeChangeNotifyPrivilege	4656	winserv.exe
Token: SeRemoteShutdownPrivilege	4656	winserv.exe
Token: SeUndockPrivilege	4656	winserv.exe
Token: SeManageVolumePrivilege	4656	winserv.exe
Token: SeImpersonatePrivilege	4656	winserv.exe
Token: SeCreateGlobalPrivilege	4656	winserv.exe
Token: 33	4656	winserv.exe
Token: 34	4656	winserv.exe
Token: 35	4656	winserv.exe
Token: 36	4656	winserv.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exewinserv.exewinserv.exewinserv.exe

pid	Process
3188	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe
3452	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe
1624	winserv.exe
4300	winserv.exe
4656	winserv.exe

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exewinserv.exewinserv.exe

description	pid	Process	procid_target
PID 3188 wrote to memory of 3452	3188	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe	91
PID 3188 wrote to memory of 3452	3188	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe	91
PID 3188 wrote to memory of 3452	3188	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe	91
PID 3188 wrote to memory of 3452	3188	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe	91
PID 3188 wrote to memory of 3452	3188	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe	91
PID 3188 wrote to memory of 3452	3188	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe	91
PID 3188 wrote to memory of 3452	3188	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe	91
PID 3188 wrote to memory of 3452	3188	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe	91
PID 3452 wrote to memory of 2612	3452	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe	92
PID 3452 wrote to memory of 2612	3452	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe	92
PID 3452 wrote to memory of 2612	3452	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe	92
PID 3452 wrote to memory of 2612	3452	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe	92
PID 3452 wrote to memory of 2612	3452	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe	92
PID 3452 wrote to memory of 2612	3452	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe	92
PID 3452 wrote to memory of 2612	3452	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe	92
PID 3452 wrote to memory of 2612	3452	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe	92
PID 3452 wrote to memory of 2612	3452	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe	92
PID 3452 wrote to memory of 2612	3452	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe	92
PID 3452 wrote to memory of 2612	3452	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe	92
PID 3452 wrote to memory of 2612	3452	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe	92
PID 3452 wrote to memory of 2612	3452	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe	92
PID 3452 wrote to memory of 2612	3452	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe	92
PID 2612 wrote to memory of 1624	2612	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe	93
PID 2612 wrote to memory of 1624	2612	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe	93
PID 2612 wrote to memory of 1624	2612	79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe	93
PID 1624 wrote to memory of 4300	1624	winserv.exe	95
PID 1624 wrote to memory of 4300	1624	winserv.exe	95
PID 1624 wrote to memory of 4300	1624	winserv.exe	95
PID 1624 wrote to memory of 4300	1624	winserv.exe	95
PID 1624 wrote to memory of 4300	1624	winserv.exe	95
PID 1624 wrote to memory of 4300	1624	winserv.exe	95
PID 1624 wrote to memory of 4300	1624	winserv.exe	95
PID 1624 wrote to memory of 4300	1624	winserv.exe	95
PID 4300 wrote to memory of 4656	4300	winserv.exe	96
PID 4300 wrote to memory of 4656	4300	winserv.exe	96
PID 4300 wrote to memory of 4656	4300	winserv.exe	96
PID 4300 wrote to memory of 4656	4300	winserv.exe	96
PID 4300 wrote to memory of 4656	4300	winserv.exe	96
PID 4300 wrote to memory of 4656	4300	winserv.exe	96
PID 4300 wrote to memory of 4656	4300	winserv.exe	96
PID 4300 wrote to memory of 4656	4300	winserv.exe	96
PID 4300 wrote to memory of 4656	4300	winserv.exe	96
PID 4300 wrote to memory of 4656	4300	winserv.exe	96
PID 4300 wrote to memory of 4656	4300	winserv.exe	96
PID 4300 wrote to memory of 4656	4300	winserv.exe	96
PID 4300 wrote to memory of 4656	4300	winserv.exe	96
PID 4300 wrote to memory of 4656	4300	winserv.exe	96

C:\Users\Admin\AppData\Local\Temp\79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3188
- C:\Users\Admin\AppData\Local\Temp\79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe"
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3452
- - C:\Users\Admin\AppData\Local\Temp\79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\MSDCSC\winserv.exe
      "C:\MSDCSC\winserv.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1624
    - - C:\MSDCSC\winserv.exe
        
        "C:\MSDCSC\winserv.exe"
        5⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4300
      - C:\MSDCSC\winserv.exe
        
        "C:\MSDCSC\winserv.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSDCSC\winserv.exe

Filesize
880KB

MD5
79f26faebf6f232fd71c2d81c400a91e

SHA1
2a0b954324ff364271acb04589f1cceeb3b8a713

SHA256
39dd349bae7daea858678837db336d958aab66ca4f47c852ca16a45b273cb18b

SHA512
1ec197da98d1f5f75be1a3fe8a91fb30db78bee52a72d8c23c7d1b3626cceab46fc85a5f236dbfc9cba65207250b6102dbbb3770c88dd36aee9e52487c1d46c2

Download Submit
memory/2612-9-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2612-8-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2612-10-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2612-11-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2612-12-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2612-25-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/3188-0-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/3452-5-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/3452-3-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/3452-48-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/4300-43-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/4656-46-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4656-59-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4656-44-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4656-47-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4656-40-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4656-39-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4656-50-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4656-51-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4656-53-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4656-55-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4656-57-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4656-45-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4656-61-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4656-63-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4656-65-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4656-67-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4656-69-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4656-71-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4656-73-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4656-75-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4656-77-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download