darkcomet | 783804af4970d2e4e3ba0b0bab3850be0e615999d7e9c54e4a8e2b6dca30232e

Analysis

max time kernel
149s
max time network
156s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-10-2024 21:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7cd2f7e2368ac92b1802fbbccffc4372_JaffaCakes118.exe
Size

981KB
MD5

7cd2f7e2368ac92b1802fbbccffc4372
SHA1

a5c509557cc80936da8fdf38fac784fa581997d9
SHA256

783804af4970d2e4e3ba0b0bab3850be0e615999d7e9c54e4a8e2b6dca30232e
SHA512

7ba2878a7b24af602d812af21833d1a70f55e5680f16f7c12c97359d1f8554ee0d73504d3a8071f62522fc585fde0afb73fdd1c245605e278cbba710219799b7
SSDEEP

24576:rcRNDHO+p9Y2XwXBleb2G9+8yp3DN48iHURol0A2P:r4R9fXUy9CtDN48iHqoWZ

Score

10^/10

darkcomet discovery persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

12414.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Drivers\\sys.exe"	12414.exe

Drops file in Drivers directory 3 IoCs

Processes:

12414.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\Drivers\sys.exe	12414.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\sys.exe	12414.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\	12414.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

12414.exeexplorer.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	12414.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe

Executes dropped EXE 2 IoCs

Processes:

12414.exe19336.exe

pid	Process
1988	12414.exe
2868	19336.exe

Loads dropped DLL 6 IoCs

Processes:

19336.exe

pid	Process
2868	19336.exe
2868	19336.exe
2868	19336.exe
2868	19336.exe
2868	19336.exe
2868	19336.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

12414.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\sys = "C:\\Windows\\system32\\Drivers\\sys.exe"	12414.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

12414.exe

description	pid	Process	procid_target
PID 1988 set thread context of 2660	1988	12414.exe	33

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/files/0x0008000000016276-6.dat	upx
behavioral1/memory/1988-15-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2660-30-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2660-31-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/1988-29-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2660-27-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2660-32-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2660-38-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2660-37-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2660-36-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2660-33-0x0000000000400000-0x00000000004B5000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

19336.exe12414.exeexplorer.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	19336.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12414.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
behavioral1/files/0x000800000001650a-14.dat	nsis_installer_1
behavioral1/files/0x000800000001650a-14.dat	nsis_installer_2

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

12414.exeexplorer.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	12414.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	12414.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	12414.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	12414.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

12414.exeexplorer.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	12414.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exe19336.exe

pid	Process
2660	explorer.exe
2868	19336.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

Processes:

7cd2f7e2368ac92b1802fbbccffc4372_JaffaCakes118.exe12414.exeexplorer.exe

description	pid	Process
Token: SeDebugPrivilege	876	7cd2f7e2368ac92b1802fbbccffc4372_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	1988	12414.exe
Token: SeSecurityPrivilege	1988	12414.exe
Token: SeTakeOwnershipPrivilege	1988	12414.exe
Token: SeLoadDriverPrivilege	1988	12414.exe
Token: SeSystemProfilePrivilege	1988	12414.exe
Token: SeSystemtimePrivilege	1988	12414.exe
Token: SeProfSingleProcessPrivilege	1988	12414.exe
Token: SeIncBasePriorityPrivilege	1988	12414.exe
Token: SeCreatePagefilePrivilege	1988	12414.exe
Token: SeBackupPrivilege	1988	12414.exe
Token: SeRestorePrivilege	1988	12414.exe
Token: SeShutdownPrivilege	1988	12414.exe
Token: SeDebugPrivilege	1988	12414.exe
Token: SeSystemEnvironmentPrivilege	1988	12414.exe
Token: SeChangeNotifyPrivilege	1988	12414.exe
Token: SeRemoteShutdownPrivilege	1988	12414.exe
Token: SeUndockPrivilege	1988	12414.exe
Token: SeManageVolumePrivilege	1988	12414.exe
Token: SeImpersonatePrivilege	1988	12414.exe
Token: SeCreateGlobalPrivilege	1988	12414.exe
Token: 33	1988	12414.exe
Token: 34	1988	12414.exe
Token: 35	1988	12414.exe
Token: SeIncreaseQuotaPrivilege	2660	explorer.exe
Token: SeSecurityPrivilege	2660	explorer.exe
Token: SeTakeOwnershipPrivilege	2660	explorer.exe
Token: SeLoadDriverPrivilege	2660	explorer.exe
Token: SeSystemProfilePrivilege	2660	explorer.exe
Token: SeSystemtimePrivilege	2660	explorer.exe
Token: SeProfSingleProcessPrivilege	2660	explorer.exe
Token: SeIncBasePriorityPrivilege	2660	explorer.exe
Token: SeCreatePagefilePrivilege	2660	explorer.exe
Token: SeBackupPrivilege	2660	explorer.exe
Token: SeRestorePrivilege	2660	explorer.exe
Token: SeShutdownPrivilege	2660	explorer.exe
Token: SeDebugPrivilege	2660	explorer.exe
Token: SeSystemEnvironmentPrivilege	2660	explorer.exe
Token: SeChangeNotifyPrivilege	2660	explorer.exe
Token: SeRemoteShutdownPrivilege	2660	explorer.exe
Token: SeUndockPrivilege	2660	explorer.exe
Token: SeManageVolumePrivilege	2660	explorer.exe
Token: SeImpersonatePrivilege	2660	explorer.exe
Token: SeCreateGlobalPrivilege	2660	explorer.exe
Token: 33	2660	explorer.exe
Token: 34	2660	explorer.exe
Token: 35	2660	explorer.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

7cd2f7e2368ac92b1802fbbccffc4372_JaffaCakes118.exe12414.exe

description	pid	Process	procid_target
PID 876 wrote to memory of 1988	876	7cd2f7e2368ac92b1802fbbccffc4372_JaffaCakes118.exe	31
PID 876 wrote to memory of 1988	876	7cd2f7e2368ac92b1802fbbccffc4372_JaffaCakes118.exe	31
PID 876 wrote to memory of 1988	876	7cd2f7e2368ac92b1802fbbccffc4372_JaffaCakes118.exe	31
PID 876 wrote to memory of 1988	876	7cd2f7e2368ac92b1802fbbccffc4372_JaffaCakes118.exe	31
PID 876 wrote to memory of 2868	876	7cd2f7e2368ac92b1802fbbccffc4372_JaffaCakes118.exe	32
PID 876 wrote to memory of 2868	876	7cd2f7e2368ac92b1802fbbccffc4372_JaffaCakes118.exe	32
PID 876 wrote to memory of 2868	876	7cd2f7e2368ac92b1802fbbccffc4372_JaffaCakes118.exe	32
PID 876 wrote to memory of 2868	876	7cd2f7e2368ac92b1802fbbccffc4372_JaffaCakes118.exe	32
PID 876 wrote to memory of 2868	876	7cd2f7e2368ac92b1802fbbccffc4372_JaffaCakes118.exe	32
PID 876 wrote to memory of 2868	876	7cd2f7e2368ac92b1802fbbccffc4372_JaffaCakes118.exe	32
PID 876 wrote to memory of 2868	876	7cd2f7e2368ac92b1802fbbccffc4372_JaffaCakes118.exe	32
PID 1988 wrote to memory of 2660	1988	12414.exe	33
PID 1988 wrote to memory of 2660	1988	12414.exe	33
PID 1988 wrote to memory of 2660	1988	12414.exe	33
PID 1988 wrote to memory of 2660	1988	12414.exe	33
PID 1988 wrote to memory of 2660	1988	12414.exe	33
PID 1988 wrote to memory of 2660	1988	12414.exe	33

C:\Users\Admin\AppData\Local\Temp\7cd2f7e2368ac92b1802fbbccffc4372_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7cd2f7e2368ac92b1802fbbccffc4372_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:876
- C:\Users\Admin\AppData\Local\Temp\iTV2HwOA\12414.exe
  "C:\Users\Admin\AppData\Local\Temp\iTV2HwOA\12414.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\SysWOW64\explorer.exe"
    3⤵
    - Checks BIOS information in registry
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2660
- C:\Users\Admin\AppData\Local\Temp\iTV2HwOA\19336.exe
  "C:\Users\Admin\AppData\Local\Temp\iTV2HwOA\19336.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\iTV2HwOA\12414.exe

Filesize
233KB

MD5
e861c5bd67b1f053414bbc4c0b3520d2

SHA1
1009ef3462d11047926421523d60e68d03c3cf17

SHA256
5332049a2b4cc381d4d022e45ee7952eb13bc67ae19890709d477f3fd9dd7a14

SHA512
ba46de35e33cd44afcf4bd383656271cea5951de199ec38b9628a52d9e695560f51f99d36d9f2db43ffd258a838e29a443793c3dd601cf43f1c2d85a2e8bd608

Download Submit
C:\Users\Admin\AppData\Local\Temp\iTV2HwOA\19336.exe

Filesize
738KB

MD5
8733c89f832c5e011934b72685a34153

SHA1
d9258906c84abd12731d9536cb12ccb46c77443e

SHA256
86ee53c7d42f9187b734d69bdcde0869932b85992e5fa635ecf0040a933acc96

SHA512
031c4347ef188a8cca66e24dbfa99b7ac2dbb68b52236802be505e14550f1c3dea799e1cd18ef562319e0406003037013bfc399ebaf1f48fbbcbd0a03cdfa0e1

Download Submit
\Users\Admin\AppData\Local\Temp\nstD461.tmp\LangDLL.dll

Filesize
5KB

MD5
9384f4007c492d4fa040924f31c00166

SHA1
aba37faef30d7c445584c688a0b5638f5db31c7b

SHA256
60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5

SHA512
68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf

Download Submit
\Users\Admin\AppData\Local\Temp\nstD461.tmp\StartMenu.dll

Filesize
7KB

MD5
a4173b381625f9f12aadb4e1cdaefdb8

SHA1
cf1680c2bc970d5675adbf5e89292a97e6724713

SHA256
7755ff2707ca19344d489a5acec02d9e310425fa6e100d2f13025761676b875b

SHA512
fcac79d42862da6bdd3ecad9d887a975cdff2301a8322f321be58f754a26b27077b452faa4751bbd09cd3371b4afce65255fbbb443e2c93dd2cba0ba652f4a82

Download Submit
\Users\Admin\AppData\Local\Temp\nstD461.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nstD461.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
\Users\Admin\AppData\Local\Temp\nstD461.tmp\nsDialogs.dll

Filesize
9KB

MD5
c10e04dd4ad4277d5adc951bb331c777

SHA1
b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

SHA256
e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

SHA512
853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

Download Submit
memory/876-16-0x000007FEF5EA0000-0x000007FEF683D000-memory.dmp

Filesize
9.6MB

Download
memory/876-0-0x000007FEF615E000-0x000007FEF615F000-memory.dmp

Filesize
4KB

Download
memory/876-2-0x000007FEF5EA0000-0x000007FEF683D000-memory.dmp

Filesize
9.6MB

Download
memory/876-11-0x000007FEF5EA0000-0x000007FEF683D000-memory.dmp

Filesize
9.6MB

Download
memory/1988-15-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1988-29-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2660-27-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2660-37-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2660-36-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2660-33-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2660-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2660-24-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2660-38-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2660-32-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2660-31-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2660-30-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download