darkcomet | 796f9fce957141ba80aadad317bccbf5d7da642b27dd42987acb7494bf440cea

Analysis

max time kernel
142s
max time network
125s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
04-11-2024 02:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ecb60530662248b182dcf49bd700911_JaffaCakes118.exe
Size

864KB
MD5

8ecb60530662248b182dcf49bd700911
SHA1

eb02fea24cbacd512f386cfb88c0539bfd1531ef
SHA256

796f9fce957141ba80aadad317bccbf5d7da642b27dd42987acb7494bf440cea
SHA512

779fd482f31e9d7e644e3996d06863193018c84db8eea7c508ecad792da99c6fb3af051a36472b90328f7d488b23a3700380c4bc97bde5a131bd0446964e7ba1
SSDEEP

12288:ZEfboEly+DFuxs11IGz7n7LfY8Q2QieSdVcsqrFal9SjWO5PZUJBIZN63sEjaxs:ZEf0ElyUIGz7n7DQ2T1k3yc2bqrbG

Score

10^/10

darkcomet discovery persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

svrdarkcry.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe"	svrdarkcry.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svrdarkcry.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svrdarkcry.exe

Executes dropped EXE 3 IoCs

Processes:

svrdarkcry.exesvrdarkcry.exeESET Antivirus License Finder (MiNODLogin) 3.7.0.2.exe

pid	Process
2088	svrdarkcry.exe
664	svrdarkcry.exe
2500	ESET Antivirus License Finder (MiNODLogin) 3.7.0.2.exe

Loads dropped DLL 4 IoCs

Processes:

svrdarkcry.exeESET Antivirus License Finder (MiNODLogin) 3.7.0.2.exe

pid	Process
2088	svrdarkcry.exe
2500	ESET Antivirus License Finder (MiNODLogin) 3.7.0.2.exe
2500	ESET Antivirus License Finder (MiNODLogin) 3.7.0.2.exe
2500	ESET Antivirus License Finder (MiNODLogin) 3.7.0.2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svrdarkcry.exenotepad.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe"	svrdarkcry.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe"	notepad.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

svrdarkcry.exesvrdarkcry.exe

description	pid	Process	procid_target
PID 2088 set thread context of 664	2088	svrdarkcry.exe	31
PID 664 set thread context of 2480	664	svrdarkcry.exe	34

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/664-22-0x0000000013140000-0x00000000131FD000-memory.dmp	upx
behavioral1/memory/664-19-0x0000000013140000-0x00000000131FD000-memory.dmp	upx
behavioral1/memory/664-16-0x0000000013140000-0x00000000131FD000-memory.dmp	upx
behavioral1/memory/664-15-0x0000000013140000-0x00000000131FD000-memory.dmp	upx
behavioral1/memory/664-33-0x0000000013140000-0x00000000131FD000-memory.dmp	upx
behavioral1/memory/664-34-0x0000000013140000-0x00000000131FD000-memory.dmp	upx
behavioral1/memory/664-35-0x0000000013140000-0x00000000131FD000-memory.dmp	upx
behavioral1/memory/664-84-0x0000000013140000-0x00000000131FD000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
264	2480	WerFault.exe	34

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ESET Antivirus License Finder (MiNODLogin) 3.7.0.2.exesvrdarkcry.exenotepad.exeexplorer.exesvrdarkcry.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ESET Antivirus License Finder (MiNODLogin) 3.7.0.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svrdarkcry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svrdarkcry.exe

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
behavioral1/files/0x002d000000018b59-25.dat	nsis_installer_1
behavioral1/files/0x002d000000018b59-25.dat	nsis_installer_2

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svrdarkcry.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svrdarkcry.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svrdarkcry.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svrdarkcry.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svrdarkcry.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

svrdarkcry.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svrdarkcry.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

ESET Antivirus License Finder (MiNODLogin) 3.7.0.2.exe

pid	Process
2500	ESET Antivirus License Finder (MiNODLogin) 3.7.0.2.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

svrdarkcry.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	664	svrdarkcry.exe
Token: SeSecurityPrivilege	664	svrdarkcry.exe
Token: SeTakeOwnershipPrivilege	664	svrdarkcry.exe
Token: SeLoadDriverPrivilege	664	svrdarkcry.exe
Token: SeSystemProfilePrivilege	664	svrdarkcry.exe
Token: SeSystemtimePrivilege	664	svrdarkcry.exe
Token: SeProfSingleProcessPrivilege	664	svrdarkcry.exe
Token: SeIncBasePriorityPrivilege	664	svrdarkcry.exe
Token: SeCreatePagefilePrivilege	664	svrdarkcry.exe
Token: SeBackupPrivilege	664	svrdarkcry.exe
Token: SeRestorePrivilege	664	svrdarkcry.exe
Token: SeShutdownPrivilege	664	svrdarkcry.exe
Token: SeDebugPrivilege	664	svrdarkcry.exe
Token: SeSystemEnvironmentPrivilege	664	svrdarkcry.exe
Token: SeChangeNotifyPrivilege	664	svrdarkcry.exe
Token: SeRemoteShutdownPrivilege	664	svrdarkcry.exe
Token: SeUndockPrivilege	664	svrdarkcry.exe
Token: SeManageVolumePrivilege	664	svrdarkcry.exe
Token: SeImpersonatePrivilege	664	svrdarkcry.exe
Token: SeCreateGlobalPrivilege	664	svrdarkcry.exe
Token: 33	664	svrdarkcry.exe
Token: 34	664	svrdarkcry.exe
Token: 35	664	svrdarkcry.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

8ecb60530662248b182dcf49bd700911_JaffaCakes118.exesvrdarkcry.exesvrdarkcry.exeexplorer.exe

description	pid	Process	procid_target
PID 2892 wrote to memory of 2088	2892	8ecb60530662248b182dcf49bd700911_JaffaCakes118.exe	30
PID 2892 wrote to memory of 2088	2892	8ecb60530662248b182dcf49bd700911_JaffaCakes118.exe	30
PID 2892 wrote to memory of 2088	2892	8ecb60530662248b182dcf49bd700911_JaffaCakes118.exe	30
PID 2892 wrote to memory of 2088	2892	8ecb60530662248b182dcf49bd700911_JaffaCakes118.exe	30
PID 2088 wrote to memory of 664	2088	svrdarkcry.exe	31
PID 2088 wrote to memory of 664	2088	svrdarkcry.exe	31
PID 2088 wrote to memory of 664	2088	svrdarkcry.exe	31
PID 2088 wrote to memory of 664	2088	svrdarkcry.exe	31
PID 2088 wrote to memory of 664	2088	svrdarkcry.exe	31
PID 2088 wrote to memory of 664	2088	svrdarkcry.exe	31
PID 2088 wrote to memory of 664	2088	svrdarkcry.exe	31
PID 2088 wrote to memory of 664	2088	svrdarkcry.exe	31
PID 2892 wrote to memory of 2500	2892	8ecb60530662248b182dcf49bd700911_JaffaCakes118.exe	32
PID 2892 wrote to memory of 2500	2892	8ecb60530662248b182dcf49bd700911_JaffaCakes118.exe	32
PID 2892 wrote to memory of 2500	2892	8ecb60530662248b182dcf49bd700911_JaffaCakes118.exe	32
PID 2892 wrote to memory of 2500	2892	8ecb60530662248b182dcf49bd700911_JaffaCakes118.exe	32
PID 2892 wrote to memory of 2500	2892	8ecb60530662248b182dcf49bd700911_JaffaCakes118.exe	32
PID 2892 wrote to memory of 2500	2892	8ecb60530662248b182dcf49bd700911_JaffaCakes118.exe	32
PID 2892 wrote to memory of 2500	2892	8ecb60530662248b182dcf49bd700911_JaffaCakes118.exe	32
PID 664 wrote to memory of 2532	664	svrdarkcry.exe	33
PID 664 wrote to memory of 2532	664	svrdarkcry.exe	33
PID 664 wrote to memory of 2532	664	svrdarkcry.exe	33
PID 664 wrote to memory of 2532	664	svrdarkcry.exe	33
PID 664 wrote to memory of 2532	664	svrdarkcry.exe	33
PID 664 wrote to memory of 2532	664	svrdarkcry.exe	33
PID 664 wrote to memory of 2532	664	svrdarkcry.exe	33
PID 664 wrote to memory of 2532	664	svrdarkcry.exe	33
PID 664 wrote to memory of 2532	664	svrdarkcry.exe	33
PID 664 wrote to memory of 2532	664	svrdarkcry.exe	33
PID 664 wrote to memory of 2532	664	svrdarkcry.exe	33
PID 664 wrote to memory of 2532	664	svrdarkcry.exe	33
PID 664 wrote to memory of 2532	664	svrdarkcry.exe	33
PID 664 wrote to memory of 2532	664	svrdarkcry.exe	33
PID 664 wrote to memory of 2532	664	svrdarkcry.exe	33
PID 664 wrote to memory of 2532	664	svrdarkcry.exe	33
PID 664 wrote to memory of 2532	664	svrdarkcry.exe	33
PID 664 wrote to memory of 2532	664	svrdarkcry.exe	33
PID 664 wrote to memory of 2532	664	svrdarkcry.exe	33
PID 664 wrote to memory of 2532	664	svrdarkcry.exe	33
PID 664 wrote to memory of 2532	664	svrdarkcry.exe	33
PID 664 wrote to memory of 2532	664	svrdarkcry.exe	33
PID 664 wrote to memory of 2532	664	svrdarkcry.exe	33
PID 664 wrote to memory of 2532	664	svrdarkcry.exe	33
PID 664 wrote to memory of 2480	664	svrdarkcry.exe	34
PID 664 wrote to memory of 2480	664	svrdarkcry.exe	34
PID 664 wrote to memory of 2480	664	svrdarkcry.exe	34
PID 664 wrote to memory of 2480	664	svrdarkcry.exe	34
PID 664 wrote to memory of 2480	664	svrdarkcry.exe	34
PID 664 wrote to memory of 2480	664	svrdarkcry.exe	34
PID 2480 wrote to memory of 264	2480	explorer.exe	35
PID 2480 wrote to memory of 264	2480	explorer.exe	35
PID 2480 wrote to memory of 264	2480	explorer.exe	35
PID 2480 wrote to memory of 264	2480	explorer.exe	35

C:\Users\Admin\AppData\Local\Temp\8ecb60530662248b182dcf49bd700911_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8ecb60530662248b182dcf49bd700911_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Users\Admin\AppData\Local\Temp\svrdarkcry.exe
  "C:\Users\Admin\AppData\Local\Temp\svrdarkcry.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Users\Admin\AppData\Local\Temp\svrdarkcry.exe
    "C:\Users\Admin\AppData\Local\Temp\svrdarkcry.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:664
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2532
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2480
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 240
        5⤵
        Program crash
        
        PID:264
- C:\Users\Admin\AppData\Local\Temp\ESET Antivirus License Finder (MiNODLogin) 3.7.0.2.exe
  "C:\Users\Admin\AppData\Local\Temp\ESET Antivirus License Finder (MiNODLogin) 3.7.0.2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ESET Antivirus License Finder (MiNODLogin) 3.7.0.2.exe

Filesize
367KB

MD5
0e482bb1dfe28586f703702218632f3b

SHA1
e1b48c6f997d8d99bdbf7ce7594699d193591b01

SHA256
48f0de4307055588aa258e8734c1fa7bb4d88c55cd45fa8f51fa683b2b1d9d70

SHA512
822f35eae716660cfb0c7b70f795a8ad6f00775327b6bf533f0b6b87babb4c588505604a5a5929d0cc0bcb1e19f70dfd215324da11e8b4573901e4541ab30ad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\svrdarkcry.exe

Filesize
265KB

MD5
0e7a768676c5c1859ed10fdf4bf49f9d

SHA1
3bb1c7c5ac6669de6758394600c0e74d51a19309

SHA256
b57c41012033403c405958d9b7d838b3e74c12ddf5768196f827830522889a0f

SHA512
0aa60441731a0405022c5c9c5de2f14f6254a8eb76f10ab7ae8e57d8e64df62470624f178e03dd672cbf7eb27ad7b0a5207676787e0d3fc477197bf844f71b5d

Download Submit
\Users\Admin\AppData\Local\Temp\nse5CD1.tmp\LangDLL.dll

Filesize
5KB

MD5
1775e8fe7832f0351d4024ba3478c58d

SHA1
3a2aafd8275f384332f6d08224d927040ce37cb4

SHA256
a2a159540c738c7bc4d6ce8dd203bf859078409c0021a2a60f4b0faa5352d375

SHA512
362cda0e1f50a8fecde1611863b1c6218962e3ec198ce3641ce50910d400ac647cdc3742888140fd6817ce6b30d83865aa0c72292bb80b1ae86cab419e0fb2b7

Download Submit
\Users\Admin\AppData\Local\Temp\nse5CD1.tmp\System.dll

Filesize
11KB

MD5
c6f5b9596db45ce43f14b64e0fbcf552

SHA1
665a2207a643726602dc3e845e39435868dddabc

SHA256
4b6da3f2bdb6c452fb493b98f6b7aa1171787dbd3fa2df2b3b22ccaeac88ffa0

SHA512
8faa0204f9ed2721acede285be843b5a2d7f9986841bcf3816ebc8900910afb590816c64aebd2dd845686daf825bbf9970cb4a08b20a785c7e54542eddc5b09a

Download Submit
\Users\Admin\AppData\Local\Temp\nse5CD1.tmp\nsDialogs.dll

Filesize
9KB

MD5
f2c993a0c726386d72e4640967cef83e

SHA1
efe88db252b5e9edff2d859e783fcf1a349e553f

SHA256
6739a2c8075cc383620a867e983957de0b4ae9ef0453baadd1469132893d7301

SHA512
3873a87ba360702c72a6d3e853a0b6f2df219593cf5436d12a9d4d169029e939993c45330212008b628184da64ae98d6a7ab42b30d5f82c896acfc89d558169f

Download Submit
memory/664-15-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/664-34-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/664-84-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/664-19-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/664-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/664-16-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/664-22-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/664-35-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/664-14-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/664-33-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/2088-21-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2480-83-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2480-82-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2480-81-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2480-79-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2532-37-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2532-77-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2892-0-0x000007FEF59DE000-0x000007FEF59DF000-memory.dmp

Filesize
4KB

Download
memory/2892-26-0x000007FEF5720000-0x000007FEF60BD000-memory.dmp

Filesize
9.6MB

Download
memory/2892-13-0x000007FEF5720000-0x000007FEF60BD000-memory.dmp

Filesize
9.6MB

Download
memory/2892-2-0x000007FEF5720000-0x000007FEF60BD000-memory.dmp

Filesize
9.6MB

Download