darkcomet | e84e30a9b25dd4a255fced298c840589f96f35093f07235319400d637a5514d3

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2024 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
Size

406KB
MD5

96629368f4704ce4a58ae204080899ba
SHA1

0025522a0d665ea21a15b421a5418f01ed1d3f1b
SHA256

e84e30a9b25dd4a255fced298c840589f96f35093f07235319400d637a5514d3
SHA512

7e333f2f13c9ad17af1cf0680fde6da1ba31308c3d6735f5b54cc8f42ef35ff87d206ed4cbf9a0628eafb8e0ee064f96f59f4570288a37acab2b7abf6584735e
SSDEEP

12288:BMXxyNH7qNyWMnr2Xa5dlFi11US0nfPl3LzSv:BMoH7qNyWgr2q52KRnl3/Sv

Score

10^/10

darkcomet thirddata discovery persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

thirdData

testiphone.no-ip.biz:84

Mutex

DC_MUTEX-EQB5555

Attributes

gencode
ZdWvjJUlpaP2
install
false
offline_keylogger
false
password
motdepasse
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	MsCtfMonitor.exe

Executes dropped EXE 2 IoCs

pid	Process
2012	MsCtfMonitor.exe
5092	rtscom.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Activex Application Updater = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\MsCtfMonitor.exe"	MsCtfMonitor.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 416 set thread context of 3772	416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe	88
PID 5092 set thread context of 1532	5092	rtscom.exe	93

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3772-10-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/3772-9-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/3772-11-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/3772-13-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/3772-12-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/3772-15-0x0000000000400000-0x00000000004BA000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsCtfMonitor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rtscom.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
2012	MsCtfMonitor.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeDebugPrivilege	416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	3772	AppLaunch.exe
Token: SeSecurityPrivilege	3772	AppLaunch.exe
Token: SeTakeOwnershipPrivilege	3772	AppLaunch.exe
Token: SeLoadDriverPrivilege	3772	AppLaunch.exe
Token: SeSystemProfilePrivilege	3772	AppLaunch.exe
Token: SeSystemtimePrivilege	3772	AppLaunch.exe
Token: SeProfSingleProcessPrivilege	3772	AppLaunch.exe
Token: SeIncBasePriorityPrivilege	3772	AppLaunch.exe
Token: SeCreatePagefilePrivilege	3772	AppLaunch.exe
Token: SeBackupPrivilege	3772	AppLaunch.exe
Token: SeRestorePrivilege	3772	AppLaunch.exe
Token: SeShutdownPrivilege	3772	AppLaunch.exe
Token: SeDebugPrivilege	3772	AppLaunch.exe
Token: SeSystemEnvironmentPrivilege	3772	AppLaunch.exe
Token: SeChangeNotifyPrivilege	3772	AppLaunch.exe
Token: SeRemoteShutdownPrivilege	3772	AppLaunch.exe
Token: SeUndockPrivilege	3772	AppLaunch.exe
Token: SeManageVolumePrivilege	3772	AppLaunch.exe
Token: SeImpersonatePrivilege	3772	AppLaunch.exe
Token: SeCreateGlobalPrivilege	3772	AppLaunch.exe
Token: 33	3772	AppLaunch.exe
Token: 34	3772	AppLaunch.exe
Token: 35	3772	AppLaunch.exe
Token: 36	3772	AppLaunch.exe
Token: SeDebugPrivilege	2012	MsCtfMonitor.exe
Token: SeDebugPrivilege	5092	rtscom.exe
Token: SeIncreaseQuotaPrivilege	1532	AppLaunch.exe
Token: SeSecurityPrivilege	1532	AppLaunch.exe
Token: SeTakeOwnershipPrivilege	1532	AppLaunch.exe
Token: SeLoadDriverPrivilege	1532	AppLaunch.exe
Token: SeSystemProfilePrivilege	1532	AppLaunch.exe
Token: SeSystemtimePrivilege	1532	AppLaunch.exe
Token: SeProfSingleProcessPrivilege	1532	AppLaunch.exe
Token: SeIncBasePriorityPrivilege	1532	AppLaunch.exe
Token: SeCreatePagefilePrivilege	1532	AppLaunch.exe
Token: SeBackupPrivilege	1532	AppLaunch.exe
Token: SeRestorePrivilege	1532	AppLaunch.exe
Token: SeShutdownPrivilege	1532	AppLaunch.exe
Token: SeDebugPrivilege	1532	AppLaunch.exe
Token: SeSystemEnvironmentPrivilege	1532	AppLaunch.exe
Token: SeChangeNotifyPrivilege	1532	AppLaunch.exe
Token: SeRemoteShutdownPrivilege	1532	AppLaunch.exe
Token: SeUndockPrivilege	1532	AppLaunch.exe
Token: SeManageVolumePrivilege	1532	AppLaunch.exe
Token: SeImpersonatePrivilege	1532	AppLaunch.exe
Token: SeCreateGlobalPrivilege	1532	AppLaunch.exe
Token: 33	1532	AppLaunch.exe
Token: 34	1532	AppLaunch.exe
Token: 35	1532	AppLaunch.exe
Token: 36	1532	AppLaunch.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 416 wrote to memory of 3772	416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe	88
PID 416 wrote to memory of 3772	416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe	88
PID 416 wrote to memory of 3772	416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe	88
PID 416 wrote to memory of 3772	416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe	88
PID 416 wrote to memory of 3772	416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe	88
PID 416 wrote to memory of 3772	416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe	88
PID 416 wrote to memory of 3772	416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe	88
PID 416 wrote to memory of 3772	416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe	88
PID 416 wrote to memory of 2012	416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe	89
PID 416 wrote to memory of 2012	416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe	89
PID 416 wrote to memory of 2012	416	96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe	89
PID 2012 wrote to memory of 5092	2012	MsCtfMonitor.exe	90
PID 2012 wrote to memory of 5092	2012	MsCtfMonitor.exe	90
PID 2012 wrote to memory of 5092	2012	MsCtfMonitor.exe	90
PID 5092 wrote to memory of 1532	5092	rtscom.exe	93
PID 5092 wrote to memory of 1532	5092	rtscom.exe	93
PID 5092 wrote to memory of 1532	5092	rtscom.exe	93
PID 5092 wrote to memory of 1532	5092	rtscom.exe	93
PID 5092 wrote to memory of 1532	5092	rtscom.exe	93
PID 5092 wrote to memory of 1532	5092	rtscom.exe	93
PID 5092 wrote to memory of 1532	5092	rtscom.exe	93
PID 5092 wrote to memory of 1532	5092	rtscom.exe	93

C:\Users\Admin\AppData\Local\Temp\96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\96629368f4704ce4a58ae204080899ba_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:416
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3772
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MsCtfMonitor.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MsCtfMonitor.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Users\Admin\AppData\Local\Temp\rtscom.exe
    "C:\Users\Admin\AppData\Local\Temp\rtscom.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5092
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rtscom.exe

Filesize
406KB

MD5
96629368f4704ce4a58ae204080899ba

SHA1
0025522a0d665ea21a15b421a5418f01ed1d3f1b

SHA256
e84e30a9b25dd4a255fced298c840589f96f35093f07235319400d637a5514d3

SHA512
7e333f2f13c9ad17af1cf0680fde6da1ba31308c3d6735f5b54cc8f42ef35ff87d206ed4cbf9a0628eafb8e0ee064f96f59f4570288a37acab2b7abf6584735e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MsCtfMonitor.exe

Filesize
8KB

MD5
e824048f3f9786d0546cc2c46ade94a5

SHA1
3ca156921fb9cb6419bee49ab63331048cf8a027

SHA256
55f2a0ca79087cfc2d8c59578f9625ba76809e39d8d9eb2a7f4010ab07c58315

SHA512
6892512a3729c00ca1e3cdeb4f2bdc91b36b256e3c4f883d2a3651edca5bced12ba0fbeba7d060080d60de074da712575438d19c2c03b79aea4320609801e5be

Download Submit
memory/416-8-0x00000000754B0000-0x0000000075A61000-memory.dmp

Filesize
5.7MB

Download
memory/416-2-0x00000000754B0000-0x0000000075A61000-memory.dmp

Filesize
5.7MB

Download
memory/416-0-0x00000000754B2000-0x00000000754B3000-memory.dmp

Filesize
4KB

Download
memory/416-7-0x00000000754B2000-0x00000000754B3000-memory.dmp

Filesize
4KB

Download
memory/416-1-0x00000000754B0000-0x0000000075A61000-memory.dmp

Filesize
5.7MB

Download
memory/2012-32-0x00000000754B0000-0x0000000075A61000-memory.dmp

Filesize
5.7MB

Download
memory/2012-31-0x00000000754B2000-0x00000000754B3000-memory.dmp

Filesize
4KB

Download
memory/2012-28-0x00000000754B0000-0x0000000075A61000-memory.dmp

Filesize
5.7MB

Download
memory/2012-27-0x00000000754B0000-0x0000000075A61000-memory.dmp

Filesize
5.7MB

Download
memory/2012-26-0x00000000754B2000-0x00000000754B3000-memory.dmp

Filesize
4KB

Download
memory/3772-11-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3772-15-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3772-14-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/3772-12-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3772-13-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3772-9-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3772-10-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download