darkcomet | 6127a7138e021cda4e64f0bfe0ca74c1b8a66ba5840b0d9ecff7f4096d279514

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2024 08:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0fe55ed4b6e9f7b70c640681e7116c9_JaffaCakes118.exe
Size

791KB
MD5

a0fe55ed4b6e9f7b70c640681e7116c9
SHA1

5adb7ad253412cfbaefb0004fde0557449c9ce03
SHA256

6127a7138e021cda4e64f0bfe0ca74c1b8a66ba5840b0d9ecff7f4096d279514
SHA512

26c34ac7cbd7205283f95e4fc3d0208dbdac4aaf2412c54ecfec888a4bb850cae1ca32de6c2095203a7bca5c84ae923bbce66decf669837d3a4788d5e821e81f
SSDEEP

24576:vOESUc+MtiJ+kOsK70iFt8qBP7TH24v6:vJS+J+kO5t84P1

Score

10^/10

darkcomet jdb discovery evasion rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

JDB

robbery.no-ip.org:1338

Mutex

RobEU-King

Attributes

gencode
BUyCSukijnkZ
install
false
offline_keylogger
true
password
robeu
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
764	attrib.exe
5040	attrib.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4224 set thread context of 1428	4224	a0fe55ed4b6e9f7b70c640681e7116c9_JaffaCakes118.exe	83
PID 1428 set thread context of 4908	1428	csc.exe	87

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727	attrib.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a0fe55ed4b6e9f7b70c640681e7116c9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1428	csc.exe
Token: SeSecurityPrivilege	1428	csc.exe
Token: SeTakeOwnershipPrivilege	1428	csc.exe
Token: SeLoadDriverPrivilege	1428	csc.exe
Token: SeSystemProfilePrivilege	1428	csc.exe
Token: SeSystemtimePrivilege	1428	csc.exe
Token: SeProfSingleProcessPrivilege	1428	csc.exe
Token: SeIncBasePriorityPrivilege	1428	csc.exe
Token: SeCreatePagefilePrivilege	1428	csc.exe
Token: SeBackupPrivilege	1428	csc.exe
Token: SeRestorePrivilege	1428	csc.exe
Token: SeShutdownPrivilege	1428	csc.exe
Token: SeDebugPrivilege	1428	csc.exe
Token: SeSystemEnvironmentPrivilege	1428	csc.exe
Token: SeChangeNotifyPrivilege	1428	csc.exe
Token: SeRemoteShutdownPrivilege	1428	csc.exe
Token: SeUndockPrivilege	1428	csc.exe
Token: SeManageVolumePrivilege	1428	csc.exe
Token: SeImpersonatePrivilege	1428	csc.exe
Token: SeCreateGlobalPrivilege	1428	csc.exe
Token: 33	1428	csc.exe
Token: 34	1428	csc.exe
Token: 35	1428	csc.exe
Token: 36	1428	csc.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 4224 wrote to memory of 1428	4224	a0fe55ed4b6e9f7b70c640681e7116c9_JaffaCakes118.exe	83
PID 4224 wrote to memory of 1428	4224	a0fe55ed4b6e9f7b70c640681e7116c9_JaffaCakes118.exe	83
PID 4224 wrote to memory of 1428	4224	a0fe55ed4b6e9f7b70c640681e7116c9_JaffaCakes118.exe	83
PID 4224 wrote to memory of 1428	4224	a0fe55ed4b6e9f7b70c640681e7116c9_JaffaCakes118.exe	83
PID 4224 wrote to memory of 1428	4224	a0fe55ed4b6e9f7b70c640681e7116c9_JaffaCakes118.exe	83
PID 4224 wrote to memory of 1428	4224	a0fe55ed4b6e9f7b70c640681e7116c9_JaffaCakes118.exe	83
PID 4224 wrote to memory of 1428	4224	a0fe55ed4b6e9f7b70c640681e7116c9_JaffaCakes118.exe	83
PID 4224 wrote to memory of 1428	4224	a0fe55ed4b6e9f7b70c640681e7116c9_JaffaCakes118.exe	83
PID 4224 wrote to memory of 1428	4224	a0fe55ed4b6e9f7b70c640681e7116c9_JaffaCakes118.exe	83
PID 4224 wrote to memory of 1428	4224	a0fe55ed4b6e9f7b70c640681e7116c9_JaffaCakes118.exe	83
PID 4224 wrote to memory of 1428	4224	a0fe55ed4b6e9f7b70c640681e7116c9_JaffaCakes118.exe	83
PID 4224 wrote to memory of 1428	4224	a0fe55ed4b6e9f7b70c640681e7116c9_JaffaCakes118.exe	83
PID 4224 wrote to memory of 1428	4224	a0fe55ed4b6e9f7b70c640681e7116c9_JaffaCakes118.exe	83
PID 4224 wrote to memory of 1428	4224	a0fe55ed4b6e9f7b70c640681e7116c9_JaffaCakes118.exe	83
PID 1428 wrote to memory of 3248	1428	csc.exe	84
PID 1428 wrote to memory of 3248	1428	csc.exe	84
PID 1428 wrote to memory of 3248	1428	csc.exe	84
PID 1428 wrote to memory of 4508	1428	csc.exe	86
PID 1428 wrote to memory of 4508	1428	csc.exe	86
PID 1428 wrote to memory of 4508	1428	csc.exe	86
PID 1428 wrote to memory of 4908	1428	csc.exe	87
PID 1428 wrote to memory of 4908	1428	csc.exe	87
PID 1428 wrote to memory of 4908	1428	csc.exe	87
PID 1428 wrote to memory of 4908	1428	csc.exe	87
PID 1428 wrote to memory of 4908	1428	csc.exe	87
PID 3248 wrote to memory of 5040	3248	cmd.exe	90
PID 3248 wrote to memory of 5040	3248	cmd.exe	90
PID 3248 wrote to memory of 5040	3248	cmd.exe	90
PID 4508 wrote to memory of 764	4508	cmd.exe	91
PID 4508 wrote to memory of 764	4508	cmd.exe	91
PID 4508 wrote to memory of 764	4508	cmd.exe	91

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
764	attrib.exe
5040	attrib.exe

C:\Users\Admin\AppData\Local\Temp\a0fe55ed4b6e9f7b70c640681e7116c9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a0fe55ed4b6e9f7b70c640681e7116c9_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4224
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1428
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" +s +h
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3248
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" +s +h
      4⤵
      Sets file to hidden
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:5040
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4508
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
      4⤵
      Sets file to hidden
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:764
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:4908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1428-2-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1428-3-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1428-5-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1428-6-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1428-8-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1428-9-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1428-11-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4224-0-0x0000000074692000-0x0000000074693000-memory.dmp

Filesize
4KB

Download
memory/4224-1-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/4224-7-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/4908-10-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads