Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-11-2024 00:00
Behavioral task: behavioral1
Sample: a4d2cd5d1efc7fab78e480cf28dd16bb_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: a4d2cd5d1efc7fab78e480cf28dd16bb_JaffaCakes118.exe
Size: 2.2MB
MD5: a4d2cd5d1efc7fab78e480cf28dd16bb
SHA1: 4ee1508b6d0e31d73e8509c2b4b60a25a025bdbc
SHA256: e2da2cf00a3d33fd8d416d6883a162079fe5fe21a2785d48e992d497425703bd
SHA512: bebad14834cf0fe73b9003406963920fa03935318aec39b228bca1ad2e67cc1b658eb80cd6b54a9ca3b672f7f62ea6ceb5b6d1e56a7118c267be5e684ff855e9
SSDEEP: 49152:lK1A6CWs7ypd+jBzEtxmk1C08QtLwhdSOp:lK1xNs7yKBimKUQtL4S8
Malware Config
Signatures
Darkcomet family

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | a4d2cd5d1efc7fab78e480cf28dd16bb_JaffaCakes118.exe
Executes dropped EXE (1 IoC)
pid | Process
4820 | CRYPTER ANGEL BY DR ZINOU 2012.EXE
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 3436 set thread context of 2624 | 3436 | a4d2cd5d1efc7fab78e480cf28dd16bb_JaffaCakes118.exe | 83
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a4d2cd5d1efc7fab78e480cf28dd16bb_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iexplore.exe
Modifies registry class (20 IoCs)
description | ioc | Process
Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | CRYPTER ANGEL BY DR ZINOU 2012.EXE
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | CRYPTER ANGEL BY DR ZINOU 2012.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | CRYPTER ANGEL BY DR ZINOU 2012.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | CRYPTER ANGEL BY DR ZINOU 2012.EXE
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | CRYPTER ANGEL BY DR ZINOU 2012.EXE
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | CRYPTER ANGEL BY DR ZINOU 2012.EXE
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | CRYPTER ANGEL BY DR ZINOU 2012.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | CRYPTER ANGEL BY DR ZINOU 2012.EXE
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | CRYPTER ANGEL BY DR ZINOU 2012.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" | CRYPTER ANGEL BY DR ZINOU 2012.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | CRYPTER ANGEL BY DR ZINOU 2012.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 | CRYPTER ANGEL BY DR ZINOU 2012.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | CRYPTER ANGEL BY DR ZINOU 2012.EXE
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | CRYPTER ANGEL BY DR ZINOU 2012.EXE
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | CRYPTER ANGEL BY DR ZINOU 2012.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | CRYPTER ANGEL BY DR ZINOU 2012.EXE
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | CRYPTER ANGEL BY DR ZINOU 2012.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | CRYPTER ANGEL BY DR ZINOU 2012.EXE
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | CRYPTER ANGEL BY DR ZINOU 2012.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | CRYPTER ANGEL BY DR ZINOU 2012.EXE
Suspicious use of AdjustPrivilegeToken (48 IoCs)
description | pid | Process
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (one IoC per token, 24 total) | 3436 | a4d2cd5d1efc7fab78e480cf28dd16bb_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (one IoC per token, 24 total) | 2624 | iexplore.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process
4820 | CRYPTER ANGEL BY DR ZINOU 2012.EXE (12 occurrences)
Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | Process | procid_target
PID 3436 wrote to memory of 4820 | 3436 | a4d2cd5d1efc7fab78e480cf28dd16bb_JaffaCakes118.exe | 82
PID 3436 wrote to memory of 4820 | 3436 | a4d2cd5d1efc7fab78e480cf28dd16bb_JaffaCakes118.exe | 82
PID 3436 wrote to memory of 2624 | 3436 | a4d2cd5d1efc7fab78e480cf28dd16bb_JaffaCakes118.exe | 83
PID 3436 wrote to memory of 2624 | 3436 | a4d2cd5d1efc7fab78e480cf28dd16bb_JaffaCakes118.exe | 83
PID 3436 wrote to memory of 2624 | 3436 | a4d2cd5d1efc7fab78e480cf28dd16bb_JaffaCakes118.exe | 83
PID 3436 wrote to memory of 2624 | 3436 | a4d2cd5d1efc7fab78e480cf28dd16bb_JaffaCakes118.exe | 83
PID 3436 wrote to memory of 2624 | 3436 | a4d2cd5d1efc7fab78e480cf28dd16bb_JaffaCakes118.exe | 83
Processes
C:\Users\Admin\AppData\Local\Temp\a4d2cd5d1efc7fab78e480cf28dd16bb_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a4d2cd5d1efc7fab78e480cf28dd16bb_JaffaCakes118.exe"
  PID: 3436
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\CRYPTER ANGEL BY DR ZINOU 2012.EXE (depth 2, child of PID 3436)
    Command line: "C:\Users\Admin\AppData\Local\Temp\CRYPTER ANGEL BY DR ZINOU 2012.EXE"
    PID: 4820
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx

  C:\Program Files (x86)\Internet Explorer\iexplore.exe (depth 2, child of PID 3436)
    Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    PID: 2624
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.6MB
MD5: c4cf1de9eaca71ff1dd26cb660248aff
SHA1: c08cbe78c649f68a3a2b7354ba97ef77d46909ad
SHA256: 76d34459b09b6d8a695fb2fb87eb518fc2186d3400c924efb88d403f12800c3c
SHA512: 48d7385b27c6cc75e74177097545f7e42e350cc24c62a050798199826e52e2f1b5631a14d19e33a9bed5946bfdd143c9d17d0109874369c5163457d1ddffd0be