darkcomet | 6d6ac08d166cba2f92f1486ca95b8910b357438a52213db079a480c6ca8285bd

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2024 08:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

affb5b64eecbeb5f91696981a728084e_JaffaCakes118.exe
Size

1.9MB
MD5

affb5b64eecbeb5f91696981a728084e
SHA1

17328b9942c706e6590ba25aef2f80bbc4a9beed
SHA256

6d6ac08d166cba2f92f1486ca95b8910b357438a52213db079a480c6ca8285bd
SHA512

e7381e2e58440122ac0b3839249009c57a57f17d096cec9f16a47eb7987a3238a3c75cef05308a37414715fa3ef7875b46687b5a5c0f13009c1110bc53dd6345
SSDEEP

49152:+KdzWDktvGKI6zpOg31DUT7RsB7Rss7RsR:lCDkFL3VUnRslRssRsR

Score

10^/10

darkcomet discovery rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Crypted.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	affb5b64eecbeb5f91696981a728084e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	crypted-local.exe

Executes dropped EXE 3 IoCs

pid	Process
4780	crypted-local.exe
4520	Allopass generator.exe
3252	Crypted.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3252 set thread context of 220	3252	Crypted.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Allopass generator.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Crypted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Crypted.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Crypted.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Crypted.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	Crypted.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Crypted.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3252	Crypted.exe
Token: SeSecurityPrivilege	3252	Crypted.exe
Token: SeTakeOwnershipPrivilege	3252	Crypted.exe
Token: SeLoadDriverPrivilege	3252	Crypted.exe
Token: SeSystemProfilePrivilege	3252	Crypted.exe
Token: SeSystemtimePrivilege	3252	Crypted.exe
Token: SeProfSingleProcessPrivilege	3252	Crypted.exe
Token: SeIncBasePriorityPrivilege	3252	Crypted.exe
Token: SeCreatePagefilePrivilege	3252	Crypted.exe
Token: SeBackupPrivilege	3252	Crypted.exe
Token: SeRestorePrivilege	3252	Crypted.exe
Token: SeShutdownPrivilege	3252	Crypted.exe
Token: SeDebugPrivilege	3252	Crypted.exe
Token: SeSystemEnvironmentPrivilege	3252	Crypted.exe
Token: SeChangeNotifyPrivilege	3252	Crypted.exe
Token: SeRemoteShutdownPrivilege	3252	Crypted.exe
Token: SeUndockPrivilege	3252	Crypted.exe
Token: SeManageVolumePrivilege	3252	Crypted.exe
Token: SeImpersonatePrivilege	3252	Crypted.exe
Token: SeCreateGlobalPrivilege	3252	Crypted.exe
Token: 33	3252	Crypted.exe
Token: 34	3252	Crypted.exe
Token: 35	3252	Crypted.exe
Token: 36	3252	Crypted.exe
Token: SeIncreaseQuotaPrivilege	220	explorer.exe
Token: SeSecurityPrivilege	220	explorer.exe
Token: SeTakeOwnershipPrivilege	220	explorer.exe
Token: SeLoadDriverPrivilege	220	explorer.exe
Token: SeSystemProfilePrivilege	220	explorer.exe
Token: SeSystemtimePrivilege	220	explorer.exe
Token: SeProfSingleProcessPrivilege	220	explorer.exe
Token: SeIncBasePriorityPrivilege	220	explorer.exe
Token: SeCreatePagefilePrivilege	220	explorer.exe
Token: SeBackupPrivilege	220	explorer.exe
Token: SeRestorePrivilege	220	explorer.exe
Token: SeShutdownPrivilege	220	explorer.exe
Token: SeDebugPrivilege	220	explorer.exe
Token: SeSystemEnvironmentPrivilege	220	explorer.exe
Token: SeChangeNotifyPrivilege	220	explorer.exe
Token: SeRemoteShutdownPrivilege	220	explorer.exe
Token: SeUndockPrivilege	220	explorer.exe
Token: SeManageVolumePrivilege	220	explorer.exe
Token: SeImpersonatePrivilege	220	explorer.exe
Token: SeCreateGlobalPrivilege	220	explorer.exe
Token: 33	220	explorer.exe
Token: 34	220	explorer.exe
Token: 35	220	explorer.exe
Token: 36	220	explorer.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 4780	1096	affb5b64eecbeb5f91696981a728084e_JaffaCakes118.exe	83
PID 1096 wrote to memory of 4780	1096	affb5b64eecbeb5f91696981a728084e_JaffaCakes118.exe	83
PID 1096 wrote to memory of 4520	1096	affb5b64eecbeb5f91696981a728084e_JaffaCakes118.exe	84
PID 1096 wrote to memory of 4520	1096	affb5b64eecbeb5f91696981a728084e_JaffaCakes118.exe	84
PID 1096 wrote to memory of 4520	1096	affb5b64eecbeb5f91696981a728084e_JaffaCakes118.exe	84
PID 4780 wrote to memory of 3252	4780	crypted-local.exe	85
PID 4780 wrote to memory of 3252	4780	crypted-local.exe	85
PID 4780 wrote to memory of 3252	4780	crypted-local.exe	85
PID 3252 wrote to memory of 220	3252	Crypted.exe	86
PID 3252 wrote to memory of 220	3252	Crypted.exe	86
PID 3252 wrote to memory of 220	3252	Crypted.exe	86
PID 3252 wrote to memory of 220	3252	Crypted.exe	86
PID 3252 wrote to memory of 220	3252	Crypted.exe	86

C:\Users\Admin\AppData\Local\Temp\affb5b64eecbeb5f91696981a728084e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\affb5b64eecbeb5f91696981a728084e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Users\Admin\AppData\Local\Temp\crypted-local.exe
  "C:\Users\Admin\AppData\Local\Temp\crypted-local.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Users\Admin\AppData\Local\Temp\Crypted.exe
    "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3252
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      4⤵
      Checks BIOS information in registry
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      PID:220
- C:\Users\Admin\AppData\Local\Temp\Allopass generator.exe
  "C:\Users\Admin\AppData\Local\Temp\Allopass generator.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Allopass generator.exe

Filesize
606KB

MD5
e6a8fd3995f57f302a2238abbd3a07c7

SHA1
7f4dc62e4394f52de9d1fdfd9631704e7e62aa23

SHA256
4b730ae873b513ff8420debf51fb1bc01a1902a48bb7f1becaf3cbe1b16d5d76

SHA512
83550d4763019f160723929d77dcba7973b02247425ba8bb6ba09df2e77d7c53fc1a41825efb42c86f959c69b3a669a7657f6abfde7db74d08741f7deb4918f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Crypted.exe

Filesize
658KB

MD5
15b05b236b770a4459f647e90a285dd7

SHA1
5e4ef073c021a79a337ed8b271fc6f4b35b2efe4

SHA256
2e674da3566238b949990dce325faecf2a6a23cb8cb77c16b74621f1e79defcd

SHA512
922f33d30bae60037302ebed37f11e2ccedce79ec1332f0f5dd3eb4e5441fa45aec48a553649aaae9c9dfc9fcca6d667109cc5368185e18cdc07cf02bdbe8e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\crypted-local.exe

Filesize
807KB

MD5
abd0a551a83bf34b693e5bd62dc12072

SHA1
c85284944c0685f52462b67ebe4ee696277416c4

SHA256
bba0042db7a44929c2e07ed45cd934d71048aabc228bcc899ec77713f6a35d51

SHA512
d89261e60ed3f19fbd4cb8de44a8c37746241be65856c2ca140e73405d0bfef4c44e982f437c4440cdccaca8bb70d20af96bcb47f78875d09e932b8f2a85f2eb

Download Submit
memory/220-58-0x0000000013140000-0x00000000131F6000-memory.dmp

Filesize
728KB

Download
memory/220-57-0x0000000013140000-0x00000000131F6000-memory.dmp

Filesize
728KB

Download
memory/220-54-0x0000000013140000-0x00000000131F6000-memory.dmp

Filesize
728KB

Download
memory/220-55-0x0000000013140000-0x00000000131F6000-memory.dmp

Filesize
728KB

Download
memory/1096-35-0x00007FFEF1340000-0x00007FFEF1CE1000-memory.dmp

Filesize
9.6MB

Download
memory/1096-6-0x00007FFEF1340000-0x00007FFEF1CE1000-memory.dmp

Filesize
9.6MB

Download
memory/1096-9-0x00007FFEF1340000-0x00007FFEF1CE1000-memory.dmp

Filesize
9.6MB

Download
memory/1096-10-0x00007FFEF1340000-0x00007FFEF1CE1000-memory.dmp

Filesize
9.6MB

Download
memory/1096-7-0x000000001BCA0000-0x000000001BCEC000-memory.dmp

Filesize
304KB

Download
memory/1096-5-0x0000000000880000-0x0000000000888000-memory.dmp

Filesize
32KB

Download
memory/1096-1-0x000000001AF90000-0x000000001B036000-memory.dmp

Filesize
664KB

Download
memory/1096-0-0x00007FFEF15F5000-0x00007FFEF15F6000-memory.dmp

Filesize
4KB

Download
memory/1096-2-0x00007FFEF1340000-0x00007FFEF1CE1000-memory.dmp

Filesize
9.6MB

Download
memory/1096-3-0x000000001B590000-0x000000001BA5E000-memory.dmp

Filesize
4.8MB

Download
memory/1096-8-0x00007FFEF1340000-0x00007FFEF1CE1000-memory.dmp

Filesize
9.6MB

Download
memory/1096-4-0x000000001BB40000-0x000000001BBDC000-memory.dmp

Filesize
624KB

Download
memory/3252-56-0x0000000013140000-0x00000000131F6000-memory.dmp

Filesize
728KB

Download
memory/4520-38-0x0000000000200000-0x00000000002A0000-memory.dmp

Filesize
640KB

Download
memory/4520-42-0x0000000004BB0000-0x0000000004BBA000-memory.dmp

Filesize
40KB

Download
memory/4520-44-0x0000000004E20000-0x0000000004E76000-memory.dmp

Filesize
344KB

Download
memory/4520-40-0x0000000005100000-0x00000000056A4000-memory.dmp

Filesize
5.6MB

Download
memory/4520-41-0x0000000004BF0000-0x0000000004C82000-memory.dmp

Filesize
584KB

Download
memory/4520-39-0x0000000004AB0000-0x0000000004B4C000-memory.dmp

Filesize
624KB

Download
memory/4780-53-0x00007FFEF1340000-0x00007FFEF1CE1000-memory.dmp

Filesize
9.6MB

Download
memory/4780-37-0x00007FFEF1340000-0x00007FFEF1CE1000-memory.dmp

Filesize
9.6MB

Download
memory/4780-36-0x00007FFEF1340000-0x00007FFEF1CE1000-memory.dmp

Filesize
9.6MB

Download
memory/4780-34-0x00007FFEF1340000-0x00007FFEF1CE1000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads