darkcomet | ab01cbd6f7caf8d17bd7fa7bcc99506be8dd81fcbf4daa81222f44500c963714

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
02-12-2024 09:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8013e0312054d2635ef24902a328285_JaffaCakes118.exe
Size

1.2MB
MD5

b8013e0312054d2635ef24902a328285
SHA1

63f200ccb8f46d74fa6c2f20732a7dff7f1a1e40
SHA256

ab01cbd6f7caf8d17bd7fa7bcc99506be8dd81fcbf4daa81222f44500c963714
SHA512

9dd7dc2504e7ba770576c73a602fe884c417de454ace646b38406db30c5e59fe057117013faf230c257f8eadc03a803889d2c94272f57335d9a20126c57f8ec0
SSDEEP

24576:7xagUxoKN3ZHXcVkVRVPWEMcJgOvTUwwRsbkmif6:2HXXIgJgOQ

Score

10^/10

darkcomet will defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Will

twynix.myvnc.com:2433

Mutex

DC_MUTEX-2DXNGLY

Attributes

gencode
q9Sj6itdwyBJ
install
false
offline_keylogger
true
password
df0189d921
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Audio Device = "C:\\Users\\Admin\\AppData\\Roaming\\ahekoha.exe"	vbc.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 108 set thread context of 2784	108	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	34
PID 108 set thread context of 2888	108	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	37

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\ahekoha.exe:ZONE.identifier	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\ahekoha.exe:ZONE.identifier	cmd.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	108	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2888	vbc.exe
Token: SeSecurityPrivilege	2888	vbc.exe
Token: SeTakeOwnershipPrivilege	2888	vbc.exe
Token: SeLoadDriverPrivilege	2888	vbc.exe
Token: SeSystemProfilePrivilege	2888	vbc.exe
Token: SeSystemtimePrivilege	2888	vbc.exe
Token: SeProfSingleProcessPrivilege	2888	vbc.exe
Token: SeIncBasePriorityPrivilege	2888	vbc.exe
Token: SeCreatePagefilePrivilege	2888	vbc.exe
Token: SeBackupPrivilege	2888	vbc.exe
Token: SeRestorePrivilege	2888	vbc.exe
Token: SeShutdownPrivilege	2888	vbc.exe
Token: SeDebugPrivilege	2888	vbc.exe
Token: SeSystemEnvironmentPrivilege	2888	vbc.exe
Token: SeChangeNotifyPrivilege	2888	vbc.exe
Token: SeRemoteShutdownPrivilege	2888	vbc.exe
Token: SeUndockPrivilege	2888	vbc.exe
Token: SeManageVolumePrivilege	2888	vbc.exe
Token: SeImpersonatePrivilege	2888	vbc.exe
Token: SeCreateGlobalPrivilege	2888	vbc.exe
Token: 33	2888	vbc.exe
Token: 34	2888	vbc.exe
Token: 35	2888	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2764	DllHost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2784	vbc.exe
2888	vbc.exe
2764	DllHost.exe
2764	DllHost.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 108 wrote to memory of 2360	108	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	31
PID 108 wrote to memory of 2360	108	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	31
PID 108 wrote to memory of 2360	108	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	31
PID 108 wrote to memory of 2360	108	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	31
PID 2360 wrote to memory of 2492	2360	vbc.exe	33
PID 2360 wrote to memory of 2492	2360	vbc.exe	33
PID 2360 wrote to memory of 2492	2360	vbc.exe	33
PID 2360 wrote to memory of 2492	2360	vbc.exe	33
PID 108 wrote to memory of 2784	108	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	34
PID 108 wrote to memory of 2784	108	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	34
PID 108 wrote to memory of 2784	108	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	34
PID 108 wrote to memory of 2784	108	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	34
PID 108 wrote to memory of 2784	108	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	34
PID 108 wrote to memory of 2784	108	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	34
PID 108 wrote to memory of 2784	108	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	34
PID 108 wrote to memory of 2784	108	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	34
PID 108 wrote to memory of 2784	108	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	34
PID 108 wrote to memory of 2904	108	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	35
PID 108 wrote to memory of 2904	108	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	35
PID 108 wrote to memory of 2904	108	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	35
PID 108 wrote to memory of 2904	108	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	35
PID 108 wrote to memory of 2888	108	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	37
PID 108 wrote to memory of 2888	108	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	37
PID 108 wrote to memory of 2888	108	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	37
PID 108 wrote to memory of 2888	108	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	37
PID 108 wrote to memory of 2888	108	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	37
PID 108 wrote to memory of 2888	108	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	37
PID 108 wrote to memory of 2888	108	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	37
PID 108 wrote to memory of 2888	108	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	37
PID 108 wrote to memory of 2888	108	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	37
PID 108 wrote to memory of 2888	108	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	37
PID 108 wrote to memory of 2888	108	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	37
PID 108 wrote to memory of 2888	108	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	37
PID 108 wrote to memory of 2888	108	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	37

C:\Users\Admin\AppData\Local\Temp\b8013e0312054d2635ef24902a328285_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b8013e0312054d2635ef24902a328285_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:108
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\04qot13a.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD902.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD901.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2492
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2784
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:2904
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2888

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\04qot13a.0.vb

Filesize
256B

MD5
9f362c5084b0126d5460310d3353d13e

SHA1
8617abc0a8c22a109b52e2e3c85b4400ed04b40e

SHA256
83ef5a38a9ddf6fcb030ef4f4f63c0e989a49c83691f18b07f851bf35544f2d0

SHA512
9f701a8cec9297f50533ee6cf72851f2400bc777013b663cacea1b531801446d08ffc9a3f5d120b7e81a0f363c7421b9c2103e26be6606f7fe29de3107c4cbbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\04qot13a.cmdline

Filesize
317B

MD5
5590a8b03c98ec35364dedc8b53e9e67

SHA1
5743c7d0622b600f9a8610ee0d70c9986f227444

SHA256
79331ed1ff60514454b80ced6cf5c1c92bafaa92e7f4ecedb7fbf813fc8112ac

SHA512
ced2b415556607fcb07cec680f5b890b09ee6c020ac5a32129a6673a4051ade103668f5a5b7347a2989e9dbf4646da9e5da46fd8db5cb6843eba242f7a2d38cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\04qot13a.dll

Filesize
6KB

MD5
d4b108aadc926f96cc7100036a8a6303

SHA1
b65f54329cc0254b7159cc2ae780cb7a195b18d8

SHA256
b08f1ebbafdb12e5b28c0edfaf8cc5a9bffa995236e1adf467f04bc04ce591b8

SHA512
4f747ae1479624db054e2fd5640bd90a268114386dd04b551d9b10135f44d260dce7a0e115fbff88cd6a25695a692cc2e168087583a370ac72dbd33e31bd76ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMG_ANDROID_061512_001632254.JPG

Filesize
205KB

MD5
367b59c27d2c952b43521563bbd204ba

SHA1
2be5cbe45fcfa6d713a784569eddbe328edf0ebb

SHA256
8318dccec3113e9c1ef9018d0d3579f617338b93761a9abd6554571ad1ad3188

SHA512
2c5f140bfcb341db96d254164ce5c4a4f01b781c2c9bbd9c8251ddf0be2473c0f9c8c744f246ffb4b84a13597393ed81bbfd0cf82d96d60e602623858395e808

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD902.tmp

Filesize
1KB

MD5
203972caf7b8675ebbbb03550ed15490

SHA1
2159123c826349497420734258a5acc5b5270185

SHA256
b8d20b50253774806030630f21c13ae1de5e9529e6d19ff083b7352cc8bf9527

SHA512
af3782a0edbb09681e09215cc4a5be0623c541028337ce8533f9b65f251e3d3da990deb897a4e11595fd93725e1ebbf7be172308a01fcef68d9722bd060061c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD901.tmp

Filesize
652B

MD5
d22ca34878c9b71a3108f703a9f3d307

SHA1
d15d7dd12b49217ca6fc8122e2d8c827b07f3df8

SHA256
df38fa54170f31e4fa40997966a395e7909887b3776c3c6ee49bf6e7b207a9d9

SHA512
d583fa893f0c2876b0973531796c6f82aa175cd7d15d6cfd565f1e725b951d48e613281c5bf2ebf909b399af667d872f27bb9efd359f9b2ca3eb6847916e5e63

Download Submit
C:\Users\Admin\AppData\Roaming\ahekoha.exe:ZONE.identifier

Filesize
27B

MD5
130a75a932a2fe57bfea6a65b88da8f6

SHA1
b66d7530d150d45c0a390bb3c2cd4ca4fc404d1c

SHA256
f2b79cae559d6772afc1c2ed9468988178f8b6833d5028a15dea73ce47d0196e

SHA512
6cd147c6f3af95803b7b0898e97ec2ed374c1f56a487b50e3d22003a67cec26a6fa12a3920b1b5624bde156f9601469ae3c7b7354fa8cf37be76c84121767eed

Download Submit
C:\Users\Admin\AppData\Roaming\fp.txt

Filesize
107B

MD5
1caa65cbb28efa50a25b8137e9cbe039

SHA1
9af5de33f1db66ea59dc6f58f549e359e6fd2d6a

SHA256
e4635fdf45ba10bfa7ae893302d9078f27654dba5d6e863dc851dd65b50a4222

SHA512
c6becb524c88de5e90907986091db546e6478832efacf2883efd0e606ebcd1ea11ade2246d488f2b8814fd282c5686f03e9fa05af308d1d8bd1f66a2d995e42c

Download Submit
memory/108-2-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/108-1-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/108-0-0x0000000074621000-0x0000000074622000-memory.dmp

Filesize
4KB

Download
memory/108-61-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/2360-7-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/2360-16-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/2764-63-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/2784-30-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2784-32-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2784-38-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2784-20-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2784-22-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2784-24-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2784-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2888-49-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2888-67-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2888-55-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2888-47-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2888-45-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2888-43-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2888-59-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2888-58-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2888-62-0x0000000001F40000-0x0000000001F42000-memory.dmp

Filesize
8KB

Download
memory/2888-52-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2888-64-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2888-65-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2888-41-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2888-53-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2888-68-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2888-69-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2888-70-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2888-71-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2888-72-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2888-73-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2888-74-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2888-75-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2888-76-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2888-77-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2888-78-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2888-79-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2888-80-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads