darkcomet | ab01cbd6f7caf8d17bd7fa7bcc99506be8dd81fcbf4daa81222f44500c963714

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2024 09:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8013e0312054d2635ef24902a328285_JaffaCakes118.exe
Size

1.2MB
MD5

b8013e0312054d2635ef24902a328285
SHA1

63f200ccb8f46d74fa6c2f20732a7dff7f1a1e40
SHA256

ab01cbd6f7caf8d17bd7fa7bcc99506be8dd81fcbf4daa81222f44500c963714
SHA512

9dd7dc2504e7ba770576c73a602fe884c417de454ace646b38406db30c5e59fe057117013faf230c257f8eadc03a803889d2c94272f57335d9a20126c57f8ec0
SSDEEP

24576:7xagUxoKN3ZHXcVkVRVPWEMcJgOvTUwwRsbkmif6:2HXXIgJgOQ

Score

10^/10

darkcomet will defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Will

twynix.myvnc.com:2433

Mutex

DC_MUTEX-2DXNGLY

Attributes

gencode
q9Sj6itdwyBJ
install
false
offline_keylogger
true
password
df0189d921
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audio Device = "C:\\Users\\Admin\\AppData\\Roaming\\ahekoha.exe"	vbc.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4744 set thread context of 3372	4744	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	86
PID 4744 set thread context of 2332	4744	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	89

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\ahekoha.exe:ZONE.identifier	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\ahekoha.exe:ZONE.identifier	cmd.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	4744	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2332	vbc.exe
Token: SeSecurityPrivilege	2332	vbc.exe
Token: SeTakeOwnershipPrivilege	2332	vbc.exe
Token: SeLoadDriverPrivilege	2332	vbc.exe
Token: SeSystemProfilePrivilege	2332	vbc.exe
Token: SeSystemtimePrivilege	2332	vbc.exe
Token: SeProfSingleProcessPrivilege	2332	vbc.exe
Token: SeIncBasePriorityPrivilege	2332	vbc.exe
Token: SeCreatePagefilePrivilege	2332	vbc.exe
Token: SeBackupPrivilege	2332	vbc.exe
Token: SeRestorePrivilege	2332	vbc.exe
Token: SeShutdownPrivilege	2332	vbc.exe
Token: SeDebugPrivilege	2332	vbc.exe
Token: SeSystemEnvironmentPrivilege	2332	vbc.exe
Token: SeChangeNotifyPrivilege	2332	vbc.exe
Token: SeRemoteShutdownPrivilege	2332	vbc.exe
Token: SeUndockPrivilege	2332	vbc.exe
Token: SeManageVolumePrivilege	2332	vbc.exe
Token: SeImpersonatePrivilege	2332	vbc.exe
Token: SeCreateGlobalPrivilege	2332	vbc.exe
Token: 33	2332	vbc.exe
Token: 34	2332	vbc.exe
Token: 35	2332	vbc.exe
Token: 36	2332	vbc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3372	vbc.exe
2332	vbc.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 2848	4744	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	83
PID 4744 wrote to memory of 2848	4744	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	83
PID 4744 wrote to memory of 2848	4744	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	83
PID 2848 wrote to memory of 4604	2848	vbc.exe	85
PID 2848 wrote to memory of 4604	2848	vbc.exe	85
PID 2848 wrote to memory of 4604	2848	vbc.exe	85
PID 4744 wrote to memory of 3372	4744	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	86
PID 4744 wrote to memory of 3372	4744	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	86
PID 4744 wrote to memory of 3372	4744	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	86
PID 4744 wrote to memory of 3372	4744	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	86
PID 4744 wrote to memory of 3372	4744	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	86
PID 4744 wrote to memory of 3372	4744	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	86
PID 4744 wrote to memory of 3372	4744	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	86
PID 4744 wrote to memory of 3372	4744	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	86
PID 4744 wrote to memory of 4556	4744	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	87
PID 4744 wrote to memory of 4556	4744	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	87
PID 4744 wrote to memory of 4556	4744	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	87
PID 4744 wrote to memory of 2332	4744	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	89
PID 4744 wrote to memory of 2332	4744	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	89
PID 4744 wrote to memory of 2332	4744	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	89
PID 4744 wrote to memory of 2332	4744	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	89
PID 4744 wrote to memory of 2332	4744	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	89
PID 4744 wrote to memory of 2332	4744	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	89
PID 4744 wrote to memory of 2332	4744	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	89
PID 4744 wrote to memory of 2332	4744	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	89
PID 4744 wrote to memory of 2332	4744	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	89
PID 4744 wrote to memory of 2332	4744	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	89
PID 4744 wrote to memory of 2332	4744	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	89
PID 4744 wrote to memory of 2332	4744	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	89
PID 4744 wrote to memory of 2332	4744	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	89
PID 4744 wrote to memory of 2332	4744	b8013e0312054d2635ef24902a328285_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\b8013e0312054d2635ef24902a328285_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b8013e0312054d2635ef24902a328285_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a60gim3b.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA48D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5821766A434D4C4CBC9EF0BC7FD7D179.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4604
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3372
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:4556
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA48D.tmp

Filesize
1KB

MD5
2204cfed6c0ed5e58b545d56b13afef6

SHA1
9c3ae02356a5796f15b406974c54ebacdbfe35ef

SHA256
909c8f9a4ef31aa6027bf8d493df464df3eae72df8ce9941840de778e4a30e61

SHA512
2c3f5dd0f18b6867542ad94ef3e41157ebf331c2e21118645b0be65c1b135976b07688e8af9219bce875e75514ef85769ab1e01392b528dc627c57a0ac921ad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a60gim3b.0.vb

Filesize
256B

MD5
9f362c5084b0126d5460310d3353d13e

SHA1
8617abc0a8c22a109b52e2e3c85b4400ed04b40e

SHA256
83ef5a38a9ddf6fcb030ef4f4f63c0e989a49c83691f18b07f851bf35544f2d0

SHA512
9f701a8cec9297f50533ee6cf72851f2400bc777013b663cacea1b531801446d08ffc9a3f5d120b7e81a0f363c7421b9c2103e26be6606f7fe29de3107c4cbbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\a60gim3b.cmdline

Filesize
317B

MD5
bf7357d6fa0962f6367802f6a6698734

SHA1
a2b11b9f08232b80e3abf491af7376b16009533a

SHA256
a531457536a867865c71dacd499ab6279db5d7bdc76deef769229b511628a51c

SHA512
e1b8b6af8a484356bfd809e9fc8eac1161544e724aa252da214fbe7613b033c3e76742a0b35bb018df105777e9fe92235d9ea244b46f8b208181a721f1ed1b25

Download Submit
C:\Users\Admin\AppData\Local\Temp\a60gim3b.dll

Filesize
6KB

MD5
e7d20ead229c86ac04757aaa3b4f4328

SHA1
f80752b607cea2e4b4c03b344e9b84c01dbc1bdc

SHA256
21481d3d63abae40c040dd2009a41c4111d83602ce5ed7637634b85defac7fd7

SHA512
bd4c649e544a71727dc1df90272f870bed4711f52851b194bc7125695bfbbc038657109888f912623ec2d883c6ffbf7d81a9c1394f7276961c68171ef5514a60

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5821766A434D4C4CBC9EF0BC7FD7D179.TMP

Filesize
652B

MD5
903f2ab554506b848b660eb8548cc990

SHA1
d26d51f50f8b070d68511b442a6afcd795ffd415

SHA256
395a765a88d90c05cda2f2a2f7c645bc9a77efb9eea45b8bb72105ffe6da4072

SHA512
97982ac690a4d87aa35f7a9cf822869d4f2fb6d42bfb3c7c50d92f098d206b47347366fd5ea51a2f03c25cb3d759e71b19e51176e233c20c74a0cd953cd5060b

Download Submit
C:\Users\Admin\AppData\Roaming\ahekoha.exe:ZONE.identifier

Filesize
27B

MD5
130a75a932a2fe57bfea6a65b88da8f6

SHA1
b66d7530d150d45c0a390bb3c2cd4ca4fc404d1c

SHA256
f2b79cae559d6772afc1c2ed9468988178f8b6833d5028a15dea73ce47d0196e

SHA512
6cd147c6f3af95803b7b0898e97ec2ed374c1f56a487b50e3d22003a67cec26a6fa12a3920b1b5624bde156f9601469ae3c7b7354fa8cf37be76c84121767eed

Download Submit
C:\Users\Admin\AppData\Roaming\fp.txt

Filesize
107B

MD5
1caa65cbb28efa50a25b8137e9cbe039

SHA1
9af5de33f1db66ea59dc6f58f549e359e6fd2d6a

SHA256
e4635fdf45ba10bfa7ae893302d9078f27654dba5d6e863dc851dd65b50a4222

SHA512
c6becb524c88de5e90907986091db546e6478832efacf2883efd0e606ebcd1ea11ade2246d488f2b8814fd282c5686f03e9fa05af308d1d8bd1f66a2d995e42c

Download Submit
memory/2332-35-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2332-40-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2332-54-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2332-53-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2332-52-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2332-51-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2332-50-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2332-49-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2332-31-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2332-32-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2332-34-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2332-48-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2332-47-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2332-38-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2332-39-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2332-46-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2332-41-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2332-42-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2332-43-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2332-44-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2332-45-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2848-16-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/2848-8-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/3372-30-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3372-22-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3372-20-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4744-37-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/4744-0-0x0000000074812000-0x0000000074813000-memory.dmp

Filesize
4KB

Download
memory/4744-1-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/4744-2-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads