darkcomet | 70b3769b7fde9e790cf054af2bac07c84a9659dd49a8bc4e4378bdc30ddd5bd2

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
03-12-2024 09:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bccda777a8abe59f3e1c1c9774b90e9f_JaffaCakes118.exe
Size

851KB
MD5

bccda777a8abe59f3e1c1c9774b90e9f
SHA1

1326bd3cf3b7d86000984ad923edfe76ee39336c
SHA256

70b3769b7fde9e790cf054af2bac07c84a9659dd49a8bc4e4378bdc30ddd5bd2
SHA512

99c0a7f1168f59030495f77336fe0fe3892d8f0b08b9ed006496938b5794ba213fc9e2b92e27009aa39d5089b5adbf29886308b990e69e95c74da0984f9311cc
SSDEEP

12288:FnSkLgPc+w5IkKnSSU5cL5TQ+YmKzRLROI9N8iSUUvIRBAzH:xuc1I/SSDlPYRLRVj/UwRizH

Score

10^/10

darkcomet legit discovery evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Legit

glasz.no-ip.org:200

Mutex

DC_MUTEX-7V8VVQ0

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
sUPjlHsZGjFy
install
true
offline_keylogger
true
persistence
true
reg_key
rundll32

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	cvtres.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
268	attrib.exe
2316	attrib.exe

Executes dropped EXE 1 IoCs

pid	Process
1332	msdcsc.exe

Loads dropped DLL 1 IoCs

pid	Process
2744	cvtres.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	cvtres.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2836 set thread context of 2744	2836	bccda777a8abe59f3e1c1c9774b90e9f_JaffaCakes118.exe	30

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bccda777a8abe59f3e1c1c9774b90e9f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2744	cvtres.exe
Token: SeSecurityPrivilege	2744	cvtres.exe
Token: SeTakeOwnershipPrivilege	2744	cvtres.exe
Token: SeLoadDriverPrivilege	2744	cvtres.exe
Token: SeSystemProfilePrivilege	2744	cvtres.exe
Token: SeSystemtimePrivilege	2744	cvtres.exe
Token: SeProfSingleProcessPrivilege	2744	cvtres.exe
Token: SeIncBasePriorityPrivilege	2744	cvtres.exe
Token: SeCreatePagefilePrivilege	2744	cvtres.exe
Token: SeBackupPrivilege	2744	cvtres.exe
Token: SeRestorePrivilege	2744	cvtres.exe
Token: SeShutdownPrivilege	2744	cvtres.exe
Token: SeDebugPrivilege	2744	cvtres.exe
Token: SeSystemEnvironmentPrivilege	2744	cvtres.exe
Token: SeChangeNotifyPrivilege	2744	cvtres.exe
Token: SeRemoteShutdownPrivilege	2744	cvtres.exe
Token: SeUndockPrivilege	2744	cvtres.exe
Token: SeManageVolumePrivilege	2744	cvtres.exe
Token: SeImpersonatePrivilege	2744	cvtres.exe
Token: SeCreateGlobalPrivilege	2744	cvtres.exe
Token: 33	2744	cvtres.exe
Token: 34	2744	cvtres.exe
Token: 35	2744	cvtres.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1720	DllHost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1720	DllHost.exe
1720	DllHost.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 2744	2836	bccda777a8abe59f3e1c1c9774b90e9f_JaffaCakes118.exe	30
PID 2836 wrote to memory of 2744	2836	bccda777a8abe59f3e1c1c9774b90e9f_JaffaCakes118.exe	30
PID 2836 wrote to memory of 2744	2836	bccda777a8abe59f3e1c1c9774b90e9f_JaffaCakes118.exe	30
PID 2836 wrote to memory of 2744	2836	bccda777a8abe59f3e1c1c9774b90e9f_JaffaCakes118.exe	30
PID 2836 wrote to memory of 2744	2836	bccda777a8abe59f3e1c1c9774b90e9f_JaffaCakes118.exe	30
PID 2836 wrote to memory of 2744	2836	bccda777a8abe59f3e1c1c9774b90e9f_JaffaCakes118.exe	30
PID 2836 wrote to memory of 2744	2836	bccda777a8abe59f3e1c1c9774b90e9f_JaffaCakes118.exe	30
PID 2836 wrote to memory of 2744	2836	bccda777a8abe59f3e1c1c9774b90e9f_JaffaCakes118.exe	30
PID 2836 wrote to memory of 2744	2836	bccda777a8abe59f3e1c1c9774b90e9f_JaffaCakes118.exe	30
PID 2836 wrote to memory of 2744	2836	bccda777a8abe59f3e1c1c9774b90e9f_JaffaCakes118.exe	30
PID 2836 wrote to memory of 2744	2836	bccda777a8abe59f3e1c1c9774b90e9f_JaffaCakes118.exe	30
PID 2836 wrote to memory of 2744	2836	bccda777a8abe59f3e1c1c9774b90e9f_JaffaCakes118.exe	30
PID 2836 wrote to memory of 2744	2836	bccda777a8abe59f3e1c1c9774b90e9f_JaffaCakes118.exe	30
PID 2836 wrote to memory of 2624	2836	bccda777a8abe59f3e1c1c9774b90e9f_JaffaCakes118.exe	31
PID 2836 wrote to memory of 2624	2836	bccda777a8abe59f3e1c1c9774b90e9f_JaffaCakes118.exe	31
PID 2836 wrote to memory of 2624	2836	bccda777a8abe59f3e1c1c9774b90e9f_JaffaCakes118.exe	31
PID 2836 wrote to memory of 2624	2836	bccda777a8abe59f3e1c1c9774b90e9f_JaffaCakes118.exe	31
PID 2744 wrote to memory of 2632	2744	cvtres.exe	32
PID 2744 wrote to memory of 2632	2744	cvtres.exe	32
PID 2744 wrote to memory of 2632	2744	cvtres.exe	32
PID 2744 wrote to memory of 2632	2744	cvtres.exe	32
PID 2744 wrote to memory of 532	2744	cvtres.exe	33
PID 2744 wrote to memory of 532	2744	cvtres.exe	33
PID 2744 wrote to memory of 532	2744	cvtres.exe	33
PID 2744 wrote to memory of 532	2744	cvtres.exe	33
PID 532 wrote to memory of 268	532	cmd.exe	36
PID 532 wrote to memory of 268	532	cmd.exe	36
PID 532 wrote to memory of 268	532	cmd.exe	36
PID 532 wrote to memory of 268	532	cmd.exe	36
PID 2632 wrote to memory of 2316	2632	cmd.exe	37
PID 2632 wrote to memory of 2316	2632	cmd.exe	37
PID 2632 wrote to memory of 2316	2632	cmd.exe	37
PID 2632 wrote to memory of 2316	2632	cmd.exe	37
PID 2744 wrote to memory of 1332	2744	cvtres.exe	40
PID 2744 wrote to memory of 1332	2744	cvtres.exe	40
PID 2744 wrote to memory of 1332	2744	cvtres.exe	40
PID 2744 wrote to memory of 1332	2744	cvtres.exe	40

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
268	attrib.exe
2316	attrib.exe

C:\Users\Admin\AppData\Local\Temp\bccda777a8abe59f3e1c1c9774b90e9f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bccda777a8abe59f3e1c1c9774b90e9f_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
  2⤵
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe" +s +h
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe" +s +h
      4⤵
      Sets file to hidden
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2316
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:532
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
      4⤵
      Sets file to hidden
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:268
- - C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1332
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\zUaqC.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2624

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BLUE HILLS.JPG

Filesize
27KB

MD5
6fb2a38dc107eacb41cf1656e899cf70

SHA1
4eee44b18576e84de7b163142b537d2fe6231845

SHA256
62e85a0f3a4cbc01b6d3390d63de0f7d051e1e723aeb071416a38799c50738ea

SHA512
939f4a7f03996833d54a36f608949a579a7e6c37f5a477694287158fae1403bce8b5b57603ac45f8caf683129f918093e5663703c05d44e78e9e3606a0d683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zUaqC.vbs

Filesize
408B

MD5
1dfca4a085536d0351398141ec4ad428

SHA1
8fb8cb61367c01807426c681633d77a086b6980f

SHA256
0be4987a21b264b8ff1f7b926d2204b9e4c6b85e76c311b9b2f923376207aa48

SHA512
5d52ac8355ac97f06860694e467f0b85c0a200d4bc84a50c2a808fbfcecbeda1f0b27af359ded52595ef630c3e4e2d813ce03e6327633d7316fdff8e1dc4d91a

Download Submit
\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe

Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
memory/1720-36-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/2744-11-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2744-15-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2744-21-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2744-25-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2744-22-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2744-19-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2744-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2744-28-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2744-45-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2744-35-0x00000000023D0000-0x00000000023D2000-memory.dmp

Filesize
8KB

Download
memory/2744-16-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2744-7-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2744-14-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2744-13-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2744-10-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2744-6-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2836-0-0x0000000074531000-0x0000000074532000-memory.dmp

Filesize
4KB

Download
memory/2836-3-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/2836-4-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/2836-2-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/2836-1-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/2836-29-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads