darkcomet | c8503de87f8200c86863915acd9ce8b1d662c19cab9243df755f098107c71529

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2024 11:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c250268be8a7f03b4094d06b421435eb_JaffaCakes118.exe
Size

951KB
MD5

c250268be8a7f03b4094d06b421435eb
SHA1

dabb2ed63fabd5df5afd4b75ef66489973ecabf6
SHA256

c8503de87f8200c86863915acd9ce8b1d662c19cab9243df755f098107c71529
SHA512

2cb6cbceb048709cdb318ab5524c079268582a8de70f9baa2199e4101f90e9af8185b8f51e4e9a9b24fc442264a3d584fa4866ca76c4daff0277aa4b878851a1
SSDEEP

12288:JvVE3IIIKuvj3+JqFiISjk7o0RjCwzCQy:JPnvj3+Jqe9N

Score

10^/10

darkcomet server discovery rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Server

216.38.8.186 :107

Mutex

DC_MUTEX-H94LEA3

Attributes

gencode
5vBqJWEKBjsA
install
false
offline_keylogger
true
password
123456
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	c250268be8a7f03b4094d06b421435eb_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
3188	ConfF.exe
692	cvtres.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	c250268be8a7f03b4094d06b421435eb_JaffaCakes118.exe
File created	C:\Windows\assembly\Desktop.ini	c250268be8a7f03b4094d06b421435eb_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3188 set thread context of 692	3188	ConfF.exe	103

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	c250268be8a7f03b4094d06b421435eb_JaffaCakes118.exe
File created	C:\Windows\assembly\Desktop.ini	c250268be8a7f03b4094d06b421435eb_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	c250268be8a7f03b4094d06b421435eb_JaffaCakes118.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	dw20.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c250268be8a7f03b4094d06b421435eb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ConfF.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
692	cvtres.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeRestorePrivilege	1952	dw20.exe
Token: SeBackupPrivilege	1952	dw20.exe
Token: SeBackupPrivilege	1952	dw20.exe
Token: SeBackupPrivilege	1952	dw20.exe
Token: SeBackupPrivilege	1952	dw20.exe
Token: SeIncreaseQuotaPrivilege	692	cvtres.exe
Token: SeSecurityPrivilege	692	cvtres.exe
Token: SeTakeOwnershipPrivilege	692	cvtres.exe
Token: SeLoadDriverPrivilege	692	cvtres.exe
Token: SeSystemProfilePrivilege	692	cvtres.exe
Token: SeSystemtimePrivilege	692	cvtres.exe
Token: SeProfSingleProcessPrivilege	692	cvtres.exe
Token: SeIncBasePriorityPrivilege	692	cvtres.exe
Token: SeCreatePagefilePrivilege	692	cvtres.exe
Token: SeBackupPrivilege	692	cvtres.exe
Token: SeRestorePrivilege	692	cvtres.exe
Token: SeShutdownPrivilege	692	cvtres.exe
Token: SeDebugPrivilege	692	cvtres.exe
Token: SeSystemEnvironmentPrivilege	692	cvtres.exe
Token: SeChangeNotifyPrivilege	692	cvtres.exe
Token: SeRemoteShutdownPrivilege	692	cvtres.exe
Token: SeUndockPrivilege	692	cvtres.exe
Token: SeManageVolumePrivilege	692	cvtres.exe
Token: SeImpersonatePrivilege	692	cvtres.exe
Token: SeCreateGlobalPrivilege	692	cvtres.exe
Token: 33	692	cvtres.exe
Token: 34	692	cvtres.exe
Token: 35	692	cvtres.exe
Token: 36	692	cvtres.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
692	cvtres.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 3188	2228	c250268be8a7f03b4094d06b421435eb_JaffaCakes118.exe	98
PID 2228 wrote to memory of 3188	2228	c250268be8a7f03b4094d06b421435eb_JaffaCakes118.exe	98
PID 2228 wrote to memory of 3188	2228	c250268be8a7f03b4094d06b421435eb_JaffaCakes118.exe	98
PID 3188 wrote to memory of 1952	3188	ConfF.exe	102
PID 3188 wrote to memory of 1952	3188	ConfF.exe	102
PID 3188 wrote to memory of 1952	3188	ConfF.exe	102
PID 3188 wrote to memory of 692	3188	ConfF.exe	103
PID 3188 wrote to memory of 692	3188	ConfF.exe	103
PID 3188 wrote to memory of 692	3188	ConfF.exe	103
PID 3188 wrote to memory of 692	3188	ConfF.exe	103
PID 3188 wrote to memory of 692	3188	ConfF.exe	103
PID 3188 wrote to memory of 692	3188	ConfF.exe	103
PID 3188 wrote to memory of 692	3188	ConfF.exe	103
PID 3188 wrote to memory of 692	3188	ConfF.exe	103
PID 3188 wrote to memory of 692	3188	ConfF.exe	103
PID 3188 wrote to memory of 692	3188	ConfF.exe	103
PID 3188 wrote to memory of 692	3188	ConfF.exe	103
PID 3188 wrote to memory of 692	3188	ConfF.exe	103
PID 3188 wrote to memory of 692	3188	ConfF.exe	103
PID 3188 wrote to memory of 692	3188	ConfF.exe	103
PID 692 wrote to memory of 4208	692	cvtres.exe	104
PID 692 wrote to memory of 4208	692	cvtres.exe	104
PID 692 wrote to memory of 4208	692	cvtres.exe	104
PID 692 wrote to memory of 4208	692	cvtres.exe	104
PID 692 wrote to memory of 4208	692	cvtres.exe	104
PID 692 wrote to memory of 4208	692	cvtres.exe	104
PID 692 wrote to memory of 4208	692	cvtres.exe	104
PID 692 wrote to memory of 4208	692	cvtres.exe	104
PID 692 wrote to memory of 4208	692	cvtres.exe	104
PID 692 wrote to memory of 4208	692	cvtres.exe	104
PID 692 wrote to memory of 4208	692	cvtres.exe	104
PID 692 wrote to memory of 4208	692	cvtres.exe	104
PID 692 wrote to memory of 4208	692	cvtres.exe	104
PID 692 wrote to memory of 4208	692	cvtres.exe	104
PID 692 wrote to memory of 4208	692	cvtres.exe	104
PID 692 wrote to memory of 4208	692	cvtres.exe	104
PID 692 wrote to memory of 4208	692	cvtres.exe	104
PID 692 wrote to memory of 4208	692	cvtres.exe	104
PID 692 wrote to memory of 4208	692	cvtres.exe	104
PID 692 wrote to memory of 4208	692	cvtres.exe	104
PID 692 wrote to memory of 4208	692	cvtres.exe	104
PID 692 wrote to memory of 4208	692	cvtres.exe	104

C:\Users\Admin\AppData\Local\Temp\c250268be8a7f03b4094d06b421435eb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c250268be8a7f03b4094d06b421435eb_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Users\Admin\AppData\ConfF.exe
  "C:\Users\Admin\AppData\ConfF.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3188
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 940
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:1952
- - C:\Users\Admin\AppData\Local\Temp\cvtres.exe
    C:\Users\Admin\AppData\Local\Temp\\cvtres.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:692
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      System Location Discovery: System Language Discovery
      PID:4208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\ConfF.exe

Filesize
512KB

MD5
f941adeec0a064627c21f11aac6804de

SHA1
32c7d8ffe19ebf6ab2113440739ea45193916af3

SHA256
6410ab9913464033815005c74c8814a3239b02dc639bef554ab843ddd35582b2

SHA512
cf4a987d7f4c35e59f193185614ccdb56037ae9c76035a5a8620f2f855301c65e7f954ec820becc2d6cb7fec17389b57c533c74912e8fdae2ab05c4ffc5e1919

Download Submit
C:\Users\Admin\AppData\Local\Temp\cvtres.exe

Filesize
34KB

MD5
e118330b4629b12368d91b9df6488be0

SHA1
ce90218c7e3b90df2a3409ec253048bb6472c2fd

SHA256
3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

SHA512
ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

Download Submit
memory/692-43-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/692-47-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/692-45-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/692-49-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/692-31-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/692-37-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/692-36-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/692-32-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/692-28-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/692-51-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/692-25-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/692-30-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2228-19-0x0000000075220000-0x00000000757D1000-memory.dmp

Filesize
5.7MB

Download
memory/2228-0-0x0000000075222000-0x0000000075223000-memory.dmp

Filesize
4KB

Download
memory/2228-6-0x0000000075220000-0x00000000757D1000-memory.dmp

Filesize
5.7MB

Download
memory/2228-5-0x0000000075222000-0x0000000075223000-memory.dmp

Filesize
4KB

Download
memory/2228-2-0x0000000075220000-0x00000000757D1000-memory.dmp

Filesize
5.7MB

Download
memory/2228-1-0x0000000075220000-0x00000000757D1000-memory.dmp

Filesize
5.7MB

Download
memory/3188-22-0x0000000075220000-0x00000000757D1000-memory.dmp

Filesize
5.7MB

Download
memory/3188-20-0x0000000075220000-0x00000000757D1000-memory.dmp

Filesize
5.7MB

Download
memory/3188-21-0x0000000075220000-0x00000000757D1000-memory.dmp

Filesize
5.7MB

Download
memory/3188-42-0x0000000075220000-0x00000000757D1000-memory.dmp

Filesize
5.7MB

Download
memory/4208-35-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads