darkcomet | b9ae6f9216c4a3a29130842be44f603a695c39b4c77a7c32340db7dd27609a39

Analysis

max time kernel
133s
max time network
143s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
04-12-2024 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3ac625a033e0474462ad1d9c1c34cd3_JaffaCakes118.exe
Size

902KB
MD5

c3ac625a033e0474462ad1d9c1c34cd3
SHA1

aadc6cd38305233a690e8e5498b66d9684fa6371
SHA256

b9ae6f9216c4a3a29130842be44f603a695c39b4c77a7c32340db7dd27609a39
SHA512

da46e11e3cd1ab780a10ac7497a7f0375ff8714eecb7d28c39b18826ea29e4765cd3a0dfb713e0766daf9a2618d215522b1dfcd1a62a6d2b632c94f312013a84
SSDEEP

12288:cRU5FD7S4NmkTSZ7GPFV/jtaFnAFvlXMHWPR1KfoRcnF4Wx9q6+/3XP9QFW:LuyUsxj0ni5R8vuWxtgmU

Score

10^/10

darkcomet discovery persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Desktop\\Game.exe"	Crypted.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Crypted.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe

Executes dropped EXE 1 IoCs

pid	Process
2492	Crypted.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Game = "C:\\Users\\Admin\\Desktop\\Game.exe"	Crypted.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Game = "C:\\Users\\Admin\\Desktop\\Game.exe"	notepad.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2492 set thread context of 2900	2492	Crypted.exe	32

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000016c53-9.dat	upx
behavioral1/memory/2492-10-0x0000000013140000-0x000000001322D000-memory.dmp	upx
behavioral1/memory/2900-47-0x0000000013140000-0x000000001322D000-memory.dmp	upx
behavioral1/memory/2900-54-0x0000000013140000-0x000000001322D000-memory.dmp	upx
behavioral1/memory/2492-50-0x0000000013140000-0x000000001322D000-memory.dmp	upx
behavioral1/memory/2900-48-0x0000000013140000-0x000000001322D000-memory.dmp	upx
behavioral1/memory/2900-55-0x0000000013140000-0x000000001322D000-memory.dmp	upx
behavioral1/memory/2900-56-0x0000000013140000-0x000000001322D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Crypted.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Crypted.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Crypted.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Crypted.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	Crypted.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	explorer.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Crypted.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2492	Crypted.exe
Token: SeSecurityPrivilege	2492	Crypted.exe
Token: SeTakeOwnershipPrivilege	2492	Crypted.exe
Token: SeLoadDriverPrivilege	2492	Crypted.exe
Token: SeSystemProfilePrivilege	2492	Crypted.exe
Token: SeSystemtimePrivilege	2492	Crypted.exe
Token: SeProfSingleProcessPrivilege	2492	Crypted.exe
Token: SeIncBasePriorityPrivilege	2492	Crypted.exe
Token: SeCreatePagefilePrivilege	2492	Crypted.exe
Token: SeBackupPrivilege	2492	Crypted.exe
Token: SeRestorePrivilege	2492	Crypted.exe
Token: SeShutdownPrivilege	2492	Crypted.exe
Token: SeDebugPrivilege	2492	Crypted.exe
Token: SeSystemEnvironmentPrivilege	2492	Crypted.exe
Token: SeChangeNotifyPrivilege	2492	Crypted.exe
Token: SeRemoteShutdownPrivilege	2492	Crypted.exe
Token: SeUndockPrivilege	2492	Crypted.exe
Token: SeManageVolumePrivilege	2492	Crypted.exe
Token: SeImpersonatePrivilege	2492	Crypted.exe
Token: SeCreateGlobalPrivilege	2492	Crypted.exe
Token: 33	2492	Crypted.exe
Token: 34	2492	Crypted.exe
Token: 35	2492	Crypted.exe
Token: SeIncreaseQuotaPrivilege	2900	explorer.exe
Token: SeSecurityPrivilege	2900	explorer.exe
Token: SeTakeOwnershipPrivilege	2900	explorer.exe
Token: SeLoadDriverPrivilege	2900	explorer.exe
Token: SeSystemProfilePrivilege	2900	explorer.exe
Token: SeSystemtimePrivilege	2900	explorer.exe
Token: SeProfSingleProcessPrivilege	2900	explorer.exe
Token: SeIncBasePriorityPrivilege	2900	explorer.exe
Token: SeCreatePagefilePrivilege	2900	explorer.exe
Token: SeBackupPrivilege	2900	explorer.exe
Token: SeRestorePrivilege	2900	explorer.exe
Token: SeShutdownPrivilege	2900	explorer.exe
Token: SeDebugPrivilege	2900	explorer.exe
Token: SeSystemEnvironmentPrivilege	2900	explorer.exe
Token: SeChangeNotifyPrivilege	2900	explorer.exe
Token: SeRemoteShutdownPrivilege	2900	explorer.exe
Token: SeUndockPrivilege	2900	explorer.exe
Token: SeManageVolumePrivilege	2900	explorer.exe
Token: SeImpersonatePrivilege	2900	explorer.exe
Token: SeCreateGlobalPrivilege	2900	explorer.exe
Token: 33	2900	explorer.exe
Token: 34	2900	explorer.exe
Token: 35	2900	explorer.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2920 wrote to memory of 2492	2920	c3ac625a033e0474462ad1d9c1c34cd3_JaffaCakes118.exe	30
PID 2920 wrote to memory of 2492	2920	c3ac625a033e0474462ad1d9c1c34cd3_JaffaCakes118.exe	30
PID 2920 wrote to memory of 2492	2920	c3ac625a033e0474462ad1d9c1c34cd3_JaffaCakes118.exe	30
PID 2920 wrote to memory of 2492	2920	c3ac625a033e0474462ad1d9c1c34cd3_JaffaCakes118.exe	30
PID 2492 wrote to memory of 2516	2492	Crypted.exe	31
PID 2492 wrote to memory of 2516	2492	Crypted.exe	31
PID 2492 wrote to memory of 2516	2492	Crypted.exe	31
PID 2492 wrote to memory of 2516	2492	Crypted.exe	31
PID 2492 wrote to memory of 2516	2492	Crypted.exe	31
PID 2492 wrote to memory of 2516	2492	Crypted.exe	31
PID 2492 wrote to memory of 2516	2492	Crypted.exe	31
PID 2492 wrote to memory of 2516	2492	Crypted.exe	31
PID 2492 wrote to memory of 2516	2492	Crypted.exe	31
PID 2492 wrote to memory of 2516	2492	Crypted.exe	31
PID 2492 wrote to memory of 2516	2492	Crypted.exe	31
PID 2492 wrote to memory of 2516	2492	Crypted.exe	31
PID 2492 wrote to memory of 2516	2492	Crypted.exe	31
PID 2492 wrote to memory of 2516	2492	Crypted.exe	31
PID 2492 wrote to memory of 2516	2492	Crypted.exe	31
PID 2492 wrote to memory of 2516	2492	Crypted.exe	31
PID 2492 wrote to memory of 2516	2492	Crypted.exe	31
PID 2492 wrote to memory of 2516	2492	Crypted.exe	31
PID 2492 wrote to memory of 2516	2492	Crypted.exe	31
PID 2492 wrote to memory of 2516	2492	Crypted.exe	31
PID 2492 wrote to memory of 2516	2492	Crypted.exe	31
PID 2492 wrote to memory of 2516	2492	Crypted.exe	31
PID 2492 wrote to memory of 2516	2492	Crypted.exe	31
PID 2492 wrote to memory of 2516	2492	Crypted.exe	31
PID 2492 wrote to memory of 2900	2492	Crypted.exe	32
PID 2492 wrote to memory of 2900	2492	Crypted.exe	32
PID 2492 wrote to memory of 2900	2492	Crypted.exe	32
PID 2492 wrote to memory of 2900	2492	Crypted.exe	32
PID 2492 wrote to memory of 2900	2492	Crypted.exe	32
PID 2492 wrote to memory of 2900	2492	Crypted.exe	32

C:\Users\Admin\AppData\Local\Temp\c3ac625a033e0474462ad1d9c1c34cd3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c3ac625a033e0474462ad1d9c1c34cd3_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Users\Admin\AppData\Local\Temp\Crypted.exe
  "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2516
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\SysWOW64\explorer.exe"
    3⤵
    - Checks BIOS information in registry
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Crypted.exe

Filesize
340KB

MD5
cdf6631ff366b3213e236a40fde563d4

SHA1
0aa2cfe8558be89bc929fc1c2ef71c1b84b7c5b0

SHA256
4333fae17564beb216559d9cb03ea40bfd835ef0d6a23cc9fe4253990b712701

SHA512
3ce39e508c7f3958818bcbcc4e3e9d255003e03ed3602e4d93902517a94d8f044cf97edba4e54d915d386878733146451ed9424c572439e0415f11b29f906682

Download Submit
memory/2492-12-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/2492-50-0x0000000013140000-0x000000001322D000-memory.dmp

Filesize
948KB

Download
memory/2492-10-0x0000000013140000-0x000000001322D000-memory.dmp

Filesize
948KB

Download
memory/2516-15-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2516-42-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2900-46-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2900-47-0x0000000013140000-0x000000001322D000-memory.dmp

Filesize
948KB

Download
memory/2900-54-0x0000000013140000-0x000000001322D000-memory.dmp

Filesize
948KB

Download
memory/2900-48-0x0000000013140000-0x000000001322D000-memory.dmp

Filesize
948KB

Download
memory/2900-44-0x0000000013140000-0x000000001322D000-memory.dmp

Filesize
948KB

Download
memory/2900-55-0x0000000013140000-0x000000001322D000-memory.dmp

Filesize
948KB

Download
memory/2900-56-0x0000000013140000-0x000000001322D000-memory.dmp

Filesize
948KB

Download
memory/2920-11-0x000007FEF5760000-0x000007FEF60FD000-memory.dmp

Filesize
9.6MB

Download
memory/2920-2-0x000007FEF5760000-0x000007FEF60FD000-memory.dmp

Filesize
9.6MB

Download
memory/2920-0-0x000007FEF5A1E000-0x000007FEF5A1F000-memory.dmp

Filesize
4KB

Download
memory/2920-1-0x000007FEF5760000-0x000007FEF60FD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads