darkcomet | b9ae6f9216c4a3a29130842be44f603a695c39b4c77a7c32340db7dd27609a39

Analysis

max time kernel
132s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2024 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3ac625a033e0474462ad1d9c1c34cd3_JaffaCakes118.exe
Size

902KB
MD5

c3ac625a033e0474462ad1d9c1c34cd3
SHA1

aadc6cd38305233a690e8e5498b66d9684fa6371
SHA256

b9ae6f9216c4a3a29130842be44f603a695c39b4c77a7c32340db7dd27609a39
SHA512

da46e11e3cd1ab780a10ac7497a7f0375ff8714eecb7d28c39b18826ea29e4765cd3a0dfb713e0766daf9a2618d215522b1dfcd1a62a6d2b632c94f312013a84
SSDEEP

12288:cRU5FD7S4NmkTSZ7GPFV/jtaFnAFvlXMHWPR1KfoRcnF4Wx9q6+/3XP9QFW:LuyUsxj0ni5R8vuWxtgmU

Score

10^/10

darkcomet discovery persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Desktop\\Game.exe"	Crypted.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Crypted.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	c3ac625a033e0474462ad1d9c1c34cd3_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1020	Crypted.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Game = "C:\\Users\\Admin\\Desktop\\Game.exe"	Crypted.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Game = "C:\\Users\\Admin\\Desktop\\Game.exe"	notepad.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1020 set thread context of 2724	1020	Crypted.exe	85

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023c97-13.dat	upx
behavioral2/memory/1020-16-0x0000000013140000-0x000000001322D000-memory.dmp	upx
behavioral2/memory/2724-27-0x0000000013140000-0x000000001322D000-memory.dmp	upx
behavioral2/memory/2724-29-0x0000000013140000-0x000000001322D000-memory.dmp	upx
behavioral2/memory/1020-31-0x0000000013140000-0x000000001322D000-memory.dmp	upx
behavioral2/memory/2724-32-0x0000000013140000-0x000000001322D000-memory.dmp	upx
behavioral2/memory/2724-35-0x0000000013140000-0x000000001322D000-memory.dmp	upx
behavioral2/memory/2724-34-0x0000000013140000-0x000000001322D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Crypted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	Crypted.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Crypted.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Crypted.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Crypted.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Crypted.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1020	Crypted.exe
Token: SeSecurityPrivilege	1020	Crypted.exe
Token: SeTakeOwnershipPrivilege	1020	Crypted.exe
Token: SeLoadDriverPrivilege	1020	Crypted.exe
Token: SeSystemProfilePrivilege	1020	Crypted.exe
Token: SeSystemtimePrivilege	1020	Crypted.exe
Token: SeProfSingleProcessPrivilege	1020	Crypted.exe
Token: SeIncBasePriorityPrivilege	1020	Crypted.exe
Token: SeCreatePagefilePrivilege	1020	Crypted.exe
Token: SeBackupPrivilege	1020	Crypted.exe
Token: SeRestorePrivilege	1020	Crypted.exe
Token: SeShutdownPrivilege	1020	Crypted.exe
Token: SeDebugPrivilege	1020	Crypted.exe
Token: SeSystemEnvironmentPrivilege	1020	Crypted.exe
Token: SeChangeNotifyPrivilege	1020	Crypted.exe
Token: SeRemoteShutdownPrivilege	1020	Crypted.exe
Token: SeUndockPrivilege	1020	Crypted.exe
Token: SeManageVolumePrivilege	1020	Crypted.exe
Token: SeImpersonatePrivilege	1020	Crypted.exe
Token: SeCreateGlobalPrivilege	1020	Crypted.exe
Token: 33	1020	Crypted.exe
Token: 34	1020	Crypted.exe
Token: 35	1020	Crypted.exe
Token: 36	1020	Crypted.exe
Token: SeIncreaseQuotaPrivilege	2724	explorer.exe
Token: SeSecurityPrivilege	2724	explorer.exe
Token: SeTakeOwnershipPrivilege	2724	explorer.exe
Token: SeLoadDriverPrivilege	2724	explorer.exe
Token: SeSystemProfilePrivilege	2724	explorer.exe
Token: SeSystemtimePrivilege	2724	explorer.exe
Token: SeProfSingleProcessPrivilege	2724	explorer.exe
Token: SeIncBasePriorityPrivilege	2724	explorer.exe
Token: SeCreatePagefilePrivilege	2724	explorer.exe
Token: SeBackupPrivilege	2724	explorer.exe
Token: SeRestorePrivilege	2724	explorer.exe
Token: SeShutdownPrivilege	2724	explorer.exe
Token: SeDebugPrivilege	2724	explorer.exe
Token: SeSystemEnvironmentPrivilege	2724	explorer.exe
Token: SeChangeNotifyPrivilege	2724	explorer.exe
Token: SeRemoteShutdownPrivilege	2724	explorer.exe
Token: SeUndockPrivilege	2724	explorer.exe
Token: SeManageVolumePrivilege	2724	explorer.exe
Token: SeImpersonatePrivilege	2724	explorer.exe
Token: SeCreateGlobalPrivilege	2724	explorer.exe
Token: 33	2724	explorer.exe
Token: 34	2724	explorer.exe
Token: 35	2724	explorer.exe
Token: 36	2724	explorer.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 1020	4900	c3ac625a033e0474462ad1d9c1c34cd3_JaffaCakes118.exe	83
PID 4900 wrote to memory of 1020	4900	c3ac625a033e0474462ad1d9c1c34cd3_JaffaCakes118.exe	83
PID 4900 wrote to memory of 1020	4900	c3ac625a033e0474462ad1d9c1c34cd3_JaffaCakes118.exe	83
PID 1020 wrote to memory of 4788	1020	Crypted.exe	84
PID 1020 wrote to memory of 4788	1020	Crypted.exe	84
PID 1020 wrote to memory of 4788	1020	Crypted.exe	84
PID 1020 wrote to memory of 4788	1020	Crypted.exe	84
PID 1020 wrote to memory of 4788	1020	Crypted.exe	84
PID 1020 wrote to memory of 4788	1020	Crypted.exe	84
PID 1020 wrote to memory of 4788	1020	Crypted.exe	84
PID 1020 wrote to memory of 4788	1020	Crypted.exe	84
PID 1020 wrote to memory of 4788	1020	Crypted.exe	84
PID 1020 wrote to memory of 4788	1020	Crypted.exe	84
PID 1020 wrote to memory of 4788	1020	Crypted.exe	84
PID 1020 wrote to memory of 4788	1020	Crypted.exe	84
PID 1020 wrote to memory of 4788	1020	Crypted.exe	84
PID 1020 wrote to memory of 4788	1020	Crypted.exe	84
PID 1020 wrote to memory of 4788	1020	Crypted.exe	84
PID 1020 wrote to memory of 4788	1020	Crypted.exe	84
PID 1020 wrote to memory of 4788	1020	Crypted.exe	84
PID 1020 wrote to memory of 4788	1020	Crypted.exe	84
PID 1020 wrote to memory of 4788	1020	Crypted.exe	84
PID 1020 wrote to memory of 4788	1020	Crypted.exe	84
PID 1020 wrote to memory of 4788	1020	Crypted.exe	84
PID 1020 wrote to memory of 4788	1020	Crypted.exe	84
PID 1020 wrote to memory of 4788	1020	Crypted.exe	84
PID 1020 wrote to memory of 2724	1020	Crypted.exe	85
PID 1020 wrote to memory of 2724	1020	Crypted.exe	85
PID 1020 wrote to memory of 2724	1020	Crypted.exe	85
PID 1020 wrote to memory of 2724	1020	Crypted.exe	85
PID 1020 wrote to memory of 2724	1020	Crypted.exe	85

C:\Users\Admin\AppData\Local\Temp\c3ac625a033e0474462ad1d9c1c34cd3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c3ac625a033e0474462ad1d9c1c34cd3_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Users\Admin\AppData\Local\Temp\Crypted.exe
  "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1020
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:4788
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\SysWOW64\explorer.exe"
    3⤵
    - Checks BIOS information in registry
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Crypted.exe

Filesize
340KB

MD5
cdf6631ff366b3213e236a40fde563d4

SHA1
0aa2cfe8558be89bc929fc1c2ef71c1b84b7c5b0

SHA256
4333fae17564beb216559d9cb03ea40bfd835ef0d6a23cc9fe4253990b712701

SHA512
3ce39e508c7f3958818bcbcc4e3e9d255003e03ed3602e4d93902517a94d8f044cf97edba4e54d915d386878733146451ed9424c572439e0415f11b29f906682

Download Submit
memory/1020-31-0x0000000013140000-0x000000001322D000-memory.dmp

Filesize
948KB

Download
memory/1020-20-0x00000000027D0000-0x00000000027D1000-memory.dmp

Filesize
4KB

Download
memory/1020-16-0x0000000013140000-0x000000001322D000-memory.dmp

Filesize
948KB

Download
memory/2724-29-0x0000000013140000-0x000000001322D000-memory.dmp

Filesize
948KB

Download
memory/2724-27-0x0000000013140000-0x000000001322D000-memory.dmp

Filesize
948KB

Download
memory/2724-34-0x0000000013140000-0x000000001322D000-memory.dmp

Filesize
948KB

Download
memory/2724-35-0x0000000013140000-0x000000001322D000-memory.dmp

Filesize
948KB

Download
memory/2724-32-0x0000000013140000-0x000000001322D000-memory.dmp

Filesize
948KB

Download
memory/2724-33-0x0000000000430000-0x0000000000863000-memory.dmp

Filesize
4.2MB

Download
memory/4788-22-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/4900-19-0x00007FFDD3620000-0x00007FFDD3FC1000-memory.dmp

Filesize
9.6MB

Download
memory/4900-3-0x000000001B950000-0x000000001BE1E000-memory.dmp

Filesize
4.8MB

Download
memory/4900-5-0x0000000000E20000-0x0000000000E28000-memory.dmp

Filesize
32KB

Download
memory/4900-2-0x00007FFDD3620000-0x00007FFDD3FC1000-memory.dmp

Filesize
9.6MB

Download
memory/4900-0-0x00007FFDD38D5000-0x00007FFDD38D6000-memory.dmp

Filesize
4KB

Download
memory/4900-1-0x000000001B3D0000-0x000000001B476000-memory.dmp

Filesize
664KB

Download
memory/4900-4-0x000000001BF70000-0x000000001C00C000-memory.dmp

Filesize
624KB

Download
memory/4900-8-0x00007FFDD3620000-0x00007FFDD3FC1000-memory.dmp

Filesize
9.6MB

Download
memory/4900-7-0x00007FFDD3620000-0x00007FFDD3FC1000-memory.dmp

Filesize
9.6MB

Download
memory/4900-6-0x000000001C0D0000-0x000000001C11C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads