darkcomet | 2a58986678032748ea8a1179faf8b925069de84ac92f7de852547515ed8f9122

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-12-2024 18:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7c225008df3ce32c2100db88f750772_JaffaCakes118.exe
Size

251KB
MD5

e7c225008df3ce32c2100db88f750772
SHA1

479e07478d2f05f584765a78ad135e518dd76c44
SHA256

2a58986678032748ea8a1179faf8b925069de84ac92f7de852547515ed8f9122
SHA512

aa1683754279058cca005fa84ac534537696d8dbbdbb668c0713d458525ea87865b5476720bd151ea550213fea0150861a83986ef083b49292b021740371cda2
SSDEEP

6144:EYqt/vTpwbGgq7Sherr7nVHQr41qEk+i:HqtT2ag1errrV6CHk

Score

10^/10

darkcomet discovery evasion rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	tmp9599.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	tmp9599.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	tmp9599.tmp.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	explorer.exe

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	tmp9599.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	explorer.exe

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	tmp9599.tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	tmp9599.tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	explorer.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	tmp9599.tmp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	explorer.exe

Disables Task Manager via registry modification
evasion

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	tmp9599.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	e7c225008df3ce32c2100db88f750772_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4940	tmp9599.tmp.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	tmp9599.tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	tmp9599.tmp.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4940 set thread context of 4864	4940	tmp9599.tmp.exe	84

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000b000000023bab-8.dat	upx
behavioral2/memory/4940-12-0x0000000013140000-0x00000000131FB000-memory.dmp	upx
behavioral2/memory/4864-16-0x0000000013140000-0x00000000131FB000-memory.dmp	upx
behavioral2/memory/4864-18-0x0000000013140000-0x00000000131FB000-memory.dmp	upx
behavioral2/memory/4864-17-0x0000000013140000-0x00000000131FB000-memory.dmp	upx
behavioral2/memory/4864-22-0x0000000013140000-0x00000000131FB000-memory.dmp	upx
behavioral2/memory/4864-23-0x0000000013140000-0x00000000131FB000-memory.dmp	upx
behavioral2/memory/4864-21-0x0000000013140000-0x00000000131FB000-memory.dmp	upx
behavioral2/memory/4940-20-0x0000000013140000-0x00000000131FB000-memory.dmp	upx
behavioral2/memory/4864-24-0x0000000013140000-0x00000000131FB000-memory.dmp	upx
behavioral2/memory/4864-25-0x0000000013140000-0x00000000131FB000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9599.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	tmp9599.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	tmp9599.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	tmp9599.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	tmp9599.tmp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	tmp9599.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	3900	e7c225008df3ce32c2100db88f750772_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	4940	tmp9599.tmp.exe
Token: SeSecurityPrivilege	4940	tmp9599.tmp.exe
Token: SeTakeOwnershipPrivilege	4940	tmp9599.tmp.exe
Token: SeLoadDriverPrivilege	4940	tmp9599.tmp.exe
Token: SeSystemProfilePrivilege	4940	tmp9599.tmp.exe
Token: SeSystemtimePrivilege	4940	tmp9599.tmp.exe
Token: SeProfSingleProcessPrivilege	4940	tmp9599.tmp.exe
Token: SeIncBasePriorityPrivilege	4940	tmp9599.tmp.exe
Token: SeCreatePagefilePrivilege	4940	tmp9599.tmp.exe
Token: SeBackupPrivilege	4940	tmp9599.tmp.exe
Token: SeRestorePrivilege	4940	tmp9599.tmp.exe
Token: SeShutdownPrivilege	4940	tmp9599.tmp.exe
Token: SeDebugPrivilege	4940	tmp9599.tmp.exe
Token: SeSystemEnvironmentPrivilege	4940	tmp9599.tmp.exe
Token: SeChangeNotifyPrivilege	4940	tmp9599.tmp.exe
Token: SeRemoteShutdownPrivilege	4940	tmp9599.tmp.exe
Token: SeUndockPrivilege	4940	tmp9599.tmp.exe
Token: SeManageVolumePrivilege	4940	tmp9599.tmp.exe
Token: SeImpersonatePrivilege	4940	tmp9599.tmp.exe
Token: SeCreateGlobalPrivilege	4940	tmp9599.tmp.exe
Token: 33	4940	tmp9599.tmp.exe
Token: 34	4940	tmp9599.tmp.exe
Token: 35	4940	tmp9599.tmp.exe
Token: 36	4940	tmp9599.tmp.exe
Token: SeIncreaseQuotaPrivilege	4864	explorer.exe
Token: SeSecurityPrivilege	4864	explorer.exe
Token: SeTakeOwnershipPrivilege	4864	explorer.exe
Token: SeLoadDriverPrivilege	4864	explorer.exe
Token: SeSystemProfilePrivilege	4864	explorer.exe
Token: SeSystemtimePrivilege	4864	explorer.exe
Token: SeProfSingleProcessPrivilege	4864	explorer.exe
Token: SeIncBasePriorityPrivilege	4864	explorer.exe
Token: SeCreatePagefilePrivilege	4864	explorer.exe
Token: SeBackupPrivilege	4864	explorer.exe
Token: SeRestorePrivilege	4864	explorer.exe
Token: SeShutdownPrivilege	4864	explorer.exe
Token: SeDebugPrivilege	4864	explorer.exe
Token: SeSystemEnvironmentPrivilege	4864	explorer.exe
Token: SeChangeNotifyPrivilege	4864	explorer.exe
Token: SeRemoteShutdownPrivilege	4864	explorer.exe
Token: SeUndockPrivilege	4864	explorer.exe
Token: SeManageVolumePrivilege	4864	explorer.exe
Token: SeImpersonatePrivilege	4864	explorer.exe
Token: SeCreateGlobalPrivilege	4864	explorer.exe
Token: 33	4864	explorer.exe
Token: 34	4864	explorer.exe
Token: 35	4864	explorer.exe
Token: 36	4864	explorer.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3900 wrote to memory of 4940	3900	e7c225008df3ce32c2100db88f750772_JaffaCakes118.exe	83
PID 3900 wrote to memory of 4940	3900	e7c225008df3ce32c2100db88f750772_JaffaCakes118.exe	83
PID 3900 wrote to memory of 4940	3900	e7c225008df3ce32c2100db88f750772_JaffaCakes118.exe	83
PID 4940 wrote to memory of 4864	4940	tmp9599.tmp.exe	84
PID 4940 wrote to memory of 4864	4940	tmp9599.tmp.exe	84
PID 4940 wrote to memory of 4864	4940	tmp9599.tmp.exe	84
PID 4940 wrote to memory of 4864	4940	tmp9599.tmp.exe	84
PID 4940 wrote to memory of 4864	4940	tmp9599.tmp.exe	84

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	tmp9599.tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	tmp9599.tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	tmp9599.tmp.exe

C:\Users\Admin\AppData\Local\Temp\e7c225008df3ce32c2100db88f750772_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e7c225008df3ce32c2100db88f750772_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3900
- C:\Users\Admin\AppData\Local\Temp\tmp9599.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9599.tmp.exe"
  2⤵
  - Modifies firewall policy service
  - Modifies security service
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Windows security modification
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4940
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\SysWOW64\explorer.exe"
    3⤵
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Checks BIOS information in registry
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:4864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9599.tmp.exe

Filesize
242KB

MD5
1ba3ea0d16b2c22d82958d37323b8514

SHA1
dea2e3d97e05e61a2aebeb63d6367d145e6b1edf

SHA256
1cf65f6939f25fb970d511de86ceddb27b29285c6dba589246790ed54a96ba82

SHA512
919db558a04afcd3744730c3a1fac209725838140ff45ece65c1204a5a963ba08847536059a8d50db8fda93b59b388e967d96a775bcd2b01ebb38d7960aac00c

Download Submit
memory/3900-15-0x00007FF9FF760000-0x00007FFA00101000-memory.dmp

Filesize
9.6MB

Download
memory/3900-1-0x000000001BFD0000-0x000000001C076000-memory.dmp

Filesize
664KB

Download
memory/3900-2-0x00007FF9FF760000-0x00007FFA00101000-memory.dmp

Filesize
9.6MB

Download
memory/3900-4-0x00007FF9FF760000-0x00007FFA00101000-memory.dmp

Filesize
9.6MB

Download
memory/3900-0-0x00007FF9FFA15000-0x00007FF9FFA16000-memory.dmp

Filesize
4KB

Download
memory/4864-16-0x0000000013140000-0x00000000131FB000-memory.dmp

Filesize
748KB

Download
memory/4864-18-0x0000000013140000-0x00000000131FB000-memory.dmp

Filesize
748KB

Download
memory/4864-17-0x0000000013140000-0x00000000131FB000-memory.dmp

Filesize
748KB

Download
memory/4864-22-0x0000000013140000-0x00000000131FB000-memory.dmp

Filesize
748KB

Download
memory/4864-23-0x0000000013140000-0x00000000131FB000-memory.dmp

Filesize
748KB

Download
memory/4864-21-0x0000000013140000-0x00000000131FB000-memory.dmp

Filesize
748KB

Download
memory/4864-24-0x0000000013140000-0x00000000131FB000-memory.dmp

Filesize
748KB

Download
memory/4864-25-0x0000000013140000-0x00000000131FB000-memory.dmp

Filesize
748KB

Download
memory/4940-14-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/4940-12-0x0000000013140000-0x00000000131FB000-memory.dmp

Filesize
748KB

Download
memory/4940-20-0x0000000013140000-0x00000000131FB000-memory.dmp

Filesize
748KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads