darkcomet | cd94d37811fae47b63dd11e2e8a0e2ac328b8b8664d530c41c615af9285a8a88

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-12-2024 04:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f2395e55fc1ed3d2eda2a3bdd13d8af6_JaffaCakes118.exe
Size

3.2MB
MD5

f2395e55fc1ed3d2eda2a3bdd13d8af6
SHA1

bf5fa44a16a1ba7d772b6722552ed9525a965ee1
SHA256

cd94d37811fae47b63dd11e2e8a0e2ac328b8b8664d530c41c615af9285a8a88
SHA512

69334c6ee8df715b3373eb65f2aba85c4fbcf9fa9e6548b1b1910b646335cad97dfb36e553061aa756cc6dd881f63acff351464a515323227aa164342bb9724f
SSDEEP

49152:9gYvvhIIP0qkE+ZZPhrXXi3kmPlfD34C7/tcHk3oFughjfqKw07txr18zoTC:9gYv55j43H+9k21cu6ughTqKw07tx2f

Score

10^/10

darkcomet rolleo discovery evasion persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

ROLLEO

127.0.0.1:1607

109.226.126.84:1607

Mutex

DC_MUTEX-SR7HAR4

Attributes

InstallPath
WindowsDefencer\Update.exe
gencode
TeJuc1dkNHmJ
install
true
offline_keylogger
false
persistence
true
reg_key
Windows Defencer

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WindowsDefencer\\Update.exe"	file.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	iexplore.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2476	attrib.exe
2772	attrib.exe

Executes dropped EXE 3 IoCs

pid	Process
2388	file.exe
2356	borodacraft.exe
2796	Update.exe

Loads dropped DLL 8 IoCs

pid	Process
2056	f2395e55fc1ed3d2eda2a3bdd13d8af6_JaffaCakes118.exe
2056	f2395e55fc1ed3d2eda2a3bdd13d8af6_JaffaCakes118.exe
2056	f2395e55fc1ed3d2eda2a3bdd13d8af6_JaffaCakes118.exe
2056	f2395e55fc1ed3d2eda2a3bdd13d8af6_JaffaCakes118.exe
2388	file.exe
2796	Update.exe
2796	Update.exe
2796	Update.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defencer = "C:\\Windows\\system32\\WindowsDefencer\\Update.exe"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defencer = "C:\\Windows\\system32\\WindowsDefencer\\Update.exe"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HMBKLLDMJJNGAOH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\file.exe"	f2395e55fc1ed3d2eda2a3bdd13d8af6_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defencer = "C:\\Windows\\system32\\WindowsDefencer\\Update.exe"	file.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsDefencer\Update.exe	file.exe
File opened for modification	C:\Windows\SysWOW64\WindowsDefencer\Update.exe	file.exe
File opened for modification	C:\Windows\SysWOW64\WindowsDefencer\	file.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2796 set thread context of 1828	2796	Update.exe	40

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000016593-9.dat	upx
behavioral1/memory/2388-20-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2388-60-0x0000000003FF0000-0x00000000040A7000-memory.dmp	upx
behavioral1/memory/2796-63-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1828-68-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2796-70-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2388-111-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	borodacraft.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2395e55fc1ed3d2eda2a3bdd13d8af6_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2388	file.exe
Token: SeSecurityPrivilege	2388	file.exe
Token: SeTakeOwnershipPrivilege	2388	file.exe
Token: SeLoadDriverPrivilege	2388	file.exe
Token: SeSystemProfilePrivilege	2388	file.exe
Token: SeSystemtimePrivilege	2388	file.exe
Token: SeProfSingleProcessPrivilege	2388	file.exe
Token: SeIncBasePriorityPrivilege	2388	file.exe
Token: SeCreatePagefilePrivilege	2388	file.exe
Token: SeBackupPrivilege	2388	file.exe
Token: SeRestorePrivilege	2388	file.exe
Token: SeShutdownPrivilege	2388	file.exe
Token: SeDebugPrivilege	2388	file.exe
Token: SeSystemEnvironmentPrivilege	2388	file.exe
Token: SeChangeNotifyPrivilege	2388	file.exe
Token: SeRemoteShutdownPrivilege	2388	file.exe
Token: SeUndockPrivilege	2388	file.exe
Token: SeManageVolumePrivilege	2388	file.exe
Token: SeImpersonatePrivilege	2388	file.exe
Token: SeCreateGlobalPrivilege	2388	file.exe
Token: 33	2388	file.exe
Token: 34	2388	file.exe
Token: 35	2388	file.exe
Token: SeIncreaseQuotaPrivilege	2796	Update.exe
Token: SeSecurityPrivilege	2796	Update.exe
Token: SeTakeOwnershipPrivilege	2796	Update.exe
Token: SeLoadDriverPrivilege	2796	Update.exe
Token: SeSystemProfilePrivilege	2796	Update.exe
Token: SeSystemtimePrivilege	2796	Update.exe
Token: SeProfSingleProcessPrivilege	2796	Update.exe
Token: SeIncBasePriorityPrivilege	2796	Update.exe
Token: SeCreatePagefilePrivilege	2796	Update.exe
Token: SeBackupPrivilege	2796	Update.exe
Token: SeRestorePrivilege	2796	Update.exe
Token: SeShutdownPrivilege	2796	Update.exe
Token: SeDebugPrivilege	2796	Update.exe
Token: SeSystemEnvironmentPrivilege	2796	Update.exe
Token: SeChangeNotifyPrivilege	2796	Update.exe
Token: SeRemoteShutdownPrivilege	2796	Update.exe
Token: SeUndockPrivilege	2796	Update.exe
Token: SeManageVolumePrivilege	2796	Update.exe
Token: SeImpersonatePrivilege	2796	Update.exe
Token: SeCreateGlobalPrivilege	2796	Update.exe
Token: 33	2796	Update.exe
Token: 34	2796	Update.exe
Token: 35	2796	Update.exe
Token: SeRestorePrivilege	2796	Update.exe
Token: SeBackupPrivilege	2796	Update.exe
Token: SeIncreaseQuotaPrivilege	1828	iexplore.exe
Token: SeSecurityPrivilege	1828	iexplore.exe
Token: SeTakeOwnershipPrivilege	1828	iexplore.exe
Token: SeLoadDriverPrivilege	1828	iexplore.exe
Token: SeSystemProfilePrivilege	1828	iexplore.exe
Token: SeSystemtimePrivilege	1828	iexplore.exe
Token: SeProfSingleProcessPrivilege	1828	iexplore.exe
Token: SeIncBasePriorityPrivilege	1828	iexplore.exe
Token: SeCreatePagefilePrivilege	1828	iexplore.exe
Token: SeBackupPrivilege	1828	iexplore.exe
Token: SeRestorePrivilege	1828	iexplore.exe
Token: SeShutdownPrivilege	1828	iexplore.exe
Token: SeDebugPrivilege	1828	iexplore.exe
Token: SeSystemEnvironmentPrivilege	1828	iexplore.exe
Token: SeChangeNotifyPrivilege	1828	iexplore.exe
Token: SeRemoteShutdownPrivilege	1828	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2356	2056	f2395e55fc1ed3d2eda2a3bdd13d8af6_JaffaCakes118.exe	30
PID 2056 wrote to memory of 2356	2056	f2395e55fc1ed3d2eda2a3bdd13d8af6_JaffaCakes118.exe	30
PID 2056 wrote to memory of 2356	2056	f2395e55fc1ed3d2eda2a3bdd13d8af6_JaffaCakes118.exe	30
PID 2056 wrote to memory of 2356	2056	f2395e55fc1ed3d2eda2a3bdd13d8af6_JaffaCakes118.exe	30
PID 2056 wrote to memory of 2388	2056	f2395e55fc1ed3d2eda2a3bdd13d8af6_JaffaCakes118.exe	31
PID 2056 wrote to memory of 2388	2056	f2395e55fc1ed3d2eda2a3bdd13d8af6_JaffaCakes118.exe	31
PID 2056 wrote to memory of 2388	2056	f2395e55fc1ed3d2eda2a3bdd13d8af6_JaffaCakes118.exe	31
PID 2056 wrote to memory of 2388	2056	f2395e55fc1ed3d2eda2a3bdd13d8af6_JaffaCakes118.exe	31
PID 2388 wrote to memory of 2712	2388	file.exe	32
PID 2388 wrote to memory of 2712	2388	file.exe	32
PID 2388 wrote to memory of 2712	2388	file.exe	32
PID 2388 wrote to memory of 2712	2388	file.exe	32
PID 2388 wrote to memory of 2748	2388	file.exe	33
PID 2388 wrote to memory of 2748	2388	file.exe	33
PID 2388 wrote to memory of 2748	2388	file.exe	33
PID 2388 wrote to memory of 2748	2388	file.exe	33
PID 2388 wrote to memory of 2828	2388	file.exe	36
PID 2388 wrote to memory of 2828	2388	file.exe	36
PID 2388 wrote to memory of 2828	2388	file.exe	36
PID 2388 wrote to memory of 2828	2388	file.exe	36
PID 2388 wrote to memory of 2828	2388	file.exe	36
PID 2388 wrote to memory of 2828	2388	file.exe	36
PID 2388 wrote to memory of 2828	2388	file.exe	36
PID 2388 wrote to memory of 2828	2388	file.exe	36
PID 2388 wrote to memory of 2828	2388	file.exe	36
PID 2388 wrote to memory of 2828	2388	file.exe	36
PID 2388 wrote to memory of 2828	2388	file.exe	36
PID 2388 wrote to memory of 2828	2388	file.exe	36
PID 2388 wrote to memory of 2828	2388	file.exe	36
PID 2388 wrote to memory of 2828	2388	file.exe	36
PID 2388 wrote to memory of 2828	2388	file.exe	36
PID 2388 wrote to memory of 2828	2388	file.exe	36
PID 2388 wrote to memory of 2828	2388	file.exe	36
PID 2388 wrote to memory of 2828	2388	file.exe	36
PID 2748 wrote to memory of 2772	2748	cmd.exe	37
PID 2748 wrote to memory of 2772	2748	cmd.exe	37
PID 2748 wrote to memory of 2772	2748	cmd.exe	37
PID 2748 wrote to memory of 2772	2748	cmd.exe	37
PID 2712 wrote to memory of 2476	2712	cmd.exe	38
PID 2712 wrote to memory of 2476	2712	cmd.exe	38
PID 2712 wrote to memory of 2476	2712	cmd.exe	38
PID 2712 wrote to memory of 2476	2712	cmd.exe	38
PID 2388 wrote to memory of 2796	2388	file.exe	39
PID 2388 wrote to memory of 2796	2388	file.exe	39
PID 2388 wrote to memory of 2796	2388	file.exe	39
PID 2388 wrote to memory of 2796	2388	file.exe	39
PID 2388 wrote to memory of 2796	2388	file.exe	39
PID 2388 wrote to memory of 2796	2388	file.exe	39
PID 2388 wrote to memory of 2796	2388	file.exe	39
PID 2796 wrote to memory of 1828	2796	Update.exe	40
PID 2796 wrote to memory of 1828	2796	Update.exe	40
PID 2796 wrote to memory of 1828	2796	Update.exe	40
PID 2796 wrote to memory of 1828	2796	Update.exe	40
PID 2796 wrote to memory of 1828	2796	Update.exe	40
PID 2796 wrote to memory of 1828	2796	Update.exe	40
PID 2796 wrote to memory of 1828	2796	Update.exe	40
PID 2796 wrote to memory of 1828	2796	Update.exe	40
PID 2796 wrote to memory of 1828	2796	Update.exe	40
PID 1828 wrote to memory of 2300	1828	iexplore.exe	41
PID 1828 wrote to memory of 2300	1828	iexplore.exe	41
PID 1828 wrote to memory of 2300	1828	iexplore.exe	41
PID 1828 wrote to memory of 2300	1828	iexplore.exe	41
PID 1828 wrote to memory of 2300	1828	iexplore.exe	41
PID 1828 wrote to memory of 2300	1828	iexplore.exe	41

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2772	attrib.exe
2476	attrib.exe

C:\Users\Admin\AppData\Local\Temp\f2395e55fc1ed3d2eda2a3bdd13d8af6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f2395e55fc1ed3d2eda2a3bdd13d8af6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Users\Admin\AppData\Local\Temp\borodacraft.exe
  "C:\Users\Admin\AppData\Local\Temp\borodacraft.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2356
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\file.exe" +s +h
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp\file.exe" +s +h
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2476
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2772
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2828
- - C:\Windows\SysWOW64\WindowsDefencer\Update.exe
    "C:\Windows\system32\WindowsDefencer\Update.exe"
    3⤵
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      4⤵
      Disables RegEdit via registry modification
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1828
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\borodacraft.exe

Filesize
3.0MB

MD5
e01dfbe76c690a070ec522d0091a9b3a

SHA1
3233ef818c3cc27e07612b7db236b74798eca8f7

SHA256
f4d4b2be4cfc692bf9e3a48a93b038280d6dca1dc69956bcae3707abf97d1686

SHA512
ace329d994a6bc7317401e31d7f2e830e9bb17488891c3fc56c14e03b2a2e72b599b7b4f41cc2f59b781c22478e69461791e1a7ba14c27cd845567b3d5f8b406

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.exe

Filesize
252KB

MD5
49e04125173bdb0f292b0abb13db301d

SHA1
00bce84c8a0b6b71d03fa032aff71eb3500b2147

SHA256
f0bbed6d47a04063aa467df02a87991e25bf744ee0eec4e31cff20f1ac110a29

SHA512
af083f3620e1401f619314014405ed8ffe3a938e15c6a04fdf204c32d348f52d21ff36ed084ba6fcf0a6f292c3d12becee08c229fc4c9ac14b234f594a2bbeb9

Download Submit
memory/1828-68-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2388-20-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2388-22-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2388-60-0x0000000003FF0000-0x00000000040A7000-memory.dmp

Filesize
732KB

Download
memory/2388-111-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2796-63-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2796-66-0x0000000000230000-0x00000000002E7000-memory.dmp

Filesize
732KB

Download
memory/2796-70-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2828-55-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2828-27-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads