darkcomet | cd94d37811fae47b63dd11e2e8a0e2ac328b8b8664d530c41c615af9285a8a88

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15/12/2024, 04:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f2395e55fc1ed3d2eda2a3bdd13d8af6_JaffaCakes118.exe
Size

3.2MB
MD5

f2395e55fc1ed3d2eda2a3bdd13d8af6
SHA1

bf5fa44a16a1ba7d772b6722552ed9525a965ee1
SHA256

cd94d37811fae47b63dd11e2e8a0e2ac328b8b8664d530c41c615af9285a8a88
SHA512

69334c6ee8df715b3373eb65f2aba85c4fbcf9fa9e6548b1b1910b646335cad97dfb36e553061aa756cc6dd881f63acff351464a515323227aa164342bb9724f
SSDEEP

49152:9gYvvhIIP0qkE+ZZPhrXXi3kmPlfD34C7/tcHk3oFughjfqKw07txr18zoTC:9gYv55j43H+9k21cu6ughTqKw07tx2f

Score

10^/10

darkcomet rolleo discovery evasion persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

ROLLEO

127.0.0.1:1607

109.226.126.84:1607

Mutex

DC_MUTEX-SR7HAR4

Attributes

InstallPath
WindowsDefencer\Update.exe
gencode
TeJuc1dkNHmJ
install
true
offline_keylogger
false
persistence
true
reg_key
Windows Defencer

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WindowsDefencer\\Update.exe"	file.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	iexplore.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
3636	attrib.exe
4936	attrib.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	f2395e55fc1ed3d2eda2a3bdd13d8af6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	file.exe

Executes dropped EXE 3 IoCs

pid	Process
3016	borodacraft.exe
3844	file.exe
1636	Update.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defencer = "C:\\Windows\\system32\\WindowsDefencer\\Update.exe"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defencer = "C:\\Windows\\system32\\WindowsDefencer\\Update.exe"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ELLDCJEGAHOIGNI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\file.exe"	f2395e55fc1ed3d2eda2a3bdd13d8af6_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defencer = "C:\\Windows\\system32\\WindowsDefencer\\Update.exe"	file.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsDefencer\Update.exe	file.exe
File opened for modification	C:\Windows\SysWOW64\WindowsDefencer\Update.exe	file.exe
File opened for modification	C:\Windows\SysWOW64\WindowsDefencer\	file.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1636 set thread context of 3120	1636	Update.exe	92

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023c9e-16.dat	upx
behavioral2/memory/3844-23-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3120-88-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1636-90-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3844-93-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2395e55fc1ed3d2eda2a3bdd13d8af6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	borodacraft.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	file.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3844	file.exe
Token: SeSecurityPrivilege	3844	file.exe
Token: SeTakeOwnershipPrivilege	3844	file.exe
Token: SeLoadDriverPrivilege	3844	file.exe
Token: SeSystemProfilePrivilege	3844	file.exe
Token: SeSystemtimePrivilege	3844	file.exe
Token: SeProfSingleProcessPrivilege	3844	file.exe
Token: SeIncBasePriorityPrivilege	3844	file.exe
Token: SeCreatePagefilePrivilege	3844	file.exe
Token: SeBackupPrivilege	3844	file.exe
Token: SeRestorePrivilege	3844	file.exe
Token: SeShutdownPrivilege	3844	file.exe
Token: SeDebugPrivilege	3844	file.exe
Token: SeSystemEnvironmentPrivilege	3844	file.exe
Token: SeChangeNotifyPrivilege	3844	file.exe
Token: SeRemoteShutdownPrivilege	3844	file.exe
Token: SeUndockPrivilege	3844	file.exe
Token: SeManageVolumePrivilege	3844	file.exe
Token: SeImpersonatePrivilege	3844	file.exe
Token: SeCreateGlobalPrivilege	3844	file.exe
Token: 33	3844	file.exe
Token: 34	3844	file.exe
Token: 35	3844	file.exe
Token: 36	3844	file.exe
Token: SeIncreaseQuotaPrivilege	1636	Update.exe
Token: SeSecurityPrivilege	1636	Update.exe
Token: SeTakeOwnershipPrivilege	1636	Update.exe
Token: SeLoadDriverPrivilege	1636	Update.exe
Token: SeSystemProfilePrivilege	1636	Update.exe
Token: SeSystemtimePrivilege	1636	Update.exe
Token: SeProfSingleProcessPrivilege	1636	Update.exe
Token: SeIncBasePriorityPrivilege	1636	Update.exe
Token: SeCreatePagefilePrivilege	1636	Update.exe
Token: SeBackupPrivilege	1636	Update.exe
Token: SeRestorePrivilege	1636	Update.exe
Token: SeShutdownPrivilege	1636	Update.exe
Token: SeDebugPrivilege	1636	Update.exe
Token: SeSystemEnvironmentPrivilege	1636	Update.exe
Token: SeChangeNotifyPrivilege	1636	Update.exe
Token: SeRemoteShutdownPrivilege	1636	Update.exe
Token: SeUndockPrivilege	1636	Update.exe
Token: SeManageVolumePrivilege	1636	Update.exe
Token: SeImpersonatePrivilege	1636	Update.exe
Token: SeCreateGlobalPrivilege	1636	Update.exe
Token: 33	1636	Update.exe
Token: 34	1636	Update.exe
Token: 35	1636	Update.exe
Token: 36	1636	Update.exe
Token: SeIncreaseQuotaPrivilege	3120	iexplore.exe
Token: SeSecurityPrivilege	3120	iexplore.exe
Token: SeTakeOwnershipPrivilege	3120	iexplore.exe
Token: SeLoadDriverPrivilege	3120	iexplore.exe
Token: SeSystemProfilePrivilege	3120	iexplore.exe
Token: SeSystemtimePrivilege	3120	iexplore.exe
Token: SeProfSingleProcessPrivilege	3120	iexplore.exe
Token: SeIncBasePriorityPrivilege	3120	iexplore.exe
Token: SeCreatePagefilePrivilege	3120	iexplore.exe
Token: SeBackupPrivilege	3120	iexplore.exe
Token: SeRestorePrivilege	3120	iexplore.exe
Token: SeShutdownPrivilege	3120	iexplore.exe
Token: SeDebugPrivilege	3120	iexplore.exe
Token: SeSystemEnvironmentPrivilege	3120	iexplore.exe
Token: SeChangeNotifyPrivilege	3120	iexplore.exe
Token: SeRemoteShutdownPrivilege	3120	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 3016	1476	f2395e55fc1ed3d2eda2a3bdd13d8af6_JaffaCakes118.exe	82
PID 1476 wrote to memory of 3016	1476	f2395e55fc1ed3d2eda2a3bdd13d8af6_JaffaCakes118.exe	82
PID 1476 wrote to memory of 3016	1476	f2395e55fc1ed3d2eda2a3bdd13d8af6_JaffaCakes118.exe	82
PID 1476 wrote to memory of 3844	1476	f2395e55fc1ed3d2eda2a3bdd13d8af6_JaffaCakes118.exe	83
PID 1476 wrote to memory of 3844	1476	f2395e55fc1ed3d2eda2a3bdd13d8af6_JaffaCakes118.exe	83
PID 1476 wrote to memory of 3844	1476	f2395e55fc1ed3d2eda2a3bdd13d8af6_JaffaCakes118.exe	83
PID 3844 wrote to memory of 3744	3844	file.exe	84
PID 3844 wrote to memory of 3744	3844	file.exe	84
PID 3844 wrote to memory of 3744	3844	file.exe	84
PID 3844 wrote to memory of 3476	3844	file.exe	86
PID 3844 wrote to memory of 3476	3844	file.exe	86
PID 3844 wrote to memory of 3476	3844	file.exe	86
PID 3844 wrote to memory of 4884	3844	file.exe	87
PID 3844 wrote to memory of 4884	3844	file.exe	87
PID 3844 wrote to memory of 4884	3844	file.exe	87
PID 3844 wrote to memory of 4884	3844	file.exe	87
PID 3844 wrote to memory of 4884	3844	file.exe	87
PID 3844 wrote to memory of 4884	3844	file.exe	87
PID 3844 wrote to memory of 4884	3844	file.exe	87
PID 3844 wrote to memory of 4884	3844	file.exe	87
PID 3844 wrote to memory of 4884	3844	file.exe	87
PID 3844 wrote to memory of 4884	3844	file.exe	87
PID 3844 wrote to memory of 4884	3844	file.exe	87
PID 3844 wrote to memory of 4884	3844	file.exe	87
PID 3844 wrote to memory of 4884	3844	file.exe	87
PID 3844 wrote to memory of 4884	3844	file.exe	87
PID 3844 wrote to memory of 4884	3844	file.exe	87
PID 3844 wrote to memory of 4884	3844	file.exe	87
PID 3844 wrote to memory of 4884	3844	file.exe	87
PID 3744 wrote to memory of 3636	3744	cmd.exe	89
PID 3744 wrote to memory of 3636	3744	cmd.exe	89
PID 3744 wrote to memory of 3636	3744	cmd.exe	89
PID 3476 wrote to memory of 4936	3476	cmd.exe	90
PID 3476 wrote to memory of 4936	3476	cmd.exe	90
PID 3476 wrote to memory of 4936	3476	cmd.exe	90
PID 3844 wrote to memory of 1636	3844	file.exe	91
PID 3844 wrote to memory of 1636	3844	file.exe	91
PID 3844 wrote to memory of 1636	3844	file.exe	91
PID 1636 wrote to memory of 3120	1636	Update.exe	92
PID 1636 wrote to memory of 3120	1636	Update.exe	92
PID 1636 wrote to memory of 3120	1636	Update.exe	92
PID 1636 wrote to memory of 3120	1636	Update.exe	92
PID 1636 wrote to memory of 3120	1636	Update.exe	92
PID 3120 wrote to memory of 2528	3120	iexplore.exe	93
PID 3120 wrote to memory of 2528	3120	iexplore.exe	93
PID 3120 wrote to memory of 2528	3120	iexplore.exe	93
PID 3120 wrote to memory of 2528	3120	iexplore.exe	93
PID 3120 wrote to memory of 2528	3120	iexplore.exe	93
PID 3120 wrote to memory of 2528	3120	iexplore.exe	93
PID 3120 wrote to memory of 2528	3120	iexplore.exe	93
PID 3120 wrote to memory of 2528	3120	iexplore.exe	93
PID 3120 wrote to memory of 2528	3120	iexplore.exe	93
PID 3120 wrote to memory of 2528	3120	iexplore.exe	93
PID 3120 wrote to memory of 2528	3120	iexplore.exe	93
PID 3120 wrote to memory of 2528	3120	iexplore.exe	93
PID 3120 wrote to memory of 2528	3120	iexplore.exe	93
PID 3120 wrote to memory of 2528	3120	iexplore.exe	93
PID 3120 wrote to memory of 2528	3120	iexplore.exe	93
PID 3120 wrote to memory of 2528	3120	iexplore.exe	93
PID 3120 wrote to memory of 2528	3120	iexplore.exe	93
PID 3120 wrote to memory of 2528	3120	iexplore.exe	93
PID 3120 wrote to memory of 2528	3120	iexplore.exe	93
PID 3120 wrote to memory of 2528	3120	iexplore.exe	93
PID 3120 wrote to memory of 2528	3120	iexplore.exe	93

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4936	attrib.exe
3636	attrib.exe

C:\Users\Admin\AppData\Local\Temp\f2395e55fc1ed3d2eda2a3bdd13d8af6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f2395e55fc1ed3d2eda2a3bdd13d8af6_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Users\Admin\AppData\Local\Temp\borodacraft.exe
  "C:\Users\Admin\AppData\Local\Temp\borodacraft.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3016
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3844
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\file.exe" +s +h
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3744
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp\file.exe" +s +h
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:3636
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3476
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:4936
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4884
- - C:\Windows\SysWOW64\WindowsDefencer\Update.exe
    "C:\Windows\system32\WindowsDefencer\Update.exe"
    3⤵
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1636
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      4⤵
      Disables RegEdit via registry modification
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3120
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\borodacraft.exe

Filesize
3.0MB

MD5
e01dfbe76c690a070ec522d0091a9b3a

SHA1
3233ef818c3cc27e07612b7db236b74798eca8f7

SHA256
f4d4b2be4cfc692bf9e3a48a93b038280d6dca1dc69956bcae3707abf97d1686

SHA512
ace329d994a6bc7317401e31d7f2e830e9bb17488891c3fc56c14e03b2a2e72b599b7b4f41cc2f59b781c22478e69461791e1a7ba14c27cd845567b3d5f8b406

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.exe

Filesize
252KB

MD5
49e04125173bdb0f292b0abb13db301d

SHA1
00bce84c8a0b6b71d03fa032aff71eb3500b2147

SHA256
f0bbed6d47a04063aa467df02a87991e25bf744ee0eec4e31cff20f1ac110a29

SHA512
af083f3620e1401f619314014405ed8ffe3a938e15c6a04fdf204c32d348f52d21ff36ed084ba6fcf0a6f292c3d12becee08c229fc4c9ac14b234f594a2bbeb9

Download Submit
memory/1636-90-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2528-91-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download
memory/3120-88-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3844-23-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3844-25-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/3844-93-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4884-29-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads