darkcomet | 91e123c82523c2fc331266650bb55ecadad77be08673da19f24eed10236652d1

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-12-2024 05:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f290bcd0a10a945a27348528ae1e28b8_JaffaCakes118.exe
Size

3.5MB
MD5

f290bcd0a10a945a27348528ae1e28b8
SHA1

f431bc91f1026e3a644756f08f20769a6be52c4a
SHA256

91e123c82523c2fc331266650bb55ecadad77be08673da19f24eed10236652d1
SHA512

42de9a08423f02c94217097ee7912817ccb86614a708cb7b9936f6586240d63824c898847292312a64993b834d13e193666765f57ae218a0de1032b323dfe85e
SSDEEP

98304:u5x9gcLho+OZPR/bERxZET+0O4eMLc9mDSR9ZBD0iDb+eV:u5Mcl+TYr2The4jU9j4iDb+e

Score

10^/10

darkcomet discovery persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Executes dropped EXE 4 IoCs

pid	Process
2564	Torrent.exe
1520	vbc.exe
4008	HIDEIP~1.EXE
2440	HIDEIP~1.EXE

Loads dropped DLL 3 IoCs

pid	Process
4008	HIDEIP~1.EXE
2440	HIDEIP~1.EXE
2440	HIDEIP~1.EXE

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f290bcd0a10a945a27348528ae1e28b8_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\JavaUpdater\\Torrent.exe"	Torrent.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2564 set thread context of 1520	2564	Torrent.exe	83
PID 4008 set thread context of 2440	4008	HIDEIP~1.EXE	85

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2572	2440	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Torrent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HIDEIP~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HIDEIP~1.EXE

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral2/files/0x0009000000023c8f-28.dat	nsis_installer_2

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4008	HIDEIP~1.EXE

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1520	vbc.exe
Token: SeSecurityPrivilege	1520	vbc.exe
Token: SeTakeOwnershipPrivilege	1520	vbc.exe
Token: SeLoadDriverPrivilege	1520	vbc.exe
Token: SeSystemProfilePrivilege	1520	vbc.exe
Token: SeSystemtimePrivilege	1520	vbc.exe
Token: SeProfSingleProcessPrivilege	1520	vbc.exe
Token: SeIncBasePriorityPrivilege	1520	vbc.exe
Token: SeCreatePagefilePrivilege	1520	vbc.exe
Token: SeBackupPrivilege	1520	vbc.exe
Token: SeRestorePrivilege	1520	vbc.exe
Token: SeShutdownPrivilege	1520	vbc.exe
Token: SeDebugPrivilege	1520	vbc.exe
Token: SeSystemEnvironmentPrivilege	1520	vbc.exe
Token: SeChangeNotifyPrivilege	1520	vbc.exe
Token: SeRemoteShutdownPrivilege	1520	vbc.exe
Token: SeUndockPrivilege	1520	vbc.exe
Token: SeManageVolumePrivilege	1520	vbc.exe
Token: SeImpersonatePrivilege	1520	vbc.exe
Token: SeCreateGlobalPrivilege	1520	vbc.exe
Token: 33	1520	vbc.exe
Token: 34	1520	vbc.exe
Token: 35	1520	vbc.exe
Token: 36	1520	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1520	vbc.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2564	2696	f290bcd0a10a945a27348528ae1e28b8_JaffaCakes118.exe	82
PID 2696 wrote to memory of 2564	2696	f290bcd0a10a945a27348528ae1e28b8_JaffaCakes118.exe	82
PID 2696 wrote to memory of 2564	2696	f290bcd0a10a945a27348528ae1e28b8_JaffaCakes118.exe	82
PID 2564 wrote to memory of 1520	2564	Torrent.exe	83
PID 2564 wrote to memory of 1520	2564	Torrent.exe	83
PID 2564 wrote to memory of 1520	2564	Torrent.exe	83
PID 2564 wrote to memory of 1520	2564	Torrent.exe	83
PID 2564 wrote to memory of 1520	2564	Torrent.exe	83
PID 2564 wrote to memory of 1520	2564	Torrent.exe	83
PID 2564 wrote to memory of 1520	2564	Torrent.exe	83
PID 2564 wrote to memory of 1520	2564	Torrent.exe	83
PID 2564 wrote to memory of 1520	2564	Torrent.exe	83
PID 2564 wrote to memory of 1520	2564	Torrent.exe	83
PID 2564 wrote to memory of 1520	2564	Torrent.exe	83
PID 2564 wrote to memory of 1520	2564	Torrent.exe	83
PID 2564 wrote to memory of 1520	2564	Torrent.exe	83
PID 2564 wrote to memory of 1520	2564	Torrent.exe	83
PID 2696 wrote to memory of 4008	2696	f290bcd0a10a945a27348528ae1e28b8_JaffaCakes118.exe	84
PID 2696 wrote to memory of 4008	2696	f290bcd0a10a945a27348528ae1e28b8_JaffaCakes118.exe	84
PID 2696 wrote to memory of 4008	2696	f290bcd0a10a945a27348528ae1e28b8_JaffaCakes118.exe	84
PID 4008 wrote to memory of 2440	4008	HIDEIP~1.EXE	85
PID 4008 wrote to memory of 2440	4008	HIDEIP~1.EXE	85
PID 4008 wrote to memory of 2440	4008	HIDEIP~1.EXE	85
PID 4008 wrote to memory of 2440	4008	HIDEIP~1.EXE	85
PID 4008 wrote to memory of 2440	4008	HIDEIP~1.EXE	85
PID 4008 wrote to memory of 2440	4008	HIDEIP~1.EXE	85
PID 4008 wrote to memory of 2440	4008	HIDEIP~1.EXE	85
PID 4008 wrote to memory of 2440	4008	HIDEIP~1.EXE	85
PID 4008 wrote to memory of 2440	4008	HIDEIP~1.EXE	85
PID 4008 wrote to memory of 2440	4008	HIDEIP~1.EXE	85

C:\Users\Admin\AppData\Local\Temp\f290bcd0a10a945a27348528ae1e28b8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f290bcd0a10a945a27348528ae1e28b8_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Torrent.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Torrent.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Users\Admin\AppData\Local\Temp\vbc.exe
    C:\Users\Admin\AppData\Local\Temp\vbc.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1520
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HIDEIP~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HIDEIP~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4008
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HIDEIP~1.EXE
    "C:\Program Files (x86)\HideIPEasy\HideIPEasy.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2440
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 664
      4⤵
      Program crash
      PID:2572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2440 -ip 2440
1⤵
PID:3188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HIDEIP~1.EXE

Filesize
5.8MB

MD5
2454037c9fc6590a3306594cce1655ad

SHA1
0f5972797fccca0f98dc5b4cf7ea88e54e4c9a0e

SHA256
a33bdb04fd028b654998db53088697f49b31bb1fa2ff9f2fc4dcb6cfa9b56316

SHA512
9d2bab08ad9b5e584ecb2d25cfb8db5af5cff3f57345923f2620738246e340f65a0bb9b09c1da0f0aa361f5d99771854a70c136001df072c3089d7c26e20f0c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Hide IP Easy\Registry.rw.tvr

Filesize
4KB

MD5
e6a374d14baff681a4b804150afcca3a

SHA1
3227c189af0967877fe846bfd9737266fb6b946f

SHA256
f413501e968d3c35b91c1373c3c0bd11cf18509bb41be68ee080505903f8350b

SHA512
005fb10987ca2a6f2c2db750faf6e0c8dabad2d5a3b13dcb4c8f5dc71f21abb3c695fe8e111cbff83ac57c83b7dc66be7a4a4c030dc5f94ad36530e36c35e588

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Hide IP Easy\Registry.rw.tvr.lck

Filesize
60B

MD5
e92345b1343023023e7e97307667de76

SHA1
5cff994a175a1507aaa7ed88770ce10dc52b09db

SHA256
09e478d743f09491f36956acc1653e505ff1d23011b9d8dd42f76320475da8a2

SHA512
50da77f2f033add4a215450f08feedbae07f33f16218a154356219b2bd1681f257d5524a7b10b30c636890eead972da433316da33813112b7beb5fb441c66523

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Hide IP Easy\Registry.rw.tvr.transact

Filesize
4KB

MD5
58ce80ba4f5932423f7cc41ba66ccb5c

SHA1
0cba32a27e2cbfbdaf7fb934e0a116f60a6590b3

SHA256
63fa8c8c364cf5fe03211aa9ad57016e9f38ec08f2d653d162fdf5bc63d87e73

SHA512
b1b8da10ca1493c1ccb8c7182b17786db5f5bb0bf4c48c4bbac7155f8b03099b9db356e2a878097c85c4ff6bd60d2505815629f8eb9833c1032aaf8784fce716

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Hide IP Easy\SKEL\9f6cfc4add1cd43f43da5b6a60035e6bb31fea7d.Tls

Filesize
376B

MD5
1534b437a832d71674b63cd3319f0784

SHA1
9f6cfc4add1cd43f43da5b6a60035e6bb31fea7d

SHA256
a350561d6fb500531fb34e8d26af6e61c5d8d1e409eb28ed3bbbbe917655c228

SHA512
5a12439ad51b1795b55efa503779da33dfeddd2fc4235fd9c4a5cae13ffc8789b0377f02a9bb6a1c0532f1fbf653dff36d7a38703d8ee4061d57f66aec42bef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Torrent.exe

Filesize
1.1MB

MD5
8d84aad1f2b00ffa9ed94178e194d9aa

SHA1
915a64bd561f1a153dcc84922fc61677407fa858

SHA256
7ef1439999d378f1f20eb5b9c4cf69f21be55465f2820138650e356d1b3c0aae

SHA512
87eba540440a81e4ff2ce9ebdb550cdfc25c1db696242caec4b1089f0cae4c5df2e9c606f140d3b9d945fc7c0ae085c512b0e1565c6d726e8325e2aeb9831e82

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
memory/1520-19-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1520-21-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1520-17-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1520-23-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/1520-26-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1520-25-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1520-24-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1520-14-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2440-72-0x00000000023E0000-0x0000000002568000-memory.dmp

Filesize
1.5MB

Download
memory/2440-88-0x00000000023E0000-0x0000000002568000-memory.dmp

Filesize
1.5MB

Download
memory/2440-75-0x00000000023E0000-0x0000000002568000-memory.dmp

Filesize
1.5MB

Download
memory/2440-70-0x00000000023E0000-0x0000000002568000-memory.dmp

Filesize
1.5MB

Download
memory/2440-71-0x00000000023E0000-0x0000000002568000-memory.dmp

Filesize
1.5MB

Download
memory/2440-73-0x00000000023E0000-0x0000000002568000-memory.dmp

Filesize
1.5MB

Download
memory/2440-77-0x00000000023E0000-0x0000000002568000-memory.dmp

Filesize
1.5MB

Download
memory/2440-78-0x00000000023E0000-0x0000000002568000-memory.dmp

Filesize
1.5MB

Download
memory/2440-80-0x00000000023E0000-0x0000000002568000-memory.dmp

Filesize
1.5MB

Download
memory/2440-68-0x0000000079BF0000-0x0000000079C0A000-memory.dmp

Filesize
104KB

Download
memory/2440-81-0x00000000023E0000-0x0000000002568000-memory.dmp

Filesize
1.5MB

Download
memory/2440-82-0x00000000023E0000-0x0000000002568000-memory.dmp

Filesize
1.5MB

Download
memory/2440-87-0x00000000023E0000-0x0000000002568000-memory.dmp

Filesize
1.5MB

Download
memory/2440-69-0x00000000023E0000-0x0000000002568000-memory.dmp

Filesize
1.5MB

Download
memory/2440-90-0x00000000023E0000-0x0000000002568000-memory.dmp

Filesize
1.5MB

Download
memory/2440-91-0x00000000023E0000-0x0000000002568000-memory.dmp

Filesize
1.5MB

Download
memory/2440-94-0x00000000023E0000-0x0000000002568000-memory.dmp

Filesize
1.5MB

Download
memory/2440-76-0x00000000023E0000-0x0000000002568000-memory.dmp

Filesize
1.5MB

Download
memory/2440-74-0x00000000023E0000-0x0000000002568000-memory.dmp

Filesize
1.5MB

Download
memory/2440-89-0x00000000023E0000-0x0000000002568000-memory.dmp

Filesize
1.5MB

Download
memory/2440-100-0x00000000023E0000-0x0000000002568000-memory.dmp

Filesize
1.5MB

Download
memory/2440-95-0x00000000023E0000-0x0000000002568000-memory.dmp

Filesize
1.5MB

Download
memory/2564-7-0x00000000752B2000-0x00000000752B3000-memory.dmp

Filesize
4KB

Download
memory/2564-8-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/2564-9-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/2564-22-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/4008-38-0x0000000002010000-0x0000000002198000-memory.dmp

Filesize
1.5MB

Download
memory/4008-31-0x0000000002010000-0x0000000002198000-memory.dmp

Filesize
1.5MB

Download
memory/4008-32-0x0000000002010000-0x0000000002198000-memory.dmp

Filesize
1.5MB

Download
memory/4008-39-0x0000000002010000-0x0000000002198000-memory.dmp

Filesize
1.5MB

Download
memory/4008-40-0x0000000002010000-0x0000000002198000-memory.dmp

Filesize
1.5MB

Download
memory/4008-41-0x0000000002520000-0x000000000252C000-memory.dmp

Filesize
48KB

Download
memory/4008-42-0x0000000002010000-0x0000000002198000-memory.dmp

Filesize
1.5MB

Download
memory/4008-43-0x0000000002010000-0x0000000002198000-memory.dmp

Filesize
1.5MB

Download
memory/4008-44-0x0000000002010000-0x0000000002198000-memory.dmp

Filesize
1.5MB

Download
memory/4008-47-0x0000000002010000-0x0000000002198000-memory.dmp

Filesize
1.5MB

Download
memory/4008-49-0x0000000002010000-0x0000000002198000-memory.dmp

Filesize
1.5MB

Download
memory/4008-50-0x0000000002010000-0x0000000002198000-memory.dmp

Filesize
1.5MB

Download
memory/4008-51-0x0000000002010000-0x0000000002198000-memory.dmp

Filesize
1.5MB

Download
memory/4008-52-0x0000000002010000-0x0000000002198000-memory.dmp

Filesize
1.5MB

Download
memory/4008-53-0x0000000002010000-0x0000000002198000-memory.dmp

Filesize
1.5MB

Download
memory/4008-55-0x0000000002010000-0x0000000002198000-memory.dmp

Filesize
1.5MB

Download
memory/4008-56-0x0000000002010000-0x0000000002198000-memory.dmp

Filesize
1.5MB

Download
memory/4008-64-0x000000007FE40000-0x000000007FE50000-memory.dmp

Filesize
64KB

Download
memory/4008-67-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/4008-63-0x0000000002010000-0x0000000002198000-memory.dmp

Filesize
1.5MB

Download
memory/4008-48-0x0000000002010000-0x0000000002198000-memory.dmp

Filesize
1.5MB

Download
memory/4008-34-0x0000000002010000-0x0000000002198000-memory.dmp

Filesize
1.5MB

Download
memory/4008-35-0x0000000002010000-0x0000000002198000-memory.dmp

Filesize
1.5MB

Download
memory/4008-36-0x0000000002010000-0x0000000002198000-memory.dmp

Filesize
1.5MB

Download
memory/4008-37-0x0000000002010000-0x0000000002198000-memory.dmp

Filesize
1.5MB

Download
memory/4008-33-0x0000000002010000-0x0000000002198000-memory.dmp

Filesize
1.5MB

Download
memory/4008-30-0x0000000079BF0000-0x0000000079C0A000-memory.dmp

Filesize
104KB

Download
memory/4008-255-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads