darkcomet | dc3f0f158fe35f749b506e7f1e25a7506eab5a72ca2975cec089657447f6aabb

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19-12-2024 04:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe7970e2544e76469e920ed0b4c46e0f_JaffaCakes118.exe
Size

5.3MB
MD5

fe7970e2544e76469e920ed0b4c46e0f
SHA1

8c7c70fa2b1fe29d4ff2b85189f43c16b8cccb2e
SHA256

dc3f0f158fe35f749b506e7f1e25a7506eab5a72ca2975cec089657447f6aabb
SHA512

0b2bf9e39172642e5c7e62cf14126b8595157140b9087000d1fd78a43ba13cc026154b15e94e566d7ce0bb3166aa08093887f9588daa869cf49d862d6ec8fca1
SSDEEP

98304:/yo366ucUwk7AMbpnuFCxPl/lNU3cJnbhDNvQKyiVLLHkVVvZMa8PB:qGkHoSlNNUy9NoKycszi

Score

10^/10

darkcomet modiloader discovery rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/2848-9-0x0000000000400000-0x0000000000955000-memory.dmp	modiloader_stage2

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	d.exe

Executes dropped EXE 1 IoCs

pid	Process
1608	d.exe

Loads dropped DLL 2 IoCs

pid	Process
2848	fe7970e2544e76469e920ed0b4c46e0f_JaffaCakes118.exe
2848	fe7970e2544e76469e920ed0b4c46e0f_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe7970e2544e76469e920ed0b4c46e0f_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	d.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	d.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2708	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2708	vlc.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1608	d.exe
Token: SeSecurityPrivilege	1608	d.exe
Token: SeTakeOwnershipPrivilege	1608	d.exe
Token: SeLoadDriverPrivilege	1608	d.exe
Token: SeSystemProfilePrivilege	1608	d.exe
Token: SeSystemtimePrivilege	1608	d.exe
Token: SeProfSingleProcessPrivilege	1608	d.exe
Token: SeIncBasePriorityPrivilege	1608	d.exe
Token: SeCreatePagefilePrivilege	1608	d.exe
Token: SeBackupPrivilege	1608	d.exe
Token: SeRestorePrivilege	1608	d.exe
Token: SeShutdownPrivilege	1608	d.exe
Token: SeDebugPrivilege	1608	d.exe
Token: SeSystemEnvironmentPrivilege	1608	d.exe
Token: SeChangeNotifyPrivilege	1608	d.exe
Token: SeRemoteShutdownPrivilege	1608	d.exe
Token: SeUndockPrivilege	1608	d.exe
Token: SeManageVolumePrivilege	1608	d.exe
Token: SeImpersonatePrivilege	1608	d.exe
Token: SeCreateGlobalPrivilege	1608	d.exe
Token: 33	1608	d.exe
Token: 34	1608	d.exe
Token: 35	1608	d.exe
Token: 33	2708	vlc.exe
Token: SeIncBasePriorityPrivilege	2708	vlc.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2708	vlc.exe
2708	vlc.exe
2708	vlc.exe
2708	vlc.exe
2708	vlc.exe
2708	vlc.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2708	vlc.exe
2708	vlc.exe
2708	vlc.exe
2708	vlc.exe
2708	vlc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2708	vlc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 1608	2848	fe7970e2544e76469e920ed0b4c46e0f_JaffaCakes118.exe	30
PID 2848 wrote to memory of 1608	2848	fe7970e2544e76469e920ed0b4c46e0f_JaffaCakes118.exe	30
PID 2848 wrote to memory of 1608	2848	fe7970e2544e76469e920ed0b4c46e0f_JaffaCakes118.exe	30
PID 2848 wrote to memory of 1608	2848	fe7970e2544e76469e920ed0b4c46e0f_JaffaCakes118.exe	30
PID 1608 wrote to memory of 2708	1608	d.exe	31
PID 1608 wrote to memory of 2708	1608	d.exe	31
PID 1608 wrote to memory of 2708	1608	d.exe	31
PID 1608 wrote to memory of 2708	1608	d.exe	31

C:\Users\Admin\AppData\Local\Temp\fe7970e2544e76469e920ed0b4c46e0f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fe7970e2544e76469e920ed0b4c46e0f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Users\Admin\AppData\Local\Temp\d.exe
  "C:\Users\Admin\AppData\Local\Temp\d.exe"
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\YA_SABRK.MP3"
    3⤵
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\YA_SABRK.MP3

Filesize
4.5MB

MD5
1a799ad4f3df77258e43a13d7226b8f7

SHA1
66248960bdd9c4e71c6a2f80ebce31974e87d0b9

SHA256
054ba28149f684238807e90c32c59fb3ba0c38688c1bb99241df2238b12e8b88

SHA512
5ae8b1f6bbf66d9266cfa7da809e8a2f6d971bcd8f1ccea279597fa1b28c9f07ae2a572b7fb7d6105eb51e7a1c3e01be2ceb4af6099eb8e197d52928dd3c733b

Download Submit
\Users\Admin\AppData\Local\Temp\d.exe

Filesize
5.2MB

MD5
abbb51d0411024c3fcb0e5368ae8ce3b

SHA1
31b0877459c62b5702856f180bec9f6257b16d27

SHA256
99ef0b0a9c9e51ab8f52fb88ef6b4aa83135a1c325fbaeaa919ab8f36d3ee0ec

SHA512
1a57221773a0e2bcd2f1ed66348e472588e1c8e7191da855a538e696eb116d6ce6dd1b9d82c7301091ecf9826a0c3ad8cc88ab572af5b838c38757d0bc34c1eb

Download Submit
memory/1608-58-0x0000000000400000-0x0000000000949000-memory.dmp

Filesize
5.3MB

Download
memory/1608-10-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1608-20-0x0000000000400000-0x0000000000949000-memory.dmp

Filesize
5.3MB

Download
memory/2708-42-0x000007FEF7070000-0x000007FEF70A0000-memory.dmp

Filesize
192KB

Download
memory/2708-56-0x000007FEF3270000-0x000007FEF3282000-memory.dmp

Filesize
72KB

Download
memory/2708-30-0x000007FEF7B30000-0x000007FEF7B41000-memory.dmp

Filesize
68KB

Download
memory/2708-29-0x000007FEF7B50000-0x000007FEF7B6D000-memory.dmp

Filesize
116KB

Download
memory/2708-28-0x000007FEF7B70000-0x000007FEF7B81000-memory.dmp

Filesize
68KB

Download
memory/2708-27-0x000007FEF7B90000-0x000007FEF7BA7000-memory.dmp

Filesize
92KB

Download
memory/2708-26-0x000007FEF7BB0000-0x000007FEF7BC1000-memory.dmp

Filesize
68KB

Download
memory/2708-23-0x000007FEF6540000-0x000007FEF67F6000-memory.dmp

Filesize
2.7MB

Download
memory/2708-25-0x000007FEF7BD0000-0x000007FEF7BE7000-memory.dmp

Filesize
92KB

Download
memory/2708-24-0x000007FEFB590000-0x000007FEFB5A8000-memory.dmp

Filesize
96KB

Download
memory/2708-47-0x000007FEF6AA0000-0x000007FEF6AB1000-memory.dmp

Filesize
68KB

Download
memory/2708-46-0x000007FEF6AC0000-0x000007FEF6AD8000-memory.dmp

Filesize
96KB

Download
memory/2708-45-0x000007FEF6AE0000-0x000007FEF6AF1000-memory.dmp

Filesize
68KB

Download
memory/2708-44-0x000007FEF6F80000-0x000007FEF6FFC000-memory.dmp

Filesize
496KB

Download
memory/2708-43-0x000007FEF7000000-0x000007FEF7067000-memory.dmp

Filesize
412KB

Download
memory/2708-22-0x000007FEF7D20000-0x000007FEF7D54000-memory.dmp

Filesize
208KB

Download
memory/2708-51-0x000007FEF51D0000-0x000007FEF51E1000-memory.dmp

Filesize
68KB

Download
memory/2708-50-0x000007FEF6A80000-0x000007FEF6A93000-memory.dmp

Filesize
76KB

Download
memory/2708-49-0x000007FEF51F0000-0x000007FEF521F000-memory.dmp

Filesize
188KB

Download
memory/2708-21-0x000000013FE40000-0x000000013FF38000-memory.dmp

Filesize
992KB

Download
memory/2708-55-0x000007FEF3290000-0x000007FEF32A1000-memory.dmp

Filesize
68KB

Download
memory/2708-54-0x000007FEF3470000-0x000007FEF3498000-memory.dmp

Filesize
160KB

Download
memory/2708-53-0x000007FEF34A0000-0x000007FEF34F7000-memory.dmp

Filesize
348KB

Download
memory/2708-52-0x000007FEF5100000-0x000007FEF51C5000-memory.dmp

Filesize
788KB

Download
memory/2708-57-0x000007FEF2F70000-0x000007FEF30EA000-memory.dmp

Filesize
1.5MB

Download
memory/2708-31-0x000007FEF5490000-0x000007FEF6540000-memory.dmp

Filesize
16.7MB

Download
memory/2708-32-0x000007FEF5280000-0x000007FEF548B000-memory.dmp

Filesize
2.0MB

Download
memory/2708-48-0x000007FEF5220000-0x000007FEF5277000-memory.dmp

Filesize
348KB

Download
memory/2708-41-0x000007FEF70A0000-0x000007FEF70B8000-memory.dmp

Filesize
96KB

Download
memory/2708-40-0x000007FEF70C0000-0x000007FEF70D1000-memory.dmp

Filesize
68KB

Download
memory/2708-39-0x000007FEF70E0000-0x000007FEF70FB000-memory.dmp

Filesize
108KB

Download
memory/2708-38-0x000007FEF7100000-0x000007FEF7111000-memory.dmp

Filesize
68KB

Download
memory/2708-37-0x000007FEF7120000-0x000007FEF7131000-memory.dmp

Filesize
68KB

Download
memory/2708-36-0x000007FEF7570000-0x000007FEF7581000-memory.dmp

Filesize
68KB

Download
memory/2708-35-0x000007FEF7A90000-0x000007FEF7AA8000-memory.dmp

Filesize
96KB

Download
memory/2708-34-0x000007FEF7AB0000-0x000007FEF7AD1000-memory.dmp

Filesize
132KB

Download
memory/2708-33-0x000007FEF7AE0000-0x000007FEF7B21000-memory.dmp

Filesize
260KB

Download
memory/2848-9-0x0000000000400000-0x0000000000955000-memory.dmp

Filesize
5.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads