darkcomet | a950ba583d40737b5e52aa9adda09d5b38d1a2a316a44fc0fc36c12f5e46693b

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01/01/2025, 23:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_615d633b0e7337ef925cd3d5b2de15a1.exe
Size

739KB
MD5

615d633b0e7337ef925cd3d5b2de15a1
SHA1

55dc10ff372c006b8fd7aabbfa6e2d66ba0ca7a1
SHA256

a950ba583d40737b5e52aa9adda09d5b38d1a2a316a44fc0fc36c12f5e46693b
SHA512

49e6bdfc51d6ac0fb62f2b54f0c647c1e127e26e58e393e59056a33306071a4f43a5aaa0ed66fe54f5b0116bbc1a8cfaa925785b1f46677a276a977a7eda1b72
SSDEEP

12288:C9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hF9Vel4Y:uZ1xuVVjfFoynPaVBUR8f+kN10EBXyld

Score

10^/10

darkcomet guest16 discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

lemonxrat.no-ip.org:4782

Mutex

DC_MUTEX-FWDE5J0

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
A8VBRQNxecXD
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe"	JaffaCakes118_615d633b0e7337ef925cd3d5b2de15a1.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	JaffaCakes118_615d633b0e7337ef925cd3d5b2de15a1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	msdcsc.exe

Executes dropped EXE 4 IoCs

pid	Process
3188	MW2 PWNER.EXE
4640	msdcsc.exe
4168	MW2 PWNER.EXE
4796	MW2 PWNER.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe"	JaffaCakes118_615d633b0e7337ef925cd3d5b2de15a1.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4640 set thread context of 4048	4640	msdcsc.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_615d633b0e7337ef925cd3d5b2de15a1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	JaffaCakes118_615d633b0e7337ef925cd3d5b2de15a1.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2364	JaffaCakes118_615d633b0e7337ef925cd3d5b2de15a1.exe
Token: SeSecurityPrivilege	2364	JaffaCakes118_615d633b0e7337ef925cd3d5b2de15a1.exe
Token: SeTakeOwnershipPrivilege	2364	JaffaCakes118_615d633b0e7337ef925cd3d5b2de15a1.exe
Token: SeLoadDriverPrivilege	2364	JaffaCakes118_615d633b0e7337ef925cd3d5b2de15a1.exe
Token: SeSystemProfilePrivilege	2364	JaffaCakes118_615d633b0e7337ef925cd3d5b2de15a1.exe
Token: SeSystemtimePrivilege	2364	JaffaCakes118_615d633b0e7337ef925cd3d5b2de15a1.exe
Token: SeProfSingleProcessPrivilege	2364	JaffaCakes118_615d633b0e7337ef925cd3d5b2de15a1.exe
Token: SeIncBasePriorityPrivilege	2364	JaffaCakes118_615d633b0e7337ef925cd3d5b2de15a1.exe
Token: SeCreatePagefilePrivilege	2364	JaffaCakes118_615d633b0e7337ef925cd3d5b2de15a1.exe
Token: SeBackupPrivilege	2364	JaffaCakes118_615d633b0e7337ef925cd3d5b2de15a1.exe
Token: SeRestorePrivilege	2364	JaffaCakes118_615d633b0e7337ef925cd3d5b2de15a1.exe
Token: SeShutdownPrivilege	2364	JaffaCakes118_615d633b0e7337ef925cd3d5b2de15a1.exe
Token: SeDebugPrivilege	2364	JaffaCakes118_615d633b0e7337ef925cd3d5b2de15a1.exe
Token: SeSystemEnvironmentPrivilege	2364	JaffaCakes118_615d633b0e7337ef925cd3d5b2de15a1.exe
Token: SeChangeNotifyPrivilege	2364	JaffaCakes118_615d633b0e7337ef925cd3d5b2de15a1.exe
Token: SeRemoteShutdownPrivilege	2364	JaffaCakes118_615d633b0e7337ef925cd3d5b2de15a1.exe
Token: SeUndockPrivilege	2364	JaffaCakes118_615d633b0e7337ef925cd3d5b2de15a1.exe
Token: SeManageVolumePrivilege	2364	JaffaCakes118_615d633b0e7337ef925cd3d5b2de15a1.exe
Token: SeImpersonatePrivilege	2364	JaffaCakes118_615d633b0e7337ef925cd3d5b2de15a1.exe
Token: SeCreateGlobalPrivilege	2364	JaffaCakes118_615d633b0e7337ef925cd3d5b2de15a1.exe
Token: 33	2364	JaffaCakes118_615d633b0e7337ef925cd3d5b2de15a1.exe
Token: 34	2364	JaffaCakes118_615d633b0e7337ef925cd3d5b2de15a1.exe
Token: 35	2364	JaffaCakes118_615d633b0e7337ef925cd3d5b2de15a1.exe
Token: 36	2364	JaffaCakes118_615d633b0e7337ef925cd3d5b2de15a1.exe
Token: SeIncreaseQuotaPrivilege	4640	msdcsc.exe
Token: SeSecurityPrivilege	4640	msdcsc.exe
Token: SeTakeOwnershipPrivilege	4640	msdcsc.exe
Token: SeLoadDriverPrivilege	4640	msdcsc.exe
Token: SeSystemProfilePrivilege	4640	msdcsc.exe
Token: SeSystemtimePrivilege	4640	msdcsc.exe
Token: SeProfSingleProcessPrivilege	4640	msdcsc.exe
Token: SeIncBasePriorityPrivilege	4640	msdcsc.exe
Token: SeCreatePagefilePrivilege	4640	msdcsc.exe
Token: SeBackupPrivilege	4640	msdcsc.exe
Token: SeRestorePrivilege	4640	msdcsc.exe
Token: SeShutdownPrivilege	4640	msdcsc.exe
Token: SeDebugPrivilege	4640	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	4640	msdcsc.exe
Token: SeChangeNotifyPrivilege	4640	msdcsc.exe
Token: SeRemoteShutdownPrivilege	4640	msdcsc.exe
Token: SeUndockPrivilege	4640	msdcsc.exe
Token: SeManageVolumePrivilege	4640	msdcsc.exe
Token: SeImpersonatePrivilege	4640	msdcsc.exe
Token: SeCreateGlobalPrivilege	4640	msdcsc.exe
Token: 33	4640	msdcsc.exe
Token: 34	4640	msdcsc.exe
Token: 35	4640	msdcsc.exe
Token: 36	4640	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	4048	iexplore.exe
Token: SeSecurityPrivilege	4048	iexplore.exe
Token: SeTakeOwnershipPrivilege	4048	iexplore.exe
Token: SeLoadDriverPrivilege	4048	iexplore.exe
Token: SeSystemProfilePrivilege	4048	iexplore.exe
Token: SeSystemtimePrivilege	4048	iexplore.exe
Token: SeProfSingleProcessPrivilege	4048	iexplore.exe
Token: SeIncBasePriorityPrivilege	4048	iexplore.exe
Token: SeCreatePagefilePrivilege	4048	iexplore.exe
Token: SeBackupPrivilege	4048	iexplore.exe
Token: SeRestorePrivilege	4048	iexplore.exe
Token: SeShutdownPrivilege	4048	iexplore.exe
Token: SeDebugPrivilege	4048	iexplore.exe
Token: SeSystemEnvironmentPrivilege	4048	iexplore.exe
Token: SeChangeNotifyPrivilege	4048	iexplore.exe
Token: SeRemoteShutdownPrivilege	4048	iexplore.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4048	iexplore.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 3188	2364	JaffaCakes118_615d633b0e7337ef925cd3d5b2de15a1.exe	83
PID 2364 wrote to memory of 3188	2364	JaffaCakes118_615d633b0e7337ef925cd3d5b2de15a1.exe	83
PID 2364 wrote to memory of 4640	2364	JaffaCakes118_615d633b0e7337ef925cd3d5b2de15a1.exe	84
PID 2364 wrote to memory of 4640	2364	JaffaCakes118_615d633b0e7337ef925cd3d5b2de15a1.exe	84
PID 2364 wrote to memory of 4640	2364	JaffaCakes118_615d633b0e7337ef925cd3d5b2de15a1.exe	84
PID 4640 wrote to memory of 4168	4640	msdcsc.exe	85
PID 4640 wrote to memory of 4168	4640	msdcsc.exe	85
PID 4640 wrote to memory of 4048	4640	msdcsc.exe	86
PID 4640 wrote to memory of 4048	4640	msdcsc.exe	86
PID 4640 wrote to memory of 4048	4640	msdcsc.exe	86
PID 4640 wrote to memory of 4048	4640	msdcsc.exe	86
PID 4640 wrote to memory of 4048	4640	msdcsc.exe	86
PID 4048 wrote to memory of 4796	4048	iexplore.exe	87
PID 4048 wrote to memory of 4796	4048	iexplore.exe	87

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_615d633b0e7337ef925cd3d5b2de15a1.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_615d633b0e7337ef925cd3d5b2de15a1.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\MW2 PWNER.EXE
  "C:\Users\Admin\AppData\Local\Temp\MW2 PWNER.EXE"
  2⤵
  - Executes dropped EXE
  PID:3188
- C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
  "C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4640
- - C:\Users\Admin\AppData\Local\Temp\MW2 PWNER.EXE
    "C:\Users\Admin\AppData\Local\Temp\MW2 PWNER.EXE"
    3⤵
    - Executes dropped EXE
    PID:4168
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4048
  - - C:\Users\Admin\AppData\Local\Temp\MW2 PWNER.EXE
      "C:\Users\Admin\AppData\Local\Temp\MW2 PWNER.EXE"
      4⤵
      Executes dropped EXE
      PID:4796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe

Filesize
739KB

MD5
615d633b0e7337ef925cd3d5b2de15a1

SHA1
55dc10ff372c006b8fd7aabbfa6e2d66ba0ca7a1

SHA256
a950ba583d40737b5e52aa9adda09d5b38d1a2a316a44fc0fc36c12f5e46693b

SHA512
49e6bdfc51d6ac0fb62f2b54f0c647c1e127e26e58e393e59056a33306071a4f43a5aaa0ed66fe54f5b0116bbc1a8cfaa925785b1f46677a276a977a7eda1b72

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW2 PWNER.EXE

Filesize
78KB

MD5
b1268f4dce4bfd64278b2c5166ef37da

SHA1
0fbc72144b9895db406ae2b1abc21e6471d96a54

SHA256
23077a8e0a8cc8bde06f079438f265886fd12fed8f65628b0009fe2812ec149b

SHA512
30fb7fe014c6a1c7bedfd01e964a86c01d9c8e419f120051f658febdf5b091aba0f5da407b3dd6ca348f13e21b8ef7734ca80df001657565f0db2bee2f37fd92

Download Submit
memory/2364-0-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/2364-84-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/3188-20-0x0000000001810000-0x0000000001818000-memory.dmp

Filesize
32KB

Download
memory/3188-17-0x000000001C3B0000-0x000000001C87E000-memory.dmp

Filesize
4.8MB

Download
memory/3188-18-0x000000001C960000-0x000000001C9FC000-memory.dmp

Filesize
624KB

Download
memory/3188-19-0x00007FFA20A60000-0x00007FFA21401000-memory.dmp

Filesize
9.6MB

Download
memory/3188-16-0x00007FFA20A60000-0x00007FFA21401000-memory.dmp

Filesize
9.6MB

Download
memory/3188-21-0x000000001CAC0000-0x000000001CB0C000-memory.dmp

Filesize
304KB

Download
memory/3188-15-0x000000001BE30000-0x000000001BED6000-memory.dmp

Filesize
664KB

Download
memory/3188-14-0x00007FFA20D15000-0x00007FFA20D16000-memory.dmp

Filesize
4KB

Download
memory/3188-85-0x00007FFA20D15000-0x00007FFA20D16000-memory.dmp

Filesize
4KB

Download
memory/3188-86-0x00007FFA20A60000-0x00007FFA21401000-memory.dmp

Filesize
9.6MB

Download
memory/4048-81-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/4640-82-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads