darkcomet | f6d6ad10a2237754de27b1c7fe9f211529270a8175e2c867c010f04359856d5a

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2025 07:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4c50e4b915a3285495c9d2d568f395ef.exe
Size

965KB
MD5

4c50e4b915a3285495c9d2d568f395ef
SHA1

b4b226db5d76d2472dc34b185ff99946a9c9647c
SHA256

f6d6ad10a2237754de27b1c7fe9f211529270a8175e2c867c010f04359856d5a
SHA512

87dacf9aa3ab5ee70a14d3eef0f9b84d81cc937f665b542a0242e8c0e8a39b43ab12d5f691e7149aaf56aa1261575b6e961eb5617ffc753557fe05769e44a46c
SSDEEP

24576:UEWFcSkEGsKPK0RTnYxkL0n9x3JKEiwnezd:UDi90n96

Score

10^/10

darkcomet guest16_min discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16_min

84.243.195.246:1604

Mutex

DCMIN_MUTEX-SWTNM8T

Attributes

InstallPath
DCSCMIN\IMDCSC.exe
gencode
wn6iSM1gmue4
install
true
offline_keylogger
true
persistence
false
reg_key
DarkComet RAT

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	test4.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	test4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	JaffaCakes118_4c50e4b915a3285495c9d2d568f395ef.exe

Executes dropped EXE 2 IoCs

pid	Process
2288	test4.exe
4496	IMDCSC.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	test4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4c50e4b915a3285495c9d2d568f395ef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMDCSC.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	4676	JaffaCakes118_4c50e4b915a3285495c9d2d568f395ef.exe
Token: SeIncreaseQuotaPrivilege	2288	test4.exe
Token: SeSecurityPrivilege	2288	test4.exe
Token: SeTakeOwnershipPrivilege	2288	test4.exe
Token: SeLoadDriverPrivilege	2288	test4.exe
Token: SeSystemProfilePrivilege	2288	test4.exe
Token: SeSystemtimePrivilege	2288	test4.exe
Token: SeProfSingleProcessPrivilege	2288	test4.exe
Token: SeIncBasePriorityPrivilege	2288	test4.exe
Token: SeCreatePagefilePrivilege	2288	test4.exe
Token: SeBackupPrivilege	2288	test4.exe
Token: SeRestorePrivilege	2288	test4.exe
Token: SeShutdownPrivilege	2288	test4.exe
Token: SeDebugPrivilege	2288	test4.exe
Token: SeSystemEnvironmentPrivilege	2288	test4.exe
Token: SeChangeNotifyPrivilege	2288	test4.exe
Token: SeRemoteShutdownPrivilege	2288	test4.exe
Token: SeUndockPrivilege	2288	test4.exe
Token: SeManageVolumePrivilege	2288	test4.exe
Token: SeImpersonatePrivilege	2288	test4.exe
Token: SeCreateGlobalPrivilege	2288	test4.exe
Token: 33	2288	test4.exe
Token: 34	2288	test4.exe
Token: 35	2288	test4.exe
Token: 36	2288	test4.exe
Token: SeIncreaseQuotaPrivilege	4496	IMDCSC.exe
Token: SeSecurityPrivilege	4496	IMDCSC.exe
Token: SeTakeOwnershipPrivilege	4496	IMDCSC.exe
Token: SeLoadDriverPrivilege	4496	IMDCSC.exe
Token: SeSystemProfilePrivilege	4496	IMDCSC.exe
Token: SeSystemtimePrivilege	4496	IMDCSC.exe
Token: SeProfSingleProcessPrivilege	4496	IMDCSC.exe
Token: SeIncBasePriorityPrivilege	4496	IMDCSC.exe
Token: SeCreatePagefilePrivilege	4496	IMDCSC.exe
Token: SeBackupPrivilege	4496	IMDCSC.exe
Token: SeRestorePrivilege	4496	IMDCSC.exe
Token: SeShutdownPrivilege	4496	IMDCSC.exe
Token: SeDebugPrivilege	4496	IMDCSC.exe
Token: SeSystemEnvironmentPrivilege	4496	IMDCSC.exe
Token: SeChangeNotifyPrivilege	4496	IMDCSC.exe
Token: SeRemoteShutdownPrivilege	4496	IMDCSC.exe
Token: SeUndockPrivilege	4496	IMDCSC.exe
Token: SeManageVolumePrivilege	4496	IMDCSC.exe
Token: SeImpersonatePrivilege	4496	IMDCSC.exe
Token: SeCreateGlobalPrivilege	4496	IMDCSC.exe
Token: 33	4496	IMDCSC.exe
Token: 34	4496	IMDCSC.exe
Token: 35	4496	IMDCSC.exe
Token: 36	4496	IMDCSC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4496	IMDCSC.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 2288	4676	JaffaCakes118_4c50e4b915a3285495c9d2d568f395ef.exe	82
PID 4676 wrote to memory of 2288	4676	JaffaCakes118_4c50e4b915a3285495c9d2d568f395ef.exe	82
PID 4676 wrote to memory of 2288	4676	JaffaCakes118_4c50e4b915a3285495c9d2d568f395ef.exe	82
PID 2288 wrote to memory of 4496	2288	test4.exe	83
PID 2288 wrote to memory of 4496	2288	test4.exe	83
PID 2288 wrote to memory of 4496	2288	test4.exe	83

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4c50e4b915a3285495c9d2d568f395ef.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4c50e4b915a3285495c9d2d568f395ef.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Users\Admin\AppData\Local\Temp\test4.exe
  "C:\Users\Admin\AppData\Local\Temp\test4.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
    "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\test4.exe

Filesize
658KB

MD5
090d17d11cf43a7a82d0315f7691e913

SHA1
9f6a85d3b417e0fa4dc16d0ffcab8348246e64cd

SHA256
ba15b4f4a0e7423d35746a67fc5d43b72b187bfd42cc66d10ab41cee8cb6ebb7

SHA512
3730daba9d45317847ae6aacfbaa46daf0ad336f768ca08a3d992bc4adfdfd28f0bdae3a9155efc3f0f835554c12dffc17d16acc17de4913210e864b7775d98c

Download Submit
memory/2288-14-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/2288-27-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4496-26-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/4496-30-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4496-32-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4676-0-0x0000000075182000-0x0000000075183000-memory.dmp

Filesize
4KB

Download
memory/4676-1-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/4676-2-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/4676-28-0x0000000075182000-0x0000000075183000-memory.dmp

Filesize
4KB

Download
memory/4676-29-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads