darkcomet | ca8fe5d792569f5e866d1a5b173de5fc9158b4e597e416fab89600abd7ac485c

Analysis

max time kernel
149s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02/01/2025, 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_617c0618203542d377000e452828f790.exe
Size

952KB
MD5

617c0618203542d377000e452828f790
SHA1

79a66972ca16b3b43723e26aaf1701a36668746e
SHA256

ca8fe5d792569f5e866d1a5b173de5fc9158b4e597e416fab89600abd7ac485c
SHA512

eead965c2929d0b52cf823d7d08ce9c16c2ab4bcd579236266f0d2695060c2c4c6c6d310e9b82746436fc04d69c78d70caff0edebd72be272091ad1490857ec1
SSDEEP

12288:byyy7Z3z4I8NXOGjwwG/ZjXsAHHz79p9NM5Tz103j2CF4TxQUOfhVPOSAE//VAci:baCI2OewFJN4mkxyHnnew1SatLRzD

Score

10^/10

darkcomet discovery persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Executes dropped EXE 3 IoCs

pid	Process
3520	micoffice.exe
408	micoffice.exe
3172	micoffice.exe

Loads dropped DLL 7 IoCs

pid	Process
3288	JaffaCakes118_617c0618203542d377000e452828f790.exe
3288	JaffaCakes118_617c0618203542d377000e452828f790.exe
3288	JaffaCakes118_617c0618203542d377000e452828f790.exe
3288	JaffaCakes118_617c0618203542d377000e452828f790.exe
3288	JaffaCakes118_617c0618203542d377000e452828f790.exe
3520	micoffice.exe
3520	micoffice.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\msoffice = "C:\\Users\\Admin\\AppData\\Roaming\\MicrosoftOffice\\micoffice.exe"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2788 set thread context of 3288	2788	JaffaCakes118_617c0618203542d377000e452828f790.exe	30
PID 3520 set thread context of 408	3520	micoffice.exe	35
PID 3520 set thread context of 3172	3520	micoffice.exe	36

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3288-432-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/3288-445-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/3288-443-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/3288-437-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/3288-430-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/3288-1036-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/408-1043-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_617c0618203542d377000e452828f790.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_617c0618203542d377000e452828f790.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	micoffice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	micoffice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	micoffice.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3172	micoffice.exe
Token: SeSecurityPrivilege	3172	micoffice.exe
Token: SeTakeOwnershipPrivilege	3172	micoffice.exe
Token: SeLoadDriverPrivilege	3172	micoffice.exe
Token: SeSystemProfilePrivilege	3172	micoffice.exe
Token: SeSystemtimePrivilege	3172	micoffice.exe
Token: SeProfSingleProcessPrivilege	3172	micoffice.exe
Token: SeIncBasePriorityPrivilege	3172	micoffice.exe
Token: SeCreatePagefilePrivilege	3172	micoffice.exe
Token: SeBackupPrivilege	3172	micoffice.exe
Token: SeRestorePrivilege	3172	micoffice.exe
Token: SeShutdownPrivilege	3172	micoffice.exe
Token: SeDebugPrivilege	3172	micoffice.exe
Token: SeSystemEnvironmentPrivilege	3172	micoffice.exe
Token: SeChangeNotifyPrivilege	3172	micoffice.exe
Token: SeRemoteShutdownPrivilege	3172	micoffice.exe
Token: SeUndockPrivilege	3172	micoffice.exe
Token: SeManageVolumePrivilege	3172	micoffice.exe
Token: SeImpersonatePrivilege	3172	micoffice.exe
Token: SeCreateGlobalPrivilege	3172	micoffice.exe
Token: 33	3172	micoffice.exe
Token: 34	3172	micoffice.exe
Token: 35	3172	micoffice.exe
Token: SeDebugPrivilege	408	micoffice.exe
Token: SeDebugPrivilege	408	micoffice.exe
Token: SeDebugPrivilege	408	micoffice.exe
Token: SeDebugPrivilege	408	micoffice.exe
Token: SeDebugPrivilege	408	micoffice.exe
Token: SeDebugPrivilege	408	micoffice.exe
Token: SeDebugPrivilege	408	micoffice.exe
Token: SeDebugPrivilege	408	micoffice.exe
Token: SeDebugPrivilege	408	micoffice.exe
Token: SeDebugPrivilege	408	micoffice.exe
Token: SeDebugPrivilege	408	micoffice.exe
Token: SeDebugPrivilege	408	micoffice.exe
Token: SeDebugPrivilege	408	micoffice.exe
Token: SeDebugPrivilege	408	micoffice.exe
Token: SeDebugPrivilege	408	micoffice.exe
Token: SeDebugPrivilege	408	micoffice.exe
Token: SeDebugPrivilege	408	micoffice.exe
Token: SeDebugPrivilege	408	micoffice.exe
Token: SeDebugPrivilege	408	micoffice.exe
Token: SeDebugPrivilege	408	micoffice.exe
Token: SeDebugPrivilege	408	micoffice.exe
Token: SeDebugPrivilege	408	micoffice.exe
Token: SeDebugPrivilege	408	micoffice.exe
Token: SeDebugPrivilege	408	micoffice.exe
Token: SeDebugPrivilege	408	micoffice.exe
Token: SeDebugPrivilege	408	micoffice.exe
Token: SeDebugPrivilege	408	micoffice.exe
Token: SeDebugPrivilege	408	micoffice.exe
Token: SeDebugPrivilege	408	micoffice.exe
Token: SeDebugPrivilege	408	micoffice.exe
Token: SeDebugPrivilege	408	micoffice.exe
Token: SeDebugPrivilege	408	micoffice.exe
Token: SeDebugPrivilege	408	micoffice.exe
Token: SeDebugPrivilege	408	micoffice.exe
Token: SeDebugPrivilege	408	micoffice.exe
Token: SeDebugPrivilege	408	micoffice.exe
Token: SeDebugPrivilege	408	micoffice.exe
Token: SeDebugPrivilege	408	micoffice.exe
Token: SeDebugPrivilege	408	micoffice.exe
Token: SeDebugPrivilege	408	micoffice.exe
Token: SeDebugPrivilege	408	micoffice.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2788	JaffaCakes118_617c0618203542d377000e452828f790.exe
3288	JaffaCakes118_617c0618203542d377000e452828f790.exe
3520	micoffice.exe
408	micoffice.exe
3172	micoffice.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 3288	2788	JaffaCakes118_617c0618203542d377000e452828f790.exe	30
PID 2788 wrote to memory of 3288	2788	JaffaCakes118_617c0618203542d377000e452828f790.exe	30
PID 2788 wrote to memory of 3288	2788	JaffaCakes118_617c0618203542d377000e452828f790.exe	30
PID 2788 wrote to memory of 3288	2788	JaffaCakes118_617c0618203542d377000e452828f790.exe	30
PID 2788 wrote to memory of 3288	2788	JaffaCakes118_617c0618203542d377000e452828f790.exe	30
PID 2788 wrote to memory of 3288	2788	JaffaCakes118_617c0618203542d377000e452828f790.exe	30
PID 2788 wrote to memory of 3288	2788	JaffaCakes118_617c0618203542d377000e452828f790.exe	30
PID 2788 wrote to memory of 3288	2788	JaffaCakes118_617c0618203542d377000e452828f790.exe	30
PID 3288 wrote to memory of 3444	3288	JaffaCakes118_617c0618203542d377000e452828f790.exe	31
PID 3288 wrote to memory of 3444	3288	JaffaCakes118_617c0618203542d377000e452828f790.exe	31
PID 3288 wrote to memory of 3444	3288	JaffaCakes118_617c0618203542d377000e452828f790.exe	31
PID 3288 wrote to memory of 3444	3288	JaffaCakes118_617c0618203542d377000e452828f790.exe	31
PID 3444 wrote to memory of 3496	3444	cmd.exe	33
PID 3444 wrote to memory of 3496	3444	cmd.exe	33
PID 3444 wrote to memory of 3496	3444	cmd.exe	33
PID 3444 wrote to memory of 3496	3444	cmd.exe	33
PID 3288 wrote to memory of 3520	3288	JaffaCakes118_617c0618203542d377000e452828f790.exe	34
PID 3288 wrote to memory of 3520	3288	JaffaCakes118_617c0618203542d377000e452828f790.exe	34
PID 3288 wrote to memory of 3520	3288	JaffaCakes118_617c0618203542d377000e452828f790.exe	34
PID 3288 wrote to memory of 3520	3288	JaffaCakes118_617c0618203542d377000e452828f790.exe	34
PID 3520 wrote to memory of 408	3520	micoffice.exe	35
PID 3520 wrote to memory of 408	3520	micoffice.exe	35
PID 3520 wrote to memory of 408	3520	micoffice.exe	35
PID 3520 wrote to memory of 408	3520	micoffice.exe	35
PID 3520 wrote to memory of 408	3520	micoffice.exe	35
PID 3520 wrote to memory of 408	3520	micoffice.exe	35
PID 3520 wrote to memory of 408	3520	micoffice.exe	35
PID 3520 wrote to memory of 408	3520	micoffice.exe	35
PID 3520 wrote to memory of 3172	3520	micoffice.exe	36
PID 3520 wrote to memory of 3172	3520	micoffice.exe	36
PID 3520 wrote to memory of 3172	3520	micoffice.exe	36
PID 3520 wrote to memory of 3172	3520	micoffice.exe	36
PID 3520 wrote to memory of 3172	3520	micoffice.exe	36
PID 3520 wrote to memory of 3172	3520	micoffice.exe	36
PID 3520 wrote to memory of 3172	3520	micoffice.exe	36
PID 3520 wrote to memory of 3172	3520	micoffice.exe	36
PID 3520 wrote to memory of 3172	3520	micoffice.exe	36
PID 3520 wrote to memory of 3172	3520	micoffice.exe	36
PID 3520 wrote to memory of 3172	3520	micoffice.exe	36
PID 3520 wrote to memory of 3172	3520	micoffice.exe	36
PID 3520 wrote to memory of 3172	3520	micoffice.exe	36

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_617c0618203542d377000e452828f790.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_617c0618203542d377000e452828f790.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_617c0618203542d377000e452828f790.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_617c0618203542d377000e452828f790.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3288
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\TCOSP.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3444
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "msoffice" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\MicrosoftOffice\micoffice.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:3496
- - C:\Users\Admin\AppData\Roaming\MicrosoftOffice\micoffice.exe
    "C:\Users\Admin\AppData\Roaming\MicrosoftOffice\micoffice.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3520
  - - C:\Users\Admin\AppData\Roaming\MicrosoftOffice\micoffice.exe
      "C:\Users\Admin\AppData\Roaming\MicrosoftOffice\micoffice.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:408
  - - C:\Users\Admin\AppData\Roaming\MicrosoftOffice\micoffice.exe
      "C:\Users\Admin\AppData\Roaming\MicrosoftOffice\micoffice.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCOSP.bat

Filesize
155B

MD5
f07b93136766adced3c6f0d74d869da0

SHA1
787c530f33687d758b41295e01d7a9a1bba3a467

SHA256
cd603067047c028fe12d4b099d13b3681dd698d25bc32474184e9d8edd3ed701

SHA512
050105a5f14939a37f653421b24959cc90cb082b20df5bb1a81335fd0ad5e70c740b43f1d6df0fc7324551425894668acc3af0c533c7d90ff149d84e844c2d10

Download Submit
\Users\Admin\AppData\Roaming\MicrosoftOffice\micoffice.exe

Filesize
952KB

MD5
f7de25ea2e0533ff495e626e2f252ba9

SHA1
21a8bc4ef453f0b97a941ea17a59d506e9d722dd

SHA256
3f6382d7ecfc5d9ed87ce4c8b02846f1aaa75c5971944f72fa1aeceb5ed6166e

SHA512
8d90443097efaa19af0476e7f8417d5ca511cb115ec662e972497a2a0d8d7d65751e0abf3a0bd5ddee82c16bf829aa58b4f63b2afaced0a22869875c64e4ba33

Download Submit
memory/408-1043-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2788-18-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2788-12-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/2788-72-0x0000000003060000-0x0000000003061000-memory.dmp

Filesize
4KB

Download
memory/2788-62-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2788-52-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/2788-44-0x0000000002800000-0x0000000002801000-memory.dmp

Filesize
4KB

Download
memory/2788-36-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2788-34-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2788-32-0x0000000002C90000-0x0000000002C91000-memory.dmp

Filesize
4KB

Download
memory/2788-30-0x0000000002C90000-0x0000000002C91000-memory.dmp

Filesize
4KB

Download
memory/2788-28-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2788-26-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2788-24-0x0000000002CC0000-0x0000000002CC1000-memory.dmp

Filesize
4KB

Download
memory/2788-22-0x0000000002CC0000-0x0000000002CC1000-memory.dmp

Filesize
4KB

Download
memory/2788-20-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2788-112-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2788-80-0x0000000002C50000-0x0000000002C51000-memory.dmp

Filesize
4KB

Download
memory/2788-14-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/2788-8-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/2788-6-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/2788-4-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/2788-2-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/2788-104-0x0000000002E40000-0x0000000002E41000-memory.dmp

Filesize
4KB

Download
memory/2788-90-0x0000000002E60000-0x0000000002E61000-memory.dmp

Filesize
4KB

Download
memory/2788-438-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2788-434-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2788-435-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/3288-436-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3288-430-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3288-428-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3288-437-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3288-443-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3288-445-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3288-1036-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3288-432-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads