darkcomet | 9018cde236258a5fa5b4be5a8a56d483a403b9324c779f98a9fb3898bc6ea1f8

Analysis

max time kernel
46s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02/01/2025, 04:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_62b5b1e2ce552524d16787ac662426c7.exe
Size

326KB
MD5

62b5b1e2ce552524d16787ac662426c7
SHA1

7ca9e8938473837bd293e64d5c0980eb34a552c9
SHA256

9018cde236258a5fa5b4be5a8a56d483a403b9324c779f98a9fb3898bc6ea1f8
SHA512

a50f6e283f969315ba8ccf538ddf15583e09c7a25f09ecb40da631db36fc47fa3de6906c4713903013962766354b103a9ec9afdac53aa010ddc1d04aa1b69221
SSDEEP

6144:SDVak0cSWDokL405WHaIEEGb6UqCDeCV88zqLhTfKXroSFK:S5xoz0RIje6UqU8D9TfKboSFK

Score

10^/10

darkcomet discovery persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Executes dropped EXE 3 IoCs

pid	Process
1632	flashp.exe
2904	flashp.exe
2104	flashp.exe

Loads dropped DLL 15 IoCs

pid	Process
2744	JaffaCakes118_62b5b1e2ce552524d16787ac662426c7.exe
2744	JaffaCakes118_62b5b1e2ce552524d16787ac662426c7.exe
2744	JaffaCakes118_62b5b1e2ce552524d16787ac662426c7.exe
2744	JaffaCakes118_62b5b1e2ce552524d16787ac662426c7.exe
1632	flashp.exe
1632	flashp.exe
1632	flashp.exe
1632	flashp.exe
1632	flashp.exe
2904	flashp.exe
2904	flashp.exe
2904	flashp.exe
2104	flashp.exe
2104	flashp.exe
2104	flashp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\ds = "C:\\Users\\Admin\\AppData\\Roaming\\fs\\flashp.exe"	reg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1632 set thread context of 2104	1632	flashp.exe	35
PID 1632 set thread context of 2904	1632	flashp.exe	36

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2744-0-0x0000000000400000-0x0000000000578000-memory.dmp	upx
behavioral1/files/0x0008000000015d07-34.dat	upx
behavioral1/memory/2744-40-0x0000000000400000-0x0000000000578000-memory.dmp	upx
behavioral1/memory/1632-42-0x0000000000400000-0x0000000000578000-memory.dmp	upx
behavioral1/memory/2104-80-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2104-54-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2104-52-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/1632-78-0x0000000000400000-0x0000000000578000-memory.dmp	upx
behavioral1/memory/2104-87-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2104-88-0x0000000000A60000-0x0000000000BD8000-memory.dmp	upx
behavioral1/memory/2104-90-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2104-83-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2104-49-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2104-92-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2104-91-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2104-94-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2104-96-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2104-98-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2104-100-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2104-102-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2104-104-0x0000000000400000-0x00000000004B8000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_62b5b1e2ce552524d16787ac662426c7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	flashp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	flashp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	flashp.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2904	flashp.exe
Token: SeIncreaseQuotaPrivilege	2104	flashp.exe
Token: SeSecurityPrivilege	2104	flashp.exe
Token: SeTakeOwnershipPrivilege	2104	flashp.exe
Token: SeLoadDriverPrivilege	2104	flashp.exe
Token: SeSystemProfilePrivilege	2104	flashp.exe
Token: SeSystemtimePrivilege	2104	flashp.exe
Token: SeProfSingleProcessPrivilege	2104	flashp.exe
Token: SeIncBasePriorityPrivilege	2104	flashp.exe
Token: SeCreatePagefilePrivilege	2104	flashp.exe
Token: SeBackupPrivilege	2104	flashp.exe
Token: SeRestorePrivilege	2104	flashp.exe
Token: SeShutdownPrivilege	2104	flashp.exe
Token: SeDebugPrivilege	2104	flashp.exe
Token: SeSystemEnvironmentPrivilege	2104	flashp.exe
Token: SeChangeNotifyPrivilege	2104	flashp.exe
Token: SeRemoteShutdownPrivilege	2104	flashp.exe
Token: SeUndockPrivilege	2104	flashp.exe
Token: SeManageVolumePrivilege	2104	flashp.exe
Token: SeImpersonatePrivilege	2104	flashp.exe
Token: SeCreateGlobalPrivilege	2104	flashp.exe
Token: 33	2104	flashp.exe
Token: 34	2104	flashp.exe
Token: 35	2104	flashp.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2744	JaffaCakes118_62b5b1e2ce552524d16787ac662426c7.exe
1632	flashp.exe
2904	flashp.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 2820	2744	JaffaCakes118_62b5b1e2ce552524d16787ac662426c7.exe	31
PID 2744 wrote to memory of 2820	2744	JaffaCakes118_62b5b1e2ce552524d16787ac662426c7.exe	31
PID 2744 wrote to memory of 2820	2744	JaffaCakes118_62b5b1e2ce552524d16787ac662426c7.exe	31
PID 2744 wrote to memory of 2820	2744	JaffaCakes118_62b5b1e2ce552524d16787ac662426c7.exe	31
PID 2744 wrote to memory of 2820	2744	JaffaCakes118_62b5b1e2ce552524d16787ac662426c7.exe	31
PID 2744 wrote to memory of 2820	2744	JaffaCakes118_62b5b1e2ce552524d16787ac662426c7.exe	31
PID 2744 wrote to memory of 2820	2744	JaffaCakes118_62b5b1e2ce552524d16787ac662426c7.exe	31
PID 2820 wrote to memory of 2976	2820	cmd.exe	33
PID 2820 wrote to memory of 2976	2820	cmd.exe	33
PID 2820 wrote to memory of 2976	2820	cmd.exe	33
PID 2820 wrote to memory of 2976	2820	cmd.exe	33
PID 2820 wrote to memory of 2976	2820	cmd.exe	33
PID 2820 wrote to memory of 2976	2820	cmd.exe	33
PID 2820 wrote to memory of 2976	2820	cmd.exe	33
PID 2744 wrote to memory of 1632	2744	JaffaCakes118_62b5b1e2ce552524d16787ac662426c7.exe	34
PID 2744 wrote to memory of 1632	2744	JaffaCakes118_62b5b1e2ce552524d16787ac662426c7.exe	34
PID 2744 wrote to memory of 1632	2744	JaffaCakes118_62b5b1e2ce552524d16787ac662426c7.exe	34
PID 2744 wrote to memory of 1632	2744	JaffaCakes118_62b5b1e2ce552524d16787ac662426c7.exe	34
PID 2744 wrote to memory of 1632	2744	JaffaCakes118_62b5b1e2ce552524d16787ac662426c7.exe	34
PID 2744 wrote to memory of 1632	2744	JaffaCakes118_62b5b1e2ce552524d16787ac662426c7.exe	34
PID 2744 wrote to memory of 1632	2744	JaffaCakes118_62b5b1e2ce552524d16787ac662426c7.exe	34
PID 1632 wrote to memory of 2104	1632	flashp.exe	35
PID 1632 wrote to memory of 2104	1632	flashp.exe	35
PID 1632 wrote to memory of 2104	1632	flashp.exe	35
PID 1632 wrote to memory of 2104	1632	flashp.exe	35
PID 1632 wrote to memory of 2104	1632	flashp.exe	35
PID 1632 wrote to memory of 2104	1632	flashp.exe	35
PID 1632 wrote to memory of 2104	1632	flashp.exe	35
PID 1632 wrote to memory of 2104	1632	flashp.exe	35
PID 1632 wrote to memory of 2104	1632	flashp.exe	35
PID 1632 wrote to memory of 2104	1632	flashp.exe	35
PID 1632 wrote to memory of 2104	1632	flashp.exe	35
PID 1632 wrote to memory of 2904	1632	flashp.exe	36
PID 1632 wrote to memory of 2904	1632	flashp.exe	36
PID 1632 wrote to memory of 2904	1632	flashp.exe	36
PID 1632 wrote to memory of 2904	1632	flashp.exe	36
PID 1632 wrote to memory of 2904	1632	flashp.exe	36
PID 1632 wrote to memory of 2904	1632	flashp.exe	36
PID 1632 wrote to memory of 2904	1632	flashp.exe	36
PID 1632 wrote to memory of 2904	1632	flashp.exe	36
PID 1632 wrote to memory of 2904	1632	flashp.exe	36
PID 1632 wrote to memory of 2904	1632	flashp.exe	36
PID 1632 wrote to memory of 2904	1632	flashp.exe	36

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_62b5b1e2ce552524d16787ac662426c7.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_62b5b1e2ce552524d16787ac662426c7.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\259451721.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ds" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\fs\flashp.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2976
- C:\Users\Admin\AppData\Roaming\fs\flashp.exe
  "C:\Users\Admin\AppData\Roaming\fs\flashp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Users\Admin\AppData\Roaming\fs\flashp.exe
    C:\Users\Admin\AppData\Roaming\fs\flashp.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2104
- - C:\Users\Admin\AppData\Roaming\fs\flashp.exe
    C:\Users\Admin\AppData\Roaming\fs\flashp.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259451721.bat

Filesize
131B

MD5
84912171051fbf66f6ed7554cbbb3ee9

SHA1
2aa96b932c6c2cfa6bc258b7b8f6f03a1385684a

SHA256
044ed6fcfbde2d33eb821338bafb5cbbf7b1e7c07059165d314dcaff8c0a5a78

SHA512
1219b17147a6c67a1d4892751a6a537415873c197b4e427341db08cf59a8d7447251eb8a35a8c6873267910c329d7e8ee2cd30a49ecd642819a2a297bb93ab6c

Download Submit
C:\Users\Admin\AppData\Roaming\fs\flashp.exe

Filesize
326KB

MD5
62b5b1e2ce552524d16787ac662426c7

SHA1
7ca9e8938473837bd293e64d5c0980eb34a552c9

SHA256
9018cde236258a5fa5b4be5a8a56d483a403b9324c779f98a9fb3898bc6ea1f8

SHA512
a50f6e283f969315ba8ccf538ddf15583e09c7a25f09ecb40da631db36fc47fa3de6906c4713903013962766354b103a9ec9afdac53aa010ddc1d04aa1b69221

Download Submit
memory/1632-38-0x0000000000C70000-0x0000000000DE8000-memory.dmp

Filesize
1.5MB

Download
memory/1632-72-0x0000000003970000-0x0000000003AE8000-memory.dmp

Filesize
1.5MB

Download
memory/1632-78-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/1632-43-0x0000000000C70000-0x0000000000DE8000-memory.dmp

Filesize
1.5MB

Download
memory/1632-42-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/1632-41-0x0000000000C70000-0x0000000000DE8000-memory.dmp

Filesize
1.5MB

Download
memory/2104-90-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2104-80-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2104-54-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2104-52-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2104-104-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2104-102-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2104-100-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2104-98-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2104-96-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2104-49-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2104-95-0x0000000000A60000-0x0000000000BD8000-memory.dmp

Filesize
1.5MB

Download
memory/2104-87-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2104-89-0x0000000000A60000-0x0000000000BD8000-memory.dmp

Filesize
1.5MB

Download
memory/2104-88-0x0000000000A60000-0x0000000000BD8000-memory.dmp

Filesize
1.5MB

Download
memory/2104-94-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2104-83-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2104-91-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2104-92-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2104-47-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2744-1-0x0000000000230000-0x00000000003A8000-memory.dmp

Filesize
1.5MB

Download
memory/2744-0-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/2744-40-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/2904-63-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2904-70-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2904-60-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2904-65-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2904-69-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2904-93-0x0000000000A10000-0x0000000000B88000-memory.dmp

Filesize
1.5MB

Download
memory/2904-56-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2904-62-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2904-97-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2904-73-0x0000000000A10000-0x0000000000B88000-memory.dmp

Filesize
1.5MB

Download
memory/2904-74-0x0000000000A10000-0x0000000000B88000-memory.dmp

Filesize
1.5MB

Download
memory/2904-75-0x0000000000A10000-0x0000000000B88000-memory.dmp

Filesize
1.5MB

Download
memory/2904-76-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2904-58-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads