darkcomet | 44cc68e03116de75d0c38f690ed6f09513d007422b938025f9933ad2b0239409

Analysis

max time kernel
149s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02/01/2025, 06:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_63512ecc60dd21d0333b2dc7003f48a0.exe
Size

952KB
MD5

63512ecc60dd21d0333b2dc7003f48a0
SHA1

636af8d4b6b9f19270d33a9bd611c19d153f1a17
SHA256

44cc68e03116de75d0c38f690ed6f09513d007422b938025f9933ad2b0239409
SHA512

bf79d24731c864cda3b756c66c5c4a14aa4601bd2130fbd521ea655e7b398d47337f24b3ad5fb3aa7e550cabc7e1557c5ba4a487a72d3d11c86ae16f3d13c520
SSDEEP

12288:byyy7Z3z4I8NXOGjwwG/ZjXsAHHz79p9NM5Tz103j2CF4TxQUOfhVPOSAE//VAci:baCI2OewFJN4mkxyHnnew1SatLRzD

Score

10^/10

darkcomet discovery persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Executes dropped EXE 3 IoCs

pid	Process
3540	micoffice.exe
2956	micoffice.exe
3296	micoffice.exe

Loads dropped DLL 7 IoCs

pid	Process
3308	JaffaCakes118_63512ecc60dd21d0333b2dc7003f48a0.exe
3308	JaffaCakes118_63512ecc60dd21d0333b2dc7003f48a0.exe
3308	JaffaCakes118_63512ecc60dd21d0333b2dc7003f48a0.exe
3308	JaffaCakes118_63512ecc60dd21d0333b2dc7003f48a0.exe
3308	JaffaCakes118_63512ecc60dd21d0333b2dc7003f48a0.exe
3540	micoffice.exe
3540	micoffice.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\msoffice = "C:\\Users\\Admin\\AppData\\Roaming\\MicrosoftOffice\\micoffice.exe"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3012 set thread context of 3308	3012	JaffaCakes118_63512ecc60dd21d0333b2dc7003f48a0.exe	30
PID 3540 set thread context of 2956	3540	micoffice.exe	35
PID 3540 set thread context of 3296	3540	micoffice.exe	36

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3308-443-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2956-1014-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/3308-1036-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2956-1043-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_63512ecc60dd21d0333b2dc7003f48a0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	micoffice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	micoffice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	micoffice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_63512ecc60dd21d0333b2dc7003f48a0.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3296	micoffice.exe
Token: SeSecurityPrivilege	3296	micoffice.exe
Token: SeTakeOwnershipPrivilege	3296	micoffice.exe
Token: SeLoadDriverPrivilege	3296	micoffice.exe
Token: SeSystemProfilePrivilege	3296	micoffice.exe
Token: SeSystemtimePrivilege	3296	micoffice.exe
Token: SeProfSingleProcessPrivilege	3296	micoffice.exe
Token: SeIncBasePriorityPrivilege	3296	micoffice.exe
Token: SeCreatePagefilePrivilege	3296	micoffice.exe
Token: SeBackupPrivilege	3296	micoffice.exe
Token: SeRestorePrivilege	3296	micoffice.exe
Token: SeShutdownPrivilege	3296	micoffice.exe
Token: SeDebugPrivilege	3296	micoffice.exe
Token: SeSystemEnvironmentPrivilege	3296	micoffice.exe
Token: SeChangeNotifyPrivilege	3296	micoffice.exe
Token: SeRemoteShutdownPrivilege	3296	micoffice.exe
Token: SeUndockPrivilege	3296	micoffice.exe
Token: SeManageVolumePrivilege	3296	micoffice.exe
Token: SeImpersonatePrivilege	3296	micoffice.exe
Token: SeCreateGlobalPrivilege	3296	micoffice.exe
Token: 33	3296	micoffice.exe
Token: 34	3296	micoffice.exe
Token: 35	3296	micoffice.exe
Token: SeDebugPrivilege	2956	micoffice.exe
Token: SeDebugPrivilege	2956	micoffice.exe
Token: SeDebugPrivilege	2956	micoffice.exe
Token: SeDebugPrivilege	2956	micoffice.exe
Token: SeDebugPrivilege	2956	micoffice.exe
Token: SeDebugPrivilege	2956	micoffice.exe
Token: SeDebugPrivilege	2956	micoffice.exe
Token: SeDebugPrivilege	2956	micoffice.exe
Token: SeDebugPrivilege	2956	micoffice.exe
Token: SeDebugPrivilege	2956	micoffice.exe
Token: SeDebugPrivilege	2956	micoffice.exe
Token: SeDebugPrivilege	2956	micoffice.exe
Token: SeDebugPrivilege	2956	micoffice.exe
Token: SeDebugPrivilege	2956	micoffice.exe
Token: SeDebugPrivilege	2956	micoffice.exe
Token: SeDebugPrivilege	2956	micoffice.exe
Token: SeDebugPrivilege	2956	micoffice.exe
Token: SeDebugPrivilege	2956	micoffice.exe
Token: SeDebugPrivilege	2956	micoffice.exe
Token: SeDebugPrivilege	2956	micoffice.exe
Token: SeDebugPrivilege	2956	micoffice.exe
Token: SeDebugPrivilege	2956	micoffice.exe
Token: SeDebugPrivilege	2956	micoffice.exe
Token: SeDebugPrivilege	2956	micoffice.exe
Token: SeDebugPrivilege	2956	micoffice.exe
Token: SeDebugPrivilege	2956	micoffice.exe
Token: SeDebugPrivilege	2956	micoffice.exe
Token: SeDebugPrivilege	2956	micoffice.exe
Token: SeDebugPrivilege	2956	micoffice.exe
Token: SeDebugPrivilege	2956	micoffice.exe
Token: SeDebugPrivilege	2956	micoffice.exe
Token: SeDebugPrivilege	2956	micoffice.exe
Token: SeDebugPrivilege	2956	micoffice.exe
Token: SeDebugPrivilege	2956	micoffice.exe
Token: SeDebugPrivilege	2956	micoffice.exe
Token: SeDebugPrivilege	2956	micoffice.exe
Token: SeDebugPrivilege	2956	micoffice.exe
Token: SeDebugPrivilege	2956	micoffice.exe
Token: SeDebugPrivilege	2956	micoffice.exe
Token: SeDebugPrivilege	2956	micoffice.exe
Token: SeDebugPrivilege	2956	micoffice.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3012	JaffaCakes118_63512ecc60dd21d0333b2dc7003f48a0.exe
3308	JaffaCakes118_63512ecc60dd21d0333b2dc7003f48a0.exe
3540	micoffice.exe
2956	micoffice.exe
3296	micoffice.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 3308	3012	JaffaCakes118_63512ecc60dd21d0333b2dc7003f48a0.exe	30
PID 3012 wrote to memory of 3308	3012	JaffaCakes118_63512ecc60dd21d0333b2dc7003f48a0.exe	30
PID 3012 wrote to memory of 3308	3012	JaffaCakes118_63512ecc60dd21d0333b2dc7003f48a0.exe	30
PID 3012 wrote to memory of 3308	3012	JaffaCakes118_63512ecc60dd21d0333b2dc7003f48a0.exe	30
PID 3012 wrote to memory of 3308	3012	JaffaCakes118_63512ecc60dd21d0333b2dc7003f48a0.exe	30
PID 3012 wrote to memory of 3308	3012	JaffaCakes118_63512ecc60dd21d0333b2dc7003f48a0.exe	30
PID 3012 wrote to memory of 3308	3012	JaffaCakes118_63512ecc60dd21d0333b2dc7003f48a0.exe	30
PID 3012 wrote to memory of 3308	3012	JaffaCakes118_63512ecc60dd21d0333b2dc7003f48a0.exe	30
PID 3308 wrote to memory of 3464	3308	JaffaCakes118_63512ecc60dd21d0333b2dc7003f48a0.exe	31
PID 3308 wrote to memory of 3464	3308	JaffaCakes118_63512ecc60dd21d0333b2dc7003f48a0.exe	31
PID 3308 wrote to memory of 3464	3308	JaffaCakes118_63512ecc60dd21d0333b2dc7003f48a0.exe	31
PID 3308 wrote to memory of 3464	3308	JaffaCakes118_63512ecc60dd21d0333b2dc7003f48a0.exe	31
PID 3464 wrote to memory of 3516	3464	cmd.exe	33
PID 3464 wrote to memory of 3516	3464	cmd.exe	33
PID 3464 wrote to memory of 3516	3464	cmd.exe	33
PID 3464 wrote to memory of 3516	3464	cmd.exe	33
PID 3308 wrote to memory of 3540	3308	JaffaCakes118_63512ecc60dd21d0333b2dc7003f48a0.exe	34
PID 3308 wrote to memory of 3540	3308	JaffaCakes118_63512ecc60dd21d0333b2dc7003f48a0.exe	34
PID 3308 wrote to memory of 3540	3308	JaffaCakes118_63512ecc60dd21d0333b2dc7003f48a0.exe	34
PID 3308 wrote to memory of 3540	3308	JaffaCakes118_63512ecc60dd21d0333b2dc7003f48a0.exe	34
PID 3540 wrote to memory of 2956	3540	micoffice.exe	35
PID 3540 wrote to memory of 2956	3540	micoffice.exe	35
PID 3540 wrote to memory of 2956	3540	micoffice.exe	35
PID 3540 wrote to memory of 2956	3540	micoffice.exe	35
PID 3540 wrote to memory of 2956	3540	micoffice.exe	35
PID 3540 wrote to memory of 2956	3540	micoffice.exe	35
PID 3540 wrote to memory of 2956	3540	micoffice.exe	35
PID 3540 wrote to memory of 2956	3540	micoffice.exe	35
PID 3540 wrote to memory of 3296	3540	micoffice.exe	36
PID 3540 wrote to memory of 3296	3540	micoffice.exe	36
PID 3540 wrote to memory of 3296	3540	micoffice.exe	36
PID 3540 wrote to memory of 3296	3540	micoffice.exe	36
PID 3540 wrote to memory of 3296	3540	micoffice.exe	36
PID 3540 wrote to memory of 3296	3540	micoffice.exe	36
PID 3540 wrote to memory of 3296	3540	micoffice.exe	36
PID 3540 wrote to memory of 3296	3540	micoffice.exe	36
PID 3540 wrote to memory of 3296	3540	micoffice.exe	36
PID 3540 wrote to memory of 3296	3540	micoffice.exe	36
PID 3540 wrote to memory of 3296	3540	micoffice.exe	36
PID 3540 wrote to memory of 3296	3540	micoffice.exe	36
PID 3540 wrote to memory of 3296	3540	micoffice.exe	36

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63512ecc60dd21d0333b2dc7003f48a0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63512ecc60dd21d0333b2dc7003f48a0.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63512ecc60dd21d0333b2dc7003f48a0.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63512ecc60dd21d0333b2dc7003f48a0.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3308
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\SDBGY.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3464
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "msoffice" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\MicrosoftOffice\micoffice.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:3516
- - C:\Users\Admin\AppData\Roaming\MicrosoftOffice\micoffice.exe
    "C:\Users\Admin\AppData\Roaming\MicrosoftOffice\micoffice.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3540
  - - C:\Users\Admin\AppData\Roaming\MicrosoftOffice\micoffice.exe
      "C:\Users\Admin\AppData\Roaming\MicrosoftOffice\micoffice.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2956
  - - C:\Users\Admin\AppData\Roaming\MicrosoftOffice\micoffice.exe
      "C:\Users\Admin\AppData\Roaming\MicrosoftOffice\micoffice.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SDBGY.bat

Filesize
155B

MD5
f07b93136766adced3c6f0d74d869da0

SHA1
787c530f33687d758b41295e01d7a9a1bba3a467

SHA256
cd603067047c028fe12d4b099d13b3681dd698d25bc32474184e9d8edd3ed701

SHA512
050105a5f14939a37f653421b24959cc90cb082b20df5bb1a81335fd0ad5e70c740b43f1d6df0fc7324551425894668acc3af0c533c7d90ff149d84e844c2d10

Download Submit
C:\Users\Admin\AppData\Roaming\MicrosoftOffice\micoffice.exe

Filesize
952KB

MD5
5bb3b66ffe96abedd50b4e349ff3c9d4

SHA1
95bbd149a82dfd63cf363b141b95be9e3e3a1d01

SHA256
0f2b79cdb75a6954b45f3b804e1947153fbbd2852aa86cd10f1f9de6e2a80371

SHA512
7cc78dc3f46edaa08ba4262f5e9063861e37f6965abeafb646c1fcc20d352fe42072215de972288fdff2114dc540f51cd3a361e965a63552c72e25870cfde1c7

Download Submit
memory/2956-1043-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2956-1014-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3012-28-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/3012-26-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/3012-112-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3012-104-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3012-90-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/3012-80-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/3012-72-0x0000000002CD0000-0x0000000002CD1000-memory.dmp

Filesize
4KB

Download
memory/3012-62-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3012-52-0x00000000030A0000-0x00000000030A1000-memory.dmp

Filesize
4KB

Download
memory/3012-44-0x0000000002720000-0x0000000002721000-memory.dmp

Filesize
4KB

Download
memory/3012-36-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/3012-34-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/3012-32-0x0000000002740000-0x0000000002741000-memory.dmp

Filesize
4KB

Download
memory/3012-30-0x0000000002740000-0x0000000002741000-memory.dmp

Filesize
4KB

Download
memory/3012-157-0x0000000002A40000-0x0000000002A41000-memory.dmp

Filesize
4KB

Download
memory/3012-122-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/3012-24-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download
memory/3012-22-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download
memory/3012-20-0x0000000002750000-0x0000000002751000-memory.dmp

Filesize
4KB

Download
memory/3012-18-0x0000000002750000-0x0000000002751000-memory.dmp

Filesize
4KB

Download
memory/3012-14-0x0000000002EC0000-0x0000000002EC1000-memory.dmp

Filesize
4KB

Download
memory/3012-12-0x0000000002EC0000-0x0000000002EC1000-memory.dmp

Filesize
4KB

Download
memory/3012-8-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/3012-6-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/3012-4-0x0000000002CE0000-0x0000000002CE1000-memory.dmp

Filesize
4KB

Download
memory/3012-2-0x0000000002CE0000-0x0000000002CE1000-memory.dmp

Filesize
4KB

Download
memory/3012-428-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/3012-136-0x0000000002C80000-0x0000000002C81000-memory.dmp

Filesize
4KB

Download
memory/3012-144-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/3012-150-0x00000000026B0000-0x00000000026B1000-memory.dmp

Filesize
4KB

Download
memory/3308-1036-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3308-443-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads