darkcomet | 86762e0fd9c84a4c7d7f97a08de496a90cdd77df0122da1746883a2d3956b08d

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02/01/2025, 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_67487fcba24f39352821477dd0928a3b.exe
Size

695KB
MD5

67487fcba24f39352821477dd0928a3b
SHA1

0b66d88fab7aef3455e7695d9b469537a309bba8
SHA256

86762e0fd9c84a4c7d7f97a08de496a90cdd77df0122da1746883a2d3956b08d
SHA512

61e0c41b01d9eb82f871921718493a1f51cd5ae81ae6b62f684a9a5630a5b3091dbb92f1c2719e967191a29ad407cccfcfc309580e1b496a8b5428a89f37d898
SSDEEP

12288:3XAEwZ6ia5mWiOhGhpaZY+vQhZFaaolSXyOTrT6g3J7CDYhtEb:1nia48hGhpypvSFylSXyKT/IYsb

Score

10^/10

darkcomet discovery rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Executes dropped EXE 1 IoCs

pid	Process
1592	yo.jpg.exe

Loads dropped DLL 4 IoCs

pid	Process
2136	JaffaCakes118_67487fcba24f39352821477dd0928a3b.exe
2136	JaffaCakes118_67487fcba24f39352821477dd0928a3b.exe
2136	JaffaCakes118_67487fcba24f39352821477dd0928a3b.exe
2136	JaffaCakes118_67487fcba24f39352821477dd0928a3b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_67487fcba24f39352821477dd0928a3b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yo.jpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: 33	2136	JaffaCakes118_67487fcba24f39352821477dd0928a3b.exe
Token: SeIncBasePriorityPrivilege	2136	JaffaCakes118_67487fcba24f39352821477dd0928a3b.exe
Token: 33	2136	JaffaCakes118_67487fcba24f39352821477dd0928a3b.exe
Token: SeIncBasePriorityPrivilege	2136	JaffaCakes118_67487fcba24f39352821477dd0928a3b.exe
Token: 33	2136	JaffaCakes118_67487fcba24f39352821477dd0928a3b.exe
Token: SeIncBasePriorityPrivilege	2136	JaffaCakes118_67487fcba24f39352821477dd0928a3b.exe
Token: SeIncreaseQuotaPrivilege	1592	yo.jpg.exe
Token: SeSecurityPrivilege	1592	yo.jpg.exe
Token: SeTakeOwnershipPrivilege	1592	yo.jpg.exe
Token: SeLoadDriverPrivilege	1592	yo.jpg.exe
Token: SeSystemProfilePrivilege	1592	yo.jpg.exe
Token: SeSystemtimePrivilege	1592	yo.jpg.exe
Token: SeProfSingleProcessPrivilege	1592	yo.jpg.exe
Token: SeIncBasePriorityPrivilege	1592	yo.jpg.exe
Token: SeCreatePagefilePrivilege	1592	yo.jpg.exe
Token: SeBackupPrivilege	1592	yo.jpg.exe
Token: SeRestorePrivilege	1592	yo.jpg.exe
Token: SeShutdownPrivilege	1592	yo.jpg.exe
Token: SeDebugPrivilege	1592	yo.jpg.exe
Token: SeSystemEnvironmentPrivilege	1592	yo.jpg.exe
Token: SeChangeNotifyPrivilege	1592	yo.jpg.exe
Token: SeRemoteShutdownPrivilege	1592	yo.jpg.exe
Token: SeUndockPrivilege	1592	yo.jpg.exe
Token: SeManageVolumePrivilege	1592	yo.jpg.exe
Token: SeImpersonatePrivilege	1592	yo.jpg.exe
Token: SeCreateGlobalPrivilege	1592	yo.jpg.exe
Token: 33	1592	yo.jpg.exe
Token: 34	1592	yo.jpg.exe
Token: 35	1592	yo.jpg.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1996	DllHost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1592	yo.jpg.exe
1996	DllHost.exe
1996	DllHost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 1592	2136	JaffaCakes118_67487fcba24f39352821477dd0928a3b.exe	30
PID 2136 wrote to memory of 1592	2136	JaffaCakes118_67487fcba24f39352821477dd0928a3b.exe	30
PID 2136 wrote to memory of 1592	2136	JaffaCakes118_67487fcba24f39352821477dd0928a3b.exe	30
PID 2136 wrote to memory of 1592	2136	JaffaCakes118_67487fcba24f39352821477dd0928a3b.exe	30

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_67487fcba24f39352821477dd0928a3b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_67487fcba24f39352821477dd0928a3b.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Local\Xenocode\Sandbox\la mas wapa\1.0.0.0\2012.03.27T17.15\Virtual\STUBEXE\@DESKTOP@\yo.jpg.exe
  "C:\Users\Admin\Desktop\yo.jpg.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1592

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IMGRES.JPG

Filesize
6KB

MD5
150ba2fee08ea1359b03a038f5ba7b5b

SHA1
a9bea1d06b55b0b6739a59cf8dd194f873cdf4de

SHA256
03d2494bf033255f33a0944cec7e183a05bce396a4a70ecf40cc0feeee09f09e

SHA512
58e5644634c656d2ba821ff19f9260f4744db8d47e8e45829a2e08cfb6cf512b581260cf517dcadb04b834d4f2414b82e289e2201a4ceb2919c88c4b306912fb

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\la mas wapa\1.0.0.0\2012.03.27T17.15\Virtual\MODIFIED\@DESKTOP@\yo.jpg.exe

Filesize
678KB

MD5
f314298b8d1d1625cf996ffb3a099be9

SHA1
9cf7d5f9f7180467f2f7ec7f3d3bbe84abe42bec

SHA256
15aba10d98fb3e095f91b3639b92c249a07db15196c2a78f2fbded351551c097

SHA512
01fc47cdca11f8f1d1fbeda5ff92f37266e1519a6a8b048d7979c4d9a6879856c89987e4595f0a3764ed59636a09a4e8a1f4de752b3905904932db6fca523ca8

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\la mas wapa\1.0.0.0\2012.03.27T17.15\Virtual\STUBEXE\@DESKTOP@\yo.jpg.exe

Filesize
17KB

MD5
d745f91c57f0044ef93bc7141b66b280

SHA1
344d3b4e00193a9197029996b4a69fb4dcd46d4f

SHA256
906175f44e34e09c85495a3135f60e3e50d1623fab65be9d003298881ecd115b

SHA512
4e86f15ba5e637698df740add3df878de31e8bf37c2b5013031f858514ffce9a7ddbcf3224007a0d3d42140a29eb3e762d398a6b4e99307f089f5c0ce6dfd7d3

Download Submit
memory/2136-21-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2136-17-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2136-57-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2136-53-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2136-51-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2136-49-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2136-47-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2136-45-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2136-43-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2136-41-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2136-39-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2136-37-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2136-35-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2136-33-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2136-31-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2136-29-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2136-27-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2136-25-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2136-23-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2136-11-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2136-58-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2136-15-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2136-19-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2136-13-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2136-9-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2136-7-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2136-5-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2136-3-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2136-1-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2136-0-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2136-64-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2136-66-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2136-276-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2136-263-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2136-252-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2136-234-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2136-217-0x0000000077060000-0x0000000077061000-memory.dmp

Filesize
4KB

Download
memory/2136-59-0x0000000077060000-0x0000000077061000-memory.dmp

Filesize
4KB

Download
memory/2136-60-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2136-62-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2136-616-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download