darkcomet | c4cf9bb4bd8f7f55d1ce288d7dede57fcf6e048e38d47fa00661dade54b9526f

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 01:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_698442d3c6267aafd2a2d6157bce2a90.exe
Size

456KB
MD5

698442d3c6267aafd2a2d6157bce2a90
SHA1

7586cb460785076c24be81aa3e8d7928c1d806c4
SHA256

c4cf9bb4bd8f7f55d1ce288d7dede57fcf6e048e38d47fa00661dade54b9526f
SHA512

a652379f986e75d09d9aa8bc1f71be2cc672ec256fc8c537e47d69fa69c94d155111f8e50543a9728f7eca91887bebd18bccc77e7e74332dce0f1a1c01025e3e
SSDEEP

6144:9gHNSzfilEOBuc37a8IaVWJk+1lFP+IjwVAItNZWcv7DVNDrZ+CtJSn8bp26:9ga2Ln3nIsWJk+xlwVAItNZ9vLuK

Score

10^/10

darkcomet clients defense_evasion discovery persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Clients

donbiz.no-ip.biz:1604

Mutex

DC_MUTEX-B5WXAJQ

Attributes

gencode
wwPkqHq7l2zl
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	JaffaCakes118_698442d3c6267aafd2a2d6157bce2a90.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	winlog.exe

Executes dropped EXE 2 IoCs

pid	Process
672	winlog.exe
4720	csrss.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Wins = "C:\\Users\\Admin\\AppData\\Roaming\\winlog.exe"	winlog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wins = "C:\\Users\\Admin\\AppData\\Roaming\\winlog.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Wins = "C:\\Users\\Admin\\AppData\\Roaming\\winlog.exe"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wins = "C:\\Users\\Admin\\AppData\\Roaming\\winlog.exe"	winlog.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 672 set thread context of 448	672	winlog.exe	98

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/448-24-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/448-29-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/448-25-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/448-31-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/448-35-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/448-34-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/448-37-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/448-36-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/448-26-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/448-72-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/448-73-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/448-74-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/448-75-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/448-76-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/448-77-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/448-78-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/448-79-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/448-80-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/448-81-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_698442d3c6267aafd2a2d6157bce2a90.exe:ZONE.identifier	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\winlog.exe:ZONE.identifier	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_698442d3c6267aafd2a2d6157bce2a90.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winlog.exe

NTFS ADS 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\csrss.exe\:ZONE.identifier:$DATA	winlog.exe
File created	C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_698442d3c6267aafd2a2d6157bce2a90.exe:ZONE.identifier	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\winlog.exe\:ZONE.identifier:$DATA	JaffaCakes118_698442d3c6267aafd2a2d6157bce2a90.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\winlog.exe:ZONE.identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
672	winlog.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe
4720	csrss.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	672	winlog.exe
Token: SeIncreaseQuotaPrivilege	448	vbc.exe
Token: SeSecurityPrivilege	448	vbc.exe
Token: SeTakeOwnershipPrivilege	448	vbc.exe
Token: SeLoadDriverPrivilege	448	vbc.exe
Token: SeSystemProfilePrivilege	448	vbc.exe
Token: SeSystemtimePrivilege	448	vbc.exe
Token: SeProfSingleProcessPrivilege	448	vbc.exe
Token: SeIncBasePriorityPrivilege	448	vbc.exe
Token: SeCreatePagefilePrivilege	448	vbc.exe
Token: SeBackupPrivilege	448	vbc.exe
Token: SeRestorePrivilege	448	vbc.exe
Token: SeShutdownPrivilege	448	vbc.exe
Token: SeDebugPrivilege	448	vbc.exe
Token: SeSystemEnvironmentPrivilege	448	vbc.exe
Token: SeChangeNotifyPrivilege	448	vbc.exe
Token: SeRemoteShutdownPrivilege	448	vbc.exe
Token: SeUndockPrivilege	448	vbc.exe
Token: SeManageVolumePrivilege	448	vbc.exe
Token: SeImpersonatePrivilege	448	vbc.exe
Token: SeCreateGlobalPrivilege	448	vbc.exe
Token: 33	448	vbc.exe
Token: 34	448	vbc.exe
Token: 35	448	vbc.exe
Token: 36	448	vbc.exe
Token: SeDebugPrivilege	4720	csrss.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
448	vbc.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3760 wrote to memory of 2160	3760	JaffaCakes118_698442d3c6267aafd2a2d6157bce2a90.exe	91
PID 3760 wrote to memory of 2160	3760	JaffaCakes118_698442d3c6267aafd2a2d6157bce2a90.exe	91
PID 3760 wrote to memory of 2160	3760	JaffaCakes118_698442d3c6267aafd2a2d6157bce2a90.exe	91
PID 3760 wrote to memory of 672	3760	JaffaCakes118_698442d3c6267aafd2a2d6157bce2a90.exe	93
PID 3760 wrote to memory of 672	3760	JaffaCakes118_698442d3c6267aafd2a2d6157bce2a90.exe	93
PID 3760 wrote to memory of 672	3760	JaffaCakes118_698442d3c6267aafd2a2d6157bce2a90.exe	93
PID 672 wrote to memory of 2680	672	winlog.exe	96
PID 672 wrote to memory of 2680	672	winlog.exe	96
PID 672 wrote to memory of 2680	672	winlog.exe	96
PID 672 wrote to memory of 448	672	winlog.exe	98
PID 672 wrote to memory of 448	672	winlog.exe	98
PID 672 wrote to memory of 448	672	winlog.exe	98
PID 672 wrote to memory of 448	672	winlog.exe	98
PID 672 wrote to memory of 448	672	winlog.exe	98
PID 672 wrote to memory of 448	672	winlog.exe	98
PID 672 wrote to memory of 448	672	winlog.exe	98
PID 672 wrote to memory of 448	672	winlog.exe	98
PID 672 wrote to memory of 4720	672	winlog.exe	99
PID 672 wrote to memory of 4720	672	winlog.exe	99
PID 672 wrote to memory of 4720	672	winlog.exe	99

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_698442d3c6267aafd2a2d6157bce2a90.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_698442d3c6267aafd2a2d6157bce2a90.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:3760
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_698442d3c6267aafd2a2d6157bce2a90.exe":ZONE.identifier & exit
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:2160
- C:\Users\Admin\AppData\Roaming\winlog.exe
  "C:\Users\Admin\AppData\Roaming\winlog.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:672
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Roaming\winlog.exe":ZONE.identifier & exit
    3⤵
    - Subvert Trust Controls: Mark-of-the-Web Bypass
    - System Location Discovery: System Language Discovery
    - NTFS ADS
    PID:2680
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:448
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" -reg C:\Users\Admin\AppData\Roaming\winlog.exe -proc 448 C:\Users\Admin\AppData\Roaming\winlog.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_698442d3c6267aafd2a2d6157bce2a90.exe

Filesize
456KB

MD5
698442d3c6267aafd2a2d6157bce2a90

SHA1
7586cb460785076c24be81aa3e8d7928c1d806c4

SHA256
c4cf9bb4bd8f7f55d1ce288d7dede57fcf6e048e38d47fa00661dade54b9526f

SHA512
a652379f986e75d09d9aa8bc1f71be2cc672ec256fc8c537e47d69fa69c94d155111f8e50543a9728f7eca91887bebd18bccc77e7e74332dce0f1a1c01025e3e

Download Submit
C:\Users\Admin\AppData\Roaming\csrss.exe:ZONE.identifier

Filesize
28B

MD5
90fd34c6bd120fb6d41d18161a05296b

SHA1
346e55ea4c486d9f4ac7e65793c34fc18e5a28b1

SHA256
53c9dbb7d60a9fd6c12d2580557472f0132cc26c055e2e841b455be1b8713695

SHA512
74a0d8a648267a6c2a31cecd076a3d30d59951ca3e00b8e2e0a935a709cd105c6a8da2da6988f4c3bbef13aea3ad9a805547e8373e57a471d1f794db4ca4709e

Download Submit
memory/448-74-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/448-37-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/448-34-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/448-35-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/448-80-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/448-75-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/448-77-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/448-73-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/448-72-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/448-24-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/448-29-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/448-25-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/448-79-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/448-31-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/448-81-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/448-78-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/448-76-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/448-36-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/448-26-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/672-71-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/672-22-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/672-20-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/672-21-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/672-19-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/3760-4-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/3760-0-0x0000000074F92000-0x0000000074F93000-memory.dmp

Filesize
4KB

Download
memory/3760-3-0x0000000074F92000-0x0000000074F93000-memory.dmp

Filesize
4KB

Download
memory/3760-1-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/3760-18-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/3760-2-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download