darkcomet | 0a1da724132eca214511cff376c2ba53ae7fa63b96d6f60a3f51a205caf43e90

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-01-2025 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6b6a94ac17d74979c41f9df5dd987740.exe
Size

779KB
MD5

6b6a94ac17d74979c41f9df5dd987740
SHA1

f51f2ad7cb34073d5ef5fc900368369202331506
SHA256

0a1da724132eca214511cff376c2ba53ae7fa63b96d6f60a3f51a205caf43e90
SHA512

0e0329f21bd82ac2d7dd6dd67b9a5c49b09a92d2294b506176454d80420447a2746f2240353c64e16ce6714afbec9a5df5ccb87011dc0a39f76984282b31d69d
SSDEEP

12288:h4YJH6lgnTSwfC55c7nnoUIRk1WtEupY5saNLlSsl5HOYdyYLI:h4+H6lpwfC56DOq0tEupSB6Cf0

Score

10^/10

darkcomet hacked discovery evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

HaCkEd

imasoldier.zapto.org:1065

Mutex

DC_MUTEX-F4Y6Y3U

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
NvNoWDafnVkg
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	1.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	msdcsc.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2916	attrib.exe
1040	attrib.exe

Executes dropped EXE 3 IoCs

pid	Process
840	2.exe
532	1.exe
2624	msdcsc.exe

Loads dropped DLL 6 IoCs

pid	Process
2716	cmd.exe
2716	cmd.exe
2560	cmd.exe
2560	cmd.exe
532	1.exe
532	1.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6b6a94ac17d74979c41f9df5dd987740.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2624	msdcsc.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	532	1.exe
Token: SeSecurityPrivilege	532	1.exe
Token: SeTakeOwnershipPrivilege	532	1.exe
Token: SeLoadDriverPrivilege	532	1.exe
Token: SeSystemProfilePrivilege	532	1.exe
Token: SeSystemtimePrivilege	532	1.exe
Token: SeProfSingleProcessPrivilege	532	1.exe
Token: SeIncBasePriorityPrivilege	532	1.exe
Token: SeCreatePagefilePrivilege	532	1.exe
Token: SeBackupPrivilege	532	1.exe
Token: SeRestorePrivilege	532	1.exe
Token: SeShutdownPrivilege	532	1.exe
Token: SeDebugPrivilege	532	1.exe
Token: SeSystemEnvironmentPrivilege	532	1.exe
Token: SeChangeNotifyPrivilege	532	1.exe
Token: SeRemoteShutdownPrivilege	532	1.exe
Token: SeUndockPrivilege	532	1.exe
Token: SeManageVolumePrivilege	532	1.exe
Token: SeImpersonatePrivilege	532	1.exe
Token: SeCreateGlobalPrivilege	532	1.exe
Token: 33	532	1.exe
Token: 34	532	1.exe
Token: 35	532	1.exe
Token: SeIncreaseQuotaPrivilege	2624	msdcsc.exe
Token: SeSecurityPrivilege	2624	msdcsc.exe
Token: SeTakeOwnershipPrivilege	2624	msdcsc.exe
Token: SeLoadDriverPrivilege	2624	msdcsc.exe
Token: SeSystemProfilePrivilege	2624	msdcsc.exe
Token: SeSystemtimePrivilege	2624	msdcsc.exe
Token: SeProfSingleProcessPrivilege	2624	msdcsc.exe
Token: SeIncBasePriorityPrivilege	2624	msdcsc.exe
Token: SeCreatePagefilePrivilege	2624	msdcsc.exe
Token: SeBackupPrivilege	2624	msdcsc.exe
Token: SeRestorePrivilege	2624	msdcsc.exe
Token: SeShutdownPrivilege	2624	msdcsc.exe
Token: SeDebugPrivilege	2624	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	2624	msdcsc.exe
Token: SeChangeNotifyPrivilege	2624	msdcsc.exe
Token: SeRemoteShutdownPrivilege	2624	msdcsc.exe
Token: SeUndockPrivilege	2624	msdcsc.exe
Token: SeManageVolumePrivilege	2624	msdcsc.exe
Token: SeImpersonatePrivilege	2624	msdcsc.exe
Token: SeCreateGlobalPrivilege	2624	msdcsc.exe
Token: 33	2624	msdcsc.exe
Token: 34	2624	msdcsc.exe
Token: 35	2624	msdcsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2624	msdcsc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2716	2700	JaffaCakes118_6b6a94ac17d74979c41f9df5dd987740.exe	30
PID 2700 wrote to memory of 2716	2700	JaffaCakes118_6b6a94ac17d74979c41f9df5dd987740.exe	30
PID 2700 wrote to memory of 2716	2700	JaffaCakes118_6b6a94ac17d74979c41f9df5dd987740.exe	30
PID 2700 wrote to memory of 2716	2700	JaffaCakes118_6b6a94ac17d74979c41f9df5dd987740.exe	30
PID 2716 wrote to memory of 840	2716	cmd.exe	32
PID 2716 wrote to memory of 840	2716	cmd.exe	32
PID 2716 wrote to memory of 840	2716	cmd.exe	32
PID 2716 wrote to memory of 840	2716	cmd.exe	32
PID 840 wrote to memory of 2560	840	2.exe	33
PID 840 wrote to memory of 2560	840	2.exe	33
PID 840 wrote to memory of 2560	840	2.exe	33
PID 840 wrote to memory of 2560	840	2.exe	33
PID 2560 wrote to memory of 532	2560	cmd.exe	35
PID 2560 wrote to memory of 532	2560	cmd.exe	35
PID 2560 wrote to memory of 532	2560	cmd.exe	35
PID 2560 wrote to memory of 532	2560	cmd.exe	35
PID 532 wrote to memory of 2228	532	1.exe	36
PID 532 wrote to memory of 2228	532	1.exe	36
PID 532 wrote to memory of 2228	532	1.exe	36
PID 532 wrote to memory of 2228	532	1.exe	36
PID 532 wrote to memory of 2164	532	1.exe	37
PID 532 wrote to memory of 2164	532	1.exe	37
PID 532 wrote to memory of 2164	532	1.exe	37
PID 532 wrote to memory of 2164	532	1.exe	37
PID 532 wrote to memory of 1816	532	1.exe	38
PID 532 wrote to memory of 1816	532	1.exe	38
PID 532 wrote to memory of 1816	532	1.exe	38
PID 532 wrote to memory of 1816	532	1.exe	38
PID 532 wrote to memory of 1816	532	1.exe	38
PID 532 wrote to memory of 1816	532	1.exe	38
PID 532 wrote to memory of 1816	532	1.exe	38
PID 532 wrote to memory of 1816	532	1.exe	38
PID 532 wrote to memory of 1816	532	1.exe	38
PID 532 wrote to memory of 1816	532	1.exe	38
PID 532 wrote to memory of 1816	532	1.exe	38
PID 532 wrote to memory of 1816	532	1.exe	38
PID 532 wrote to memory of 1816	532	1.exe	38
PID 532 wrote to memory of 1816	532	1.exe	38
PID 532 wrote to memory of 1816	532	1.exe	38
PID 532 wrote to memory of 1816	532	1.exe	38
PID 532 wrote to memory of 1816	532	1.exe	38
PID 532 wrote to memory of 1816	532	1.exe	38
PID 2164 wrote to memory of 2916	2164	cmd.exe	40
PID 2164 wrote to memory of 2916	2164	cmd.exe	40
PID 2164 wrote to memory of 2916	2164	cmd.exe	40
PID 2164 wrote to memory of 2916	2164	cmd.exe	40
PID 2228 wrote to memory of 1040	2228	cmd.exe	42
PID 2228 wrote to memory of 1040	2228	cmd.exe	42
PID 2228 wrote to memory of 1040	2228	cmd.exe	42
PID 2228 wrote to memory of 1040	2228	cmd.exe	42
PID 532 wrote to memory of 2624	532	1.exe	43
PID 532 wrote to memory of 2624	532	1.exe	43
PID 532 wrote to memory of 2624	532	1.exe	43
PID 532 wrote to memory of 2624	532	1.exe	43
PID 2624 wrote to memory of 2256	2624	msdcsc.exe	44
PID 2624 wrote to memory of 2256	2624	msdcsc.exe	44
PID 2624 wrote to memory of 2256	2624	msdcsc.exe	44
PID 2624 wrote to memory of 2256	2624	msdcsc.exe	44
PID 2624 wrote to memory of 2256	2624	msdcsc.exe	44
PID 2624 wrote to memory of 2256	2624	msdcsc.exe	44
PID 2624 wrote to memory of 2256	2624	msdcsc.exe	44
PID 2624 wrote to memory of 2256	2624	msdcsc.exe	44
PID 2624 wrote to memory of 2256	2624	msdcsc.exe	44
PID 2624 wrote to memory of 2256	2624	msdcsc.exe	44

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	msdcsc.exe

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2916	attrib.exe
1040	attrib.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b6a94ac17d74979c41f9df5dd987740.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b6a94ac17d74979c41f9df5dd987740.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\ztmp\t3899.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b6a94ac17d74979c41f9df5dd987740.exe" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Users\Admin\AppData\Local\Temp\afolder\2.exe
    2.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:840
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\ztmp\t5163.bat" "C:\Users\Admin\AppData\Local\Temp\afolder\2.exe" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2560
    - - C:\Users\Admin\AppData\Local\Temp\afolder\1.exe
        
        1.exe
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:532
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\afolder\1.exe" +s +h
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp\afolder\1.exe" +s +h
        7⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:1040
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\afolder" +s +h
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp\afolder" +s +h
        7⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2916
      - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1816
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        Modifies security service
        Windows security bypass
        Executes dropped EXE
        Windows security modification
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2624
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\afolder\1.exe

Filesize
659KB

MD5
a5c281dab973219f324282acea6e9d36

SHA1
0b295a4cfeab1953e8d0b2ee6e08c3f9002be9a0

SHA256
1d473afb1ffb75541405e7c0a24673dd266eccc00d386aff67016f1bd1e8153c

SHA512
3588d64d4a1bf91bc473d5734f7f7c457d2bd7d7a5e28443137410602a34ad90decf32c4bfb080ce3219cf3eede492773efc724d27f4c354bb42e9f3e36a5c8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\2.exe

Filesize
719KB

MD5
37be355dc1b396e577b4fc4c10a05db0

SHA1
da566574177c5e5f1b61b639454fdff20cff2996

SHA256
d8b3e4f5a91aeebd08dfa46bb2269475a28d4ea21af9dbdb0a10413d38879fef

SHA512
897ba71b0baad9c64a3cf228dc5bfee7cf4282277899da984ad13a79e8ec40c749de926573b3498e92234c45c970e89ab801337a53ebfa3fe6e2af58566fdc0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ztmp\t3899.bat

Filesize
204B

MD5
2ef89a2e0bb9ad5b10339f6b0e4413f5

SHA1
40b9fb9ccea4c39fa65e5229d222c580dfce9e5b

SHA256
2c120ec4f3a5d2019592fed667eae808dafc1ccbbce82c7300adf9d72995e3b8

SHA512
da8b22599b861bdd0e3cbbc1990dc62eb8eade6969f3b13af3711f4bb4604fef0448b4b213ece647b894297705ed181b8ada899892bb47b4335bf93e17b2d5b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ztmp\t5163.bat

Filesize
204B

MD5
2cf1721b6a6287485fa9220da8b09d0d

SHA1
be1f93f553b8b16a3f66dcfb073f0459349a821c

SHA256
ad29905d09d33d2d8b685b215976d203b4379cb36910cc0d1f3d78fe5bf77e99

SHA512
64c1b16611d4c7cf1cc705326ddfcf9c3dd63b843c59e7feda34f681a620a5159c7380acf93249708842bf169b8d8eef3827063f918158566e7444501f2a1a5b

Download Submit
memory/1816-75-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/1816-47-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads