darkcomet | 5938462ee18d19cf21ffd6a9850325f2413eee04747903e8a3563148b14b3227

Analysis

max time kernel
125s
max time network
118s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
04-01-2025 04:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_77c4ad9fa0364411adf59f27ab28bc56.exe
Size

301KB
MD5

77c4ad9fa0364411adf59f27ab28bc56
SHA1

c09d1b976fc047e9a605e476bc8f605123654fbf
SHA256

5938462ee18d19cf21ffd6a9850325f2413eee04747903e8a3563148b14b3227
SHA512

66f7f3d1b59ff7d940a8bc95ddba491913a1cd7efeabf57d5e3df6f2e4991ba8837b77c9dab461318555f5c0abbe40fe64e2a36f998168aa59a54cfd799b875c
SSDEEP

6144:xbaepOgEy+AT5JPPiFrF6UTcz/DJZoAwDuRS/xrgvVMJ5b:9a2dEy+ATrPiFXEJZoAwDuigv

Score

10^/10

darkcomet discovery evasion rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies firewall policy service 3 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	JaffaCakes118_77c4ad9fa0364411adf59f27ab28bc56.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	JaffaCakes118_77c4ad9fa0364411adf59f27ab28bc56.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	JaffaCakes118_77c4ad9fa0364411adf59f27ab28bc56.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	JaffaCakes118_77c4ad9fa0364411adf59f27ab28bc56.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2892	attrib.exe
592	attrib.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2768	2380	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_77c4ad9fa0364411adf59f27ab28bc56.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
528	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2380	JaffaCakes118_77c4ad9fa0364411adf59f27ab28bc56.exe
Token: SeSecurityPrivilege	2380	JaffaCakes118_77c4ad9fa0364411adf59f27ab28bc56.exe
Token: SeTakeOwnershipPrivilege	2380	JaffaCakes118_77c4ad9fa0364411adf59f27ab28bc56.exe
Token: SeLoadDriverPrivilege	2380	JaffaCakes118_77c4ad9fa0364411adf59f27ab28bc56.exe
Token: SeSystemProfilePrivilege	2380	JaffaCakes118_77c4ad9fa0364411adf59f27ab28bc56.exe
Token: SeSystemtimePrivilege	2380	JaffaCakes118_77c4ad9fa0364411adf59f27ab28bc56.exe
Token: SeProfSingleProcessPrivilege	2380	JaffaCakes118_77c4ad9fa0364411adf59f27ab28bc56.exe
Token: SeIncBasePriorityPrivilege	2380	JaffaCakes118_77c4ad9fa0364411adf59f27ab28bc56.exe
Token: SeCreatePagefilePrivilege	2380	JaffaCakes118_77c4ad9fa0364411adf59f27ab28bc56.exe
Token: SeBackupPrivilege	2380	JaffaCakes118_77c4ad9fa0364411adf59f27ab28bc56.exe
Token: SeRestorePrivilege	2380	JaffaCakes118_77c4ad9fa0364411adf59f27ab28bc56.exe
Token: SeShutdownPrivilege	2380	JaffaCakes118_77c4ad9fa0364411adf59f27ab28bc56.exe
Token: SeDebugPrivilege	2380	JaffaCakes118_77c4ad9fa0364411adf59f27ab28bc56.exe
Token: SeSystemEnvironmentPrivilege	2380	JaffaCakes118_77c4ad9fa0364411adf59f27ab28bc56.exe
Token: SeChangeNotifyPrivilege	2380	JaffaCakes118_77c4ad9fa0364411adf59f27ab28bc56.exe
Token: SeRemoteShutdownPrivilege	2380	JaffaCakes118_77c4ad9fa0364411adf59f27ab28bc56.exe
Token: SeUndockPrivilege	2380	JaffaCakes118_77c4ad9fa0364411adf59f27ab28bc56.exe
Token: SeManageVolumePrivilege	2380	JaffaCakes118_77c4ad9fa0364411adf59f27ab28bc56.exe
Token: SeImpersonatePrivilege	2380	JaffaCakes118_77c4ad9fa0364411adf59f27ab28bc56.exe
Token: SeCreateGlobalPrivilege	2380	JaffaCakes118_77c4ad9fa0364411adf59f27ab28bc56.exe
Token: 33	2380	JaffaCakes118_77c4ad9fa0364411adf59f27ab28bc56.exe
Token: 34	2380	JaffaCakes118_77c4ad9fa0364411adf59f27ab28bc56.exe
Token: 35	2380	JaffaCakes118_77c4ad9fa0364411adf59f27ab28bc56.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
528	WINWORD.EXE
528	WINWORD.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2376	2380	JaffaCakes118_77c4ad9fa0364411adf59f27ab28bc56.exe	30
PID 2380 wrote to memory of 2376	2380	JaffaCakes118_77c4ad9fa0364411adf59f27ab28bc56.exe	30
PID 2380 wrote to memory of 2376	2380	JaffaCakes118_77c4ad9fa0364411adf59f27ab28bc56.exe	30
PID 2380 wrote to memory of 2376	2380	JaffaCakes118_77c4ad9fa0364411adf59f27ab28bc56.exe	30
PID 2380 wrote to memory of 2888	2380	JaffaCakes118_77c4ad9fa0364411adf59f27ab28bc56.exe	32
PID 2380 wrote to memory of 2888	2380	JaffaCakes118_77c4ad9fa0364411adf59f27ab28bc56.exe	32
PID 2380 wrote to memory of 2888	2380	JaffaCakes118_77c4ad9fa0364411adf59f27ab28bc56.exe	32
PID 2380 wrote to memory of 2888	2380	JaffaCakes118_77c4ad9fa0364411adf59f27ab28bc56.exe	32
PID 2376 wrote to memory of 2892	2376	cmd.exe	34
PID 2376 wrote to memory of 2892	2376	cmd.exe	34
PID 2376 wrote to memory of 2892	2376	cmd.exe	34
PID 2376 wrote to memory of 2892	2376	cmd.exe	34
PID 2888 wrote to memory of 592	2888	cmd.exe	35
PID 2888 wrote to memory of 592	2888	cmd.exe	35
PID 2888 wrote to memory of 592	2888	cmd.exe	35
PID 2888 wrote to memory of 592	2888	cmd.exe	35
PID 2380 wrote to memory of 528	2380	JaffaCakes118_77c4ad9fa0364411adf59f27ab28bc56.exe	36
PID 2380 wrote to memory of 528	2380	JaffaCakes118_77c4ad9fa0364411adf59f27ab28bc56.exe	36
PID 2380 wrote to memory of 528	2380	JaffaCakes118_77c4ad9fa0364411adf59f27ab28bc56.exe	36
PID 2380 wrote to memory of 528	2380	JaffaCakes118_77c4ad9fa0364411adf59f27ab28bc56.exe	36
PID 2380 wrote to memory of 2992	2380	JaffaCakes118_77c4ad9fa0364411adf59f27ab28bc56.exe	38
PID 2380 wrote to memory of 2992	2380	JaffaCakes118_77c4ad9fa0364411adf59f27ab28bc56.exe	38
PID 2380 wrote to memory of 2992	2380	JaffaCakes118_77c4ad9fa0364411adf59f27ab28bc56.exe	38
PID 2380 wrote to memory of 2992	2380	JaffaCakes118_77c4ad9fa0364411adf59f27ab28bc56.exe	38
PID 2380 wrote to memory of 2768	2380	JaffaCakes118_77c4ad9fa0364411adf59f27ab28bc56.exe	39
PID 2380 wrote to memory of 2768	2380	JaffaCakes118_77c4ad9fa0364411adf59f27ab28bc56.exe	39
PID 2380 wrote to memory of 2768	2380	JaffaCakes118_77c4ad9fa0364411adf59f27ab28bc56.exe	39
PID 2380 wrote to memory of 2768	2380	JaffaCakes118_77c4ad9fa0364411adf59f27ab28bc56.exe	39
PID 528 wrote to memory of 2060	528	WINWORD.EXE	41
PID 528 wrote to memory of 2060	528	WINWORD.EXE	41
PID 528 wrote to memory of 2060	528	WINWORD.EXE	41
PID 528 wrote to memory of 2060	528	WINWORD.EXE	41

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2892	attrib.exe
592	attrib.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_77c4ad9fa0364411adf59f27ab28bc56.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_77c4ad9fa0364411adf59f27ab28bc56.exe"
1⤵
- Modifies firewall policy service
- Disables RegEdit via registry modification
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2892
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:592
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\NEUES RTF-DOKUMENT.RTF"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:528
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2060
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
  2⤵
  PID:2992
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 732
  2⤵
  - Program crash
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEUES RTF-DOKUMENT.RTF

Filesize
7B

MD5
8274425de767b30b2fff1124ab54abb5

SHA1
2201589aa3ed709b3665e4ff979e10c6ad5137fc

SHA256
0d6afb7e939f0936f40afdc759b5a354ea5427ec250a47e7b904ab1ea800a01d

SHA512
16f1647b22ca8679352e232c7dcbcdcba224c9b045c70e572bf061b2996f251cbd65a152557409f17be9417b23460adebe5de08d2dea30d13a64e22f6607206b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat

Filesize
101B

MD5
e7dac7045e27fddb3b7dccb8ea9749a5

SHA1
2ac2aa00b4ab4a101b39bf141059c688125791ef

SHA256
00cb63d818958d1c90ba0064bcff979bb6ba68924fc52140b7036ec82654e749

SHA512
ef7664b45cac47e0b2d0b07b799e151d337938b0a558d100ea035f25222ecbe2c1ef334139012e4446dd0f0dc49342339a45c9b6d0dd360a45e55ba7da07b594

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat

Filesize
50B

MD5
b774ae3fb1da087e1f83b4f7b2060e5a

SHA1
97eb9be49ac3af9c851c9e1e84e32bfd53e325a8

SHA256
adaf4a84b41e410b02e261cfd0fe7739d98647eab73c3badd32ac6e39f26351b

SHA512
f75d0f95f7306d26a12b414bfe37b97fbd37546cb3c6e403def7077329ddffb4b45d5c5f0ba0e7bb6d72851d2d691b0a85267beead42f7cbf2e8c3d45a3b4701

Download Submit
memory/528-21-0x000000002F4F1000-0x000000002F4F2000-memory.dmp

Filesize
4KB

Download
memory/528-22-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/528-23-0x0000000070E2D000-0x0000000070E38000-memory.dmp

Filesize
44KB

Download
memory/528-33-0x0000000070E2D000-0x0000000070E38000-memory.dmp

Filesize
44KB

Download
memory/2380-0-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2380-1-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2380-31-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2380-32-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2380-35-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads