darkcomet | 776d7d11b5d27b5b3a713f3839fd7128e05fa6a9134fa2fed9b2928e59852322

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
04/01/2025, 18:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7b2c058c92c0bfcdc36f6eb6bcd0f66b.exe
Size

797KB
MD5

7b2c058c92c0bfcdc36f6eb6bcd0f66b
SHA1

c7eb1f8c37df44d4f5560f1734dafdd12ed6477e
SHA256

776d7d11b5d27b5b3a713f3839fd7128e05fa6a9134fa2fed9b2928e59852322
SHA512

328816178c32125b73c01d03bd9670ae703e3a35c11c53e0ebbe43a9739b14ba2e77fa26be0cf215add3e2766035342253d668cb5b3f3012a172c18e60e8bec4
SSDEEP

12288:QQLcijICEZ+6vFkqeXGvyxngsm/CEUCR264lGYxtFYB6dsqvPMySJR2SePaG1vhW:ZcfZxFTKn8/+CR26gGYxUYFvPMygGBW

Score

10^/10

darkcomet guest16 discovery evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

imdaco.no-ip.org:1604

Mutex

DC_MUTEX-L9KM9Y7

Attributes

InstallPath
MSDCS\Rundll32.exe
gencode
LJp33LCadVtB
install
true
offline_keylogger
true
persistence
true
reg_key
Rundll32

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\MSDCS\\Rundll32.exe"	csc.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2632	attrib.exe
580	attrib.exe

Executes dropped EXE 1 IoCs

pid	Process
1580	Rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
2804	csc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rundll32 = "C:\\MSDCS\\Rundll32.exe"	csc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2720 set thread context of 2804	2720	JaffaCakes118_7b2c058c92c0bfcdc36f6eb6bcd0f66b.exe	30

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727	attrib.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7b2c058c92c0bfcdc36f6eb6bcd0f66b.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2804	csc.exe
Token: SeSecurityPrivilege	2804	csc.exe
Token: SeTakeOwnershipPrivilege	2804	csc.exe
Token: SeLoadDriverPrivilege	2804	csc.exe
Token: SeSystemProfilePrivilege	2804	csc.exe
Token: SeSystemtimePrivilege	2804	csc.exe
Token: SeProfSingleProcessPrivilege	2804	csc.exe
Token: SeIncBasePriorityPrivilege	2804	csc.exe
Token: SeCreatePagefilePrivilege	2804	csc.exe
Token: SeBackupPrivilege	2804	csc.exe
Token: SeRestorePrivilege	2804	csc.exe
Token: SeShutdownPrivilege	2804	csc.exe
Token: SeDebugPrivilege	2804	csc.exe
Token: SeSystemEnvironmentPrivilege	2804	csc.exe
Token: SeChangeNotifyPrivilege	2804	csc.exe
Token: SeRemoteShutdownPrivilege	2804	csc.exe
Token: SeUndockPrivilege	2804	csc.exe
Token: SeManageVolumePrivilege	2804	csc.exe
Token: SeImpersonatePrivilege	2804	csc.exe
Token: SeCreateGlobalPrivilege	2804	csc.exe
Token: 33	2804	csc.exe
Token: 34	2804	csc.exe
Token: 35	2804	csc.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2804	2720	JaffaCakes118_7b2c058c92c0bfcdc36f6eb6bcd0f66b.exe	30
PID 2720 wrote to memory of 2804	2720	JaffaCakes118_7b2c058c92c0bfcdc36f6eb6bcd0f66b.exe	30
PID 2720 wrote to memory of 2804	2720	JaffaCakes118_7b2c058c92c0bfcdc36f6eb6bcd0f66b.exe	30
PID 2720 wrote to memory of 2804	2720	JaffaCakes118_7b2c058c92c0bfcdc36f6eb6bcd0f66b.exe	30
PID 2720 wrote to memory of 2804	2720	JaffaCakes118_7b2c058c92c0bfcdc36f6eb6bcd0f66b.exe	30
PID 2720 wrote to memory of 2804	2720	JaffaCakes118_7b2c058c92c0bfcdc36f6eb6bcd0f66b.exe	30
PID 2720 wrote to memory of 2804	2720	JaffaCakes118_7b2c058c92c0bfcdc36f6eb6bcd0f66b.exe	30
PID 2720 wrote to memory of 2804	2720	JaffaCakes118_7b2c058c92c0bfcdc36f6eb6bcd0f66b.exe	30
PID 2720 wrote to memory of 2804	2720	JaffaCakes118_7b2c058c92c0bfcdc36f6eb6bcd0f66b.exe	30
PID 2720 wrote to memory of 2804	2720	JaffaCakes118_7b2c058c92c0bfcdc36f6eb6bcd0f66b.exe	30
PID 2720 wrote to memory of 2804	2720	JaffaCakes118_7b2c058c92c0bfcdc36f6eb6bcd0f66b.exe	30
PID 2720 wrote to memory of 2804	2720	JaffaCakes118_7b2c058c92c0bfcdc36f6eb6bcd0f66b.exe	30
PID 2720 wrote to memory of 2804	2720	JaffaCakes118_7b2c058c92c0bfcdc36f6eb6bcd0f66b.exe	30
PID 2720 wrote to memory of 2804	2720	JaffaCakes118_7b2c058c92c0bfcdc36f6eb6bcd0f66b.exe	30
PID 2720 wrote to memory of 2804	2720	JaffaCakes118_7b2c058c92c0bfcdc36f6eb6bcd0f66b.exe	30
PID 2804 wrote to memory of 2880	2804	csc.exe	31
PID 2804 wrote to memory of 2880	2804	csc.exe	31
PID 2804 wrote to memory of 2880	2804	csc.exe	31
PID 2804 wrote to memory of 2880	2804	csc.exe	31
PID 2804 wrote to memory of 2596	2804	csc.exe	32
PID 2804 wrote to memory of 2596	2804	csc.exe	32
PID 2804 wrote to memory of 2596	2804	csc.exe	32
PID 2804 wrote to memory of 2596	2804	csc.exe	32
PID 2804 wrote to memory of 2740	2804	csc.exe	34
PID 2804 wrote to memory of 2740	2804	csc.exe	34
PID 2804 wrote to memory of 2740	2804	csc.exe	34
PID 2804 wrote to memory of 2740	2804	csc.exe	34
PID 2804 wrote to memory of 2740	2804	csc.exe	34
PID 2804 wrote to memory of 2740	2804	csc.exe	34
PID 2804 wrote to memory of 2740	2804	csc.exe	34
PID 2804 wrote to memory of 2740	2804	csc.exe	34
PID 2804 wrote to memory of 2740	2804	csc.exe	34
PID 2804 wrote to memory of 2740	2804	csc.exe	34
PID 2804 wrote to memory of 2740	2804	csc.exe	34
PID 2804 wrote to memory of 2740	2804	csc.exe	34
PID 2804 wrote to memory of 2740	2804	csc.exe	34
PID 2804 wrote to memory of 2740	2804	csc.exe	34
PID 2804 wrote to memory of 2740	2804	csc.exe	34
PID 2804 wrote to memory of 2740	2804	csc.exe	34
PID 2804 wrote to memory of 2740	2804	csc.exe	34
PID 2804 wrote to memory of 2740	2804	csc.exe	34
PID 2880 wrote to memory of 2632	2880	cmd.exe	36
PID 2880 wrote to memory of 2632	2880	cmd.exe	36
PID 2880 wrote to memory of 2632	2880	cmd.exe	36
PID 2880 wrote to memory of 2632	2880	cmd.exe	36
PID 2596 wrote to memory of 580	2596	cmd.exe	37
PID 2596 wrote to memory of 580	2596	cmd.exe	37
PID 2596 wrote to memory of 580	2596	cmd.exe	37
PID 2596 wrote to memory of 580	2596	cmd.exe	37
PID 2804 wrote to memory of 1580	2804	csc.exe	38
PID 2804 wrote to memory of 1580	2804	csc.exe	38
PID 2804 wrote to memory of 1580	2804	csc.exe	38
PID 2804 wrote to memory of 1580	2804	csc.exe	38
PID 2804 wrote to memory of 1580	2804	csc.exe	38
PID 2804 wrote to memory of 1580	2804	csc.exe	38
PID 2804 wrote to memory of 1580	2804	csc.exe	38

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2632	attrib.exe
580	attrib.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b2c058c92c0bfcdc36f6eb6bcd0f66b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b2c058c92c0bfcdc36f6eb6bcd0f66b.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  2⤵
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" +s +h
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" +s +h
      4⤵
      Sets file to hidden
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2632
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
      4⤵
      Sets file to hidden
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:580
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2740
- - C:\MSDCS\Rundll32.exe
    "C:\MSDCS\Rundll32.exe"
    3⤵
    - Executes dropped EXE
    PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSDCS\Rundll32.exe

Filesize
75KB

MD5
3d7d2e825c63ff501e896cf008c70d75

SHA1
24e1e56df2c1e85b224b4360235513e79f03d3fc

SHA256
037fc52b8fc6089338eb456f2b45638ed36c42a4dca7ace391d166b2329838a1

SHA512
57d06b2226221162e0b54eeea3de13af6386bd632d16f6ec0666da81e8e177157a778caf0e3df0fe6368ea0b0fd93dae92cbe3cbb8c484f9e1107ba371301f21

Download Submit
memory/2720-10-0x0000000074010000-0x00000000745BB000-memory.dmp

Filesize
5.7MB

Download
memory/2720-1-0x0000000074010000-0x00000000745BB000-memory.dmp

Filesize
5.7MB

Download
memory/2720-2-0x0000000074010000-0x00000000745BB000-memory.dmp

Filesize
5.7MB

Download
memory/2720-0-0x0000000074011000-0x0000000074012000-memory.dmp

Filesize
4KB

Download
memory/2740-26-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2740-12-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2804-3-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2804-7-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2804-6-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2804-5-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2804-4-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2804-32-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads