darkcomet | a057f8785315b15d78cf51d4371dc8c52c6512c94b9d85757dc0328db97b46c8

Analysis

max time kernel
150s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-01-2025 06:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_0827cd0968f3c7519694f557f198773a.exe
Size

246KB
MD5

0827cd0968f3c7519694f557f198773a
SHA1

401f4b753f6ff44313a41faad05123a2fa899973
SHA256

a057f8785315b15d78cf51d4371dc8c52c6512c94b9d85757dc0328db97b46c8
SHA512

b7748d3cb2c5d1c7bba5739900cf4a6dd3bc73bdb8cd57da806b738ad7bf31c691f801b90e9e69d4ec681c349dd439b86936cbb2bd2bf81d74544adec6786eaf
SSDEEP

6144:SMggLtESuJHedbXFN+xTHkPgVSf1wEC2G1Ydi:SMjLtExRedbXFYIvfby1

Score

10^/10

darkcomet discovery persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe"	JaffaCakes118_0827cd0968f3c7519694f557f198773a.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	JaffaCakes118_0827cd0968f3c7519694f557f198773a.exe

Executes dropped EXE 1 IoCs

pid	Process
4384	winupdate.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe"	JaffaCakes118_0827cd0968f3c7519694f557f198773a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe"	winupdate.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3600-0-0x0000000000400000-0x00000000004B9000-memory.dmp	upx
behavioral2/files/0x0007000000023ce4-6.dat	upx
behavioral2/memory/3600-37-0x0000000000400000-0x00000000004B9000-memory.dmp	upx
behavioral2/memory/4384-39-0x0000000000400000-0x00000000004B9000-memory.dmp	upx
behavioral2/memory/4384-40-0x0000000000400000-0x00000000004B9000-memory.dmp	upx
behavioral2/memory/4384-41-0x0000000000400000-0x00000000004B9000-memory.dmp	upx
behavioral2/memory/4384-43-0x0000000000400000-0x00000000004B9000-memory.dmp	upx
behavioral2/memory/4384-44-0x0000000000400000-0x00000000004B9000-memory.dmp	upx
behavioral2/memory/4384-47-0x0000000000400000-0x00000000004B9000-memory.dmp	upx
behavioral2/memory/4384-48-0x0000000000400000-0x00000000004B9000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0827cd0968f3c7519694f557f198773a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3036	cmd.exe
668	cmd.exe
2092	PING.EXE
1656	PING.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	JaffaCakes118_0827cd0968f3c7519694f557f198773a.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2092	PING.EXE
1656	PING.EXE

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3600	JaffaCakes118_0827cd0968f3c7519694f557f198773a.exe
Token: SeSecurityPrivilege	3600	JaffaCakes118_0827cd0968f3c7519694f557f198773a.exe
Token: SeTakeOwnershipPrivilege	3600	JaffaCakes118_0827cd0968f3c7519694f557f198773a.exe
Token: SeLoadDriverPrivilege	3600	JaffaCakes118_0827cd0968f3c7519694f557f198773a.exe
Token: SeSystemProfilePrivilege	3600	JaffaCakes118_0827cd0968f3c7519694f557f198773a.exe
Token: SeSystemtimePrivilege	3600	JaffaCakes118_0827cd0968f3c7519694f557f198773a.exe
Token: SeProfSingleProcessPrivilege	3600	JaffaCakes118_0827cd0968f3c7519694f557f198773a.exe
Token: SeIncBasePriorityPrivilege	3600	JaffaCakes118_0827cd0968f3c7519694f557f198773a.exe
Token: SeCreatePagefilePrivilege	3600	JaffaCakes118_0827cd0968f3c7519694f557f198773a.exe
Token: SeBackupPrivilege	3600	JaffaCakes118_0827cd0968f3c7519694f557f198773a.exe
Token: SeRestorePrivilege	3600	JaffaCakes118_0827cd0968f3c7519694f557f198773a.exe
Token: SeShutdownPrivilege	3600	JaffaCakes118_0827cd0968f3c7519694f557f198773a.exe
Token: SeDebugPrivilege	3600	JaffaCakes118_0827cd0968f3c7519694f557f198773a.exe
Token: SeSystemEnvironmentPrivilege	3600	JaffaCakes118_0827cd0968f3c7519694f557f198773a.exe
Token: SeChangeNotifyPrivilege	3600	JaffaCakes118_0827cd0968f3c7519694f557f198773a.exe
Token: SeRemoteShutdownPrivilege	3600	JaffaCakes118_0827cd0968f3c7519694f557f198773a.exe
Token: SeUndockPrivilege	3600	JaffaCakes118_0827cd0968f3c7519694f557f198773a.exe
Token: SeManageVolumePrivilege	3600	JaffaCakes118_0827cd0968f3c7519694f557f198773a.exe
Token: SeImpersonatePrivilege	3600	JaffaCakes118_0827cd0968f3c7519694f557f198773a.exe
Token: SeCreateGlobalPrivilege	3600	JaffaCakes118_0827cd0968f3c7519694f557f198773a.exe
Token: 33	3600	JaffaCakes118_0827cd0968f3c7519694f557f198773a.exe
Token: 34	3600	JaffaCakes118_0827cd0968f3c7519694f557f198773a.exe
Token: 35	3600	JaffaCakes118_0827cd0968f3c7519694f557f198773a.exe
Token: 36	3600	JaffaCakes118_0827cd0968f3c7519694f557f198773a.exe
Token: SeIncreaseQuotaPrivilege	4384	winupdate.exe
Token: SeSecurityPrivilege	4384	winupdate.exe
Token: SeTakeOwnershipPrivilege	4384	winupdate.exe
Token: SeLoadDriverPrivilege	4384	winupdate.exe
Token: SeSystemProfilePrivilege	4384	winupdate.exe
Token: SeSystemtimePrivilege	4384	winupdate.exe
Token: SeProfSingleProcessPrivilege	4384	winupdate.exe
Token: SeIncBasePriorityPrivilege	4384	winupdate.exe
Token: SeCreatePagefilePrivilege	4384	winupdate.exe
Token: SeBackupPrivilege	4384	winupdate.exe
Token: SeRestorePrivilege	4384	winupdate.exe
Token: SeShutdownPrivilege	4384	winupdate.exe
Token: SeDebugPrivilege	4384	winupdate.exe
Token: SeSystemEnvironmentPrivilege	4384	winupdate.exe
Token: SeChangeNotifyPrivilege	4384	winupdate.exe
Token: SeRemoteShutdownPrivilege	4384	winupdate.exe
Token: SeUndockPrivilege	4384	winupdate.exe
Token: SeManageVolumePrivilege	4384	winupdate.exe
Token: SeImpersonatePrivilege	4384	winupdate.exe
Token: SeCreateGlobalPrivilege	4384	winupdate.exe
Token: 33	4384	winupdate.exe
Token: 34	4384	winupdate.exe
Token: 35	4384	winupdate.exe
Token: 36	4384	winupdate.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4384	winupdate.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3600 wrote to memory of 3036	3600	JaffaCakes118_0827cd0968f3c7519694f557f198773a.exe	85
PID 3600 wrote to memory of 3036	3600	JaffaCakes118_0827cd0968f3c7519694f557f198773a.exe	85
PID 3600 wrote to memory of 3036	3600	JaffaCakes118_0827cd0968f3c7519694f557f198773a.exe	85
PID 3600 wrote to memory of 668	3600	JaffaCakes118_0827cd0968f3c7519694f557f198773a.exe	86
PID 3600 wrote to memory of 668	3600	JaffaCakes118_0827cd0968f3c7519694f557f198773a.exe	86
PID 3600 wrote to memory of 668	3600	JaffaCakes118_0827cd0968f3c7519694f557f198773a.exe	86
PID 3036 wrote to memory of 2092	3036	cmd.exe	89
PID 3036 wrote to memory of 2092	3036	cmd.exe	89
PID 3036 wrote to memory of 2092	3036	cmd.exe	89
PID 668 wrote to memory of 1656	668	cmd.exe	90
PID 668 wrote to memory of 1656	668	cmd.exe	90
PID 668 wrote to memory of 1656	668	cmd.exe	90
PID 3600 wrote to memory of 4384	3600	JaffaCakes118_0827cd0968f3c7519694f557f198773a.exe	91
PID 3600 wrote to memory of 4384	3600	JaffaCakes118_0827cd0968f3c7519694f557f198773a.exe	91
PID 3600 wrote to memory of 4384	3600	JaffaCakes118_0827cd0968f3c7519694f557f198773a.exe	91
PID 4384 wrote to memory of 2164	4384	winupdate.exe	92
PID 4384 wrote to memory of 2164	4384	winupdate.exe	92
PID 4384 wrote to memory of 2164	4384	winupdate.exe	92
PID 4384 wrote to memory of 3132	4384	winupdate.exe	93
PID 4384 wrote to memory of 3132	4384	winupdate.exe	93
PID 668 wrote to memory of 4020	668	cmd.exe	95
PID 668 wrote to memory of 4020	668	cmd.exe	95
PID 668 wrote to memory of 4020	668	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0827cd0968f3c7519694f557f198773a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0827cd0968f3c7519694f557f198773a.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3600
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0827cd0968f3c7519694f557f198773a.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2092
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&start "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0827cd0968f3c7519694f557f198773a.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:668
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1656
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4020
- C:\Windupdt\winupdate.exe
  "C:\Windupdt\winupdate.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4384
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:2164
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    PID:3132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windupdt\winupdate.exe

Filesize
246KB

MD5
0827cd0968f3c7519694f557f198773a

SHA1
401f4b753f6ff44313a41faad05123a2fa899973

SHA256
a057f8785315b15d78cf51d4371dc8c52c6512c94b9d85757dc0328db97b46c8

SHA512
b7748d3cb2c5d1c7bba5739900cf4a6dd3bc73bdb8cd57da806b738ad7bf31c691f801b90e9e69d4ec681c349dd439b86936cbb2bd2bf81d74544adec6786eaf

Download Submit
memory/3600-0-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3600-1-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/3600-37-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4384-38-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/4384-39-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4384-40-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4384-41-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4384-43-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4384-44-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4384-47-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4384-48-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads