darkcomet | 01eeaec2582724bff9646c88fb477ea945f55915dfd0da9d619a404797820e5a

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/01/2025, 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_0fe6a2ad84739f138c16c693028072c2.exe
Size

1.9MB
MD5

0fe6a2ad84739f138c16c693028072c2
SHA1

50ffc480400d902ce23dbabe7559a057850938d7
SHA256

01eeaec2582724bff9646c88fb477ea945f55915dfd0da9d619a404797820e5a
SHA512

80f92cd708f32bb6aa7398dda7a2652433f95ffcb178fb0186dcdcdd97ba7dcc0a448b02e4a754b379d568bf562ca173fc7517958326ecbc6f5c548c2bf165f3
SSDEEP

24576:kV1HEA3zhTIzjvfn+Hg5z8OdXGkTIjF66310:kDGyB1

Score

10^/10

darkcomet discovery persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	explorer.exe

Executes dropped EXE 2 IoCs

pid	Process
2260	explorer.exe
2660	msdcsc.exe

Loads dropped DLL 3 IoCs

pid	Process
2340	JaffaCakes118_0fe6a2ad84739f138c16c693028072c2.exe
2340	JaffaCakes118_0fe6a2ad84739f138c16c693028072c2.exe
2260	explorer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	explorer.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	explorer.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2340 set thread context of 2260	2340	JaffaCakes118_0fe6a2ad84739f138c16c693028072c2.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0fe6a2ad84739f138c16c693028072c2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2900	PING.EXE
1520	PING.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1520	PING.EXE
2900	PING.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2340	JaffaCakes118_0fe6a2ad84739f138c16c693028072c2.exe
2340	JaffaCakes118_0fe6a2ad84739f138c16c693028072c2.exe
2340	JaffaCakes118_0fe6a2ad84739f138c16c693028072c2.exe
2340	JaffaCakes118_0fe6a2ad84739f138c16c693028072c2.exe
2340	JaffaCakes118_0fe6a2ad84739f138c16c693028072c2.exe
2340	JaffaCakes118_0fe6a2ad84739f138c16c693028072c2.exe
2340	JaffaCakes118_0fe6a2ad84739f138c16c693028072c2.exe
2340	JaffaCakes118_0fe6a2ad84739f138c16c693028072c2.exe
2340	JaffaCakes118_0fe6a2ad84739f138c16c693028072c2.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2340	JaffaCakes118_0fe6a2ad84739f138c16c693028072c2.exe
Token: SeIncreaseQuotaPrivilege	2260	explorer.exe
Token: SeSecurityPrivilege	2260	explorer.exe
Token: SeTakeOwnershipPrivilege	2260	explorer.exe
Token: SeLoadDriverPrivilege	2260	explorer.exe
Token: SeSystemProfilePrivilege	2260	explorer.exe
Token: SeSystemtimePrivilege	2260	explorer.exe
Token: SeProfSingleProcessPrivilege	2260	explorer.exe
Token: SeIncBasePriorityPrivilege	2260	explorer.exe
Token: SeCreatePagefilePrivilege	2260	explorer.exe
Token: SeBackupPrivilege	2260	explorer.exe
Token: SeRestorePrivilege	2260	explorer.exe
Token: SeShutdownPrivilege	2260	explorer.exe
Token: SeDebugPrivilege	2260	explorer.exe
Token: SeSystemEnvironmentPrivilege	2260	explorer.exe
Token: SeChangeNotifyPrivilege	2260	explorer.exe
Token: SeRemoteShutdownPrivilege	2260	explorer.exe
Token: SeUndockPrivilege	2260	explorer.exe
Token: SeManageVolumePrivilege	2260	explorer.exe
Token: SeImpersonatePrivilege	2260	explorer.exe
Token: SeCreateGlobalPrivilege	2260	explorer.exe
Token: 33	2260	explorer.exe
Token: 34	2260	explorer.exe
Token: 35	2260	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2260	explorer.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2260	explorer.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2524	2340	JaffaCakes118_0fe6a2ad84739f138c16c693028072c2.exe	31
PID 2340 wrote to memory of 2524	2340	JaffaCakes118_0fe6a2ad84739f138c16c693028072c2.exe	31
PID 2340 wrote to memory of 2524	2340	JaffaCakes118_0fe6a2ad84739f138c16c693028072c2.exe	31
PID 2340 wrote to memory of 2524	2340	JaffaCakes118_0fe6a2ad84739f138c16c693028072c2.exe	31
PID 2340 wrote to memory of 2260	2340	JaffaCakes118_0fe6a2ad84739f138c16c693028072c2.exe	32
PID 2340 wrote to memory of 2260	2340	JaffaCakes118_0fe6a2ad84739f138c16c693028072c2.exe	32
PID 2340 wrote to memory of 2260	2340	JaffaCakes118_0fe6a2ad84739f138c16c693028072c2.exe	32
PID 2340 wrote to memory of 2260	2340	JaffaCakes118_0fe6a2ad84739f138c16c693028072c2.exe	32
PID 2340 wrote to memory of 2260	2340	JaffaCakes118_0fe6a2ad84739f138c16c693028072c2.exe	32
PID 2340 wrote to memory of 2260	2340	JaffaCakes118_0fe6a2ad84739f138c16c693028072c2.exe	32
PID 2340 wrote to memory of 2260	2340	JaffaCakes118_0fe6a2ad84739f138c16c693028072c2.exe	32
PID 2340 wrote to memory of 2260	2340	JaffaCakes118_0fe6a2ad84739f138c16c693028072c2.exe	32
PID 2340 wrote to memory of 2260	2340	JaffaCakes118_0fe6a2ad84739f138c16c693028072c2.exe	32
PID 2340 wrote to memory of 2260	2340	JaffaCakes118_0fe6a2ad84739f138c16c693028072c2.exe	32
PID 2340 wrote to memory of 2260	2340	JaffaCakes118_0fe6a2ad84739f138c16c693028072c2.exe	32
PID 2340 wrote to memory of 2260	2340	JaffaCakes118_0fe6a2ad84739f138c16c693028072c2.exe	32
PID 2340 wrote to memory of 2260	2340	JaffaCakes118_0fe6a2ad84739f138c16c693028072c2.exe	32
PID 2260 wrote to memory of 2052	2260	explorer.exe	33
PID 2260 wrote to memory of 2052	2260	explorer.exe	33
PID 2260 wrote to memory of 2052	2260	explorer.exe	33
PID 2260 wrote to memory of 2052	2260	explorer.exe	33
PID 2260 wrote to memory of 2784	2260	explorer.exe	35
PID 2260 wrote to memory of 2784	2260	explorer.exe	35
PID 2260 wrote to memory of 2784	2260	explorer.exe	35
PID 2260 wrote to memory of 2784	2260	explorer.exe	35
PID 2784 wrote to memory of 1520	2784	cmd.exe	37
PID 2784 wrote to memory of 1520	2784	cmd.exe	37
PID 2784 wrote to memory of 1520	2784	cmd.exe	37
PID 2784 wrote to memory of 1520	2784	cmd.exe	37
PID 2052 wrote to memory of 2900	2052	cmd.exe	38
PID 2052 wrote to memory of 2900	2052	cmd.exe	38
PID 2052 wrote to memory of 2900	2052	cmd.exe	38
PID 2052 wrote to memory of 2900	2052	cmd.exe	38
PID 2260 wrote to memory of 2660	2260	explorer.exe	39
PID 2260 wrote to memory of 2660	2260	explorer.exe	39
PID 2260 wrote to memory of 2660	2260	explorer.exe	39
PID 2260 wrote to memory of 2660	2260	explorer.exe	39

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0fe6a2ad84739f138c16c693028072c2.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0fe6a2ad84739f138c16c693028072c2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Users\Admin\AppData\Local\Temp\winamp\explorer.exe
  C:\Users\Admin\AppData\Local\Temp\\winamp\explorer.exe
  2⤵
  PID:2524
- C:\Users\Admin\AppData\Local\Temp\winamp\explorer.exe
  C:\Users\Admin\AppData\Local\Temp\\winamp\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 5
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2900
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 5
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1520
- - C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat

Filesize
57B

MD5
587f169ca6df07509139537213fb2516

SHA1
37d2655f96dd86198d4fc32b8d4bcc420eaf05a1

SHA256
597bbec7fbee6a1c1b228449b33b9940f0b20918e2ca92f501ee413f823b4e57

SHA512
98ab34014bdd457b2f619fc39fe237cf6e53b00b422248456d737a7da089eeb5843ddcd728815ad9426647848629df747cec9bf65f60d7fb55dc14cbf42e5879

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat

Filesize
82B

MD5
35d96e874ae0a97b4464c075405abd90

SHA1
1bc253a3e046a221d448ff19509abd57994f203a

SHA256
a8cbec11cd44fcc0dbc150d99fde233c9cdfdbed5a78e87449a000f6993c7b34

SHA512
6e5f180cbc2c9cdde5fe2721092c6c0599f3c9900711082a4690a25478fd6fba7b3c6d75f771e474317ad27e5ac378bc19d4d6570cac7e8f76411da6fd8cd46a

Download Submit
\Users\Admin\AppData\Local\Temp\winamp\explorer.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
memory/2260-26-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2260-22-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2260-29-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2260-58-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2260-30-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2260-20-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2260-28-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2260-11-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2260-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2260-16-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2260-14-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2260-13-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2260-12-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2260-18-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2340-0-0x00000000749E1000-0x00000000749E2000-memory.dmp

Filesize
4KB

Download
memory/2340-2-0x00000000749E0000-0x0000000074F8B000-memory.dmp

Filesize
5.7MB

Download
memory/2340-1-0x00000000749E0000-0x0000000074F8B000-memory.dmp

Filesize
5.7MB

Download
memory/2340-31-0x00000000749E0000-0x0000000074F8B000-memory.dmp

Filesize
5.7MB

Download