darkcomet | 668bea6440d7fd00d66634d52a81c74f6adce39cbb23941d5387c1864f5084f2

Analysis

max time kernel
106s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23-01-2025 07:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_14f20e80c9c0b26ac7ec19a031e04f44.exe
Size

773KB
MD5

14f20e80c9c0b26ac7ec19a031e04f44
SHA1

a5321cf59576ff953507f18e06d88de66dd28a55
SHA256

668bea6440d7fd00d66634d52a81c74f6adce39cbb23941d5387c1864f5084f2
SHA512

41750f106ed747a5a5d94104d6594619b9e48bff3150cc34f698040ed3057935072bbdd496213513431747d2a02a181ec82dc22eb0ac6ad1691dcd5705ef29e2
SSDEEP

12288:4nEz6xzUj4DAXf7iD0LqRPLWXt1HOXoKxRDgTEN7mxj6lEicQnTmx/wr1k2EO24g:4aP7ii59Y8wZkR34B+OJaXKLTPuEtO

Score

10^/10

darkcomet hawkeye discovery keylogger persistence rat spyware stealer trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Hawkeye family
hawkeye

Executes dropped EXE 5 IoCs

pid	Process
2884	svchost.exe
2900	svchost.exe
2772	audiodgi.exe
976	wmpmetwk.exe
2180	wmpmetwk.exe

Loads dropped DLL 7 IoCs

pid	Process
2108	JaffaCakes118_14f20e80c9c0b26ac7ec19a031e04f44.exe
2108	JaffaCakes118_14f20e80c9c0b26ac7ec19a031e04f44.exe
2884	svchost.exe
2884	svchost.exe
2772	audiodgi.exe
2772	audiodgi.exe
976	wmpmetwk.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2884 set thread context of 2900	2884	svchost.exe	31
PID 976 set thread context of 2180	976	wmpmetwk.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_14f20e80c9c0b26ac7ec19a031e04f44.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpmetwk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpmetwk.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2884	svchost.exe
2772	audiodgi.exe
976	wmpmetwk.exe
2884	svchost.exe
2772	audiodgi.exe
976	wmpmetwk.exe
2884	svchost.exe
2772	audiodgi.exe
976	wmpmetwk.exe
2884	svchost.exe
2772	audiodgi.exe
976	wmpmetwk.exe
2884	svchost.exe
2772	audiodgi.exe
976	wmpmetwk.exe
2884	svchost.exe
2772	audiodgi.exe
976	wmpmetwk.exe
2884	svchost.exe
2772	audiodgi.exe
976	wmpmetwk.exe
2884	svchost.exe
2772	audiodgi.exe
976	wmpmetwk.exe
2884	svchost.exe
2772	audiodgi.exe
976	wmpmetwk.exe
2884	svchost.exe
2772	audiodgi.exe
976	wmpmetwk.exe
2884	svchost.exe
2772	audiodgi.exe
976	wmpmetwk.exe
2884	svchost.exe
2772	audiodgi.exe
976	wmpmetwk.exe
2884	svchost.exe
2772	audiodgi.exe
976	wmpmetwk.exe
2884	svchost.exe
2772	audiodgi.exe
976	wmpmetwk.exe
2884	svchost.exe
2772	audiodgi.exe
976	wmpmetwk.exe
2884	svchost.exe
2772	audiodgi.exe
976	wmpmetwk.exe
2884	svchost.exe
2772	audiodgi.exe
976	wmpmetwk.exe
2884	svchost.exe
2772	audiodgi.exe
976	wmpmetwk.exe
2884	svchost.exe
2772	audiodgi.exe
976	wmpmetwk.exe
2884	svchost.exe
2772	audiodgi.exe
976	wmpmetwk.exe
2884	svchost.exe
2772	audiodgi.exe
976	wmpmetwk.exe
2884	svchost.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	2108	JaffaCakes118_14f20e80c9c0b26ac7ec19a031e04f44.exe
Token: SeDebugPrivilege	2884	svchost.exe
Token: SeIncreaseQuotaPrivilege	2900	svchost.exe
Token: SeSecurityPrivilege	2900	svchost.exe
Token: SeTakeOwnershipPrivilege	2900	svchost.exe
Token: SeLoadDriverPrivilege	2900	svchost.exe
Token: SeSystemProfilePrivilege	2900	svchost.exe
Token: SeSystemtimePrivilege	2900	svchost.exe
Token: SeProfSingleProcessPrivilege	2900	svchost.exe
Token: SeIncBasePriorityPrivilege	2900	svchost.exe
Token: SeCreatePagefilePrivilege	2900	svchost.exe
Token: SeBackupPrivilege	2900	svchost.exe
Token: SeRestorePrivilege	2900	svchost.exe
Token: SeShutdownPrivilege	2900	svchost.exe
Token: SeDebugPrivilege	2900	svchost.exe
Token: SeSystemEnvironmentPrivilege	2900	svchost.exe
Token: SeChangeNotifyPrivilege	2900	svchost.exe
Token: SeRemoteShutdownPrivilege	2900	svchost.exe
Token: SeUndockPrivilege	2900	svchost.exe
Token: SeManageVolumePrivilege	2900	svchost.exe
Token: SeImpersonatePrivilege	2900	svchost.exe
Token: SeCreateGlobalPrivilege	2900	svchost.exe
Token: 33	2900	svchost.exe
Token: 34	2900	svchost.exe
Token: 35	2900	svchost.exe
Token: SeDebugPrivilege	2772	audiodgi.exe
Token: SeDebugPrivilege	976	wmpmetwk.exe
Token: SeIncreaseQuotaPrivilege	2180	wmpmetwk.exe
Token: SeSecurityPrivilege	2180	wmpmetwk.exe
Token: SeTakeOwnershipPrivilege	2180	wmpmetwk.exe
Token: SeLoadDriverPrivilege	2180	wmpmetwk.exe
Token: SeSystemProfilePrivilege	2180	wmpmetwk.exe
Token: SeSystemtimePrivilege	2180	wmpmetwk.exe
Token: SeProfSingleProcessPrivilege	2180	wmpmetwk.exe
Token: SeIncBasePriorityPrivilege	2180	wmpmetwk.exe
Token: SeCreatePagefilePrivilege	2180	wmpmetwk.exe
Token: SeBackupPrivilege	2180	wmpmetwk.exe
Token: SeRestorePrivilege	2180	wmpmetwk.exe
Token: SeShutdownPrivilege	2180	wmpmetwk.exe
Token: SeDebugPrivilege	2180	wmpmetwk.exe
Token: SeSystemEnvironmentPrivilege	2180	wmpmetwk.exe
Token: SeChangeNotifyPrivilege	2180	wmpmetwk.exe
Token: SeRemoteShutdownPrivilege	2180	wmpmetwk.exe
Token: SeUndockPrivilege	2180	wmpmetwk.exe
Token: SeManageVolumePrivilege	2180	wmpmetwk.exe
Token: SeImpersonatePrivilege	2180	wmpmetwk.exe
Token: SeCreateGlobalPrivilege	2180	wmpmetwk.exe
Token: 33	2180	wmpmetwk.exe
Token: 34	2180	wmpmetwk.exe
Token: 35	2180	wmpmetwk.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2900	svchost.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2884	2108	JaffaCakes118_14f20e80c9c0b26ac7ec19a031e04f44.exe	30
PID 2108 wrote to memory of 2884	2108	JaffaCakes118_14f20e80c9c0b26ac7ec19a031e04f44.exe	30
PID 2108 wrote to memory of 2884	2108	JaffaCakes118_14f20e80c9c0b26ac7ec19a031e04f44.exe	30
PID 2108 wrote to memory of 2884	2108	JaffaCakes118_14f20e80c9c0b26ac7ec19a031e04f44.exe	30
PID 2884 wrote to memory of 2900	2884	svchost.exe	31
PID 2884 wrote to memory of 2900	2884	svchost.exe	31
PID 2884 wrote to memory of 2900	2884	svchost.exe	31
PID 2884 wrote to memory of 2900	2884	svchost.exe	31
PID 2884 wrote to memory of 2900	2884	svchost.exe	31
PID 2884 wrote to memory of 2900	2884	svchost.exe	31
PID 2884 wrote to memory of 2900	2884	svchost.exe	31
PID 2884 wrote to memory of 2900	2884	svchost.exe	31
PID 2884 wrote to memory of 2900	2884	svchost.exe	31
PID 2884 wrote to memory of 2900	2884	svchost.exe	31
PID 2884 wrote to memory of 2900	2884	svchost.exe	31
PID 2884 wrote to memory of 2900	2884	svchost.exe	31
PID 2884 wrote to memory of 2900	2884	svchost.exe	31
PID 2884 wrote to memory of 2772	2884	svchost.exe	32
PID 2884 wrote to memory of 2772	2884	svchost.exe	32
PID 2884 wrote to memory of 2772	2884	svchost.exe	32
PID 2884 wrote to memory of 2772	2884	svchost.exe	32
PID 2772 wrote to memory of 976	2772	audiodgi.exe	33
PID 2772 wrote to memory of 976	2772	audiodgi.exe	33
PID 2772 wrote to memory of 976	2772	audiodgi.exe	33
PID 2772 wrote to memory of 976	2772	audiodgi.exe	33
PID 976 wrote to memory of 2180	976	wmpmetwk.exe	34
PID 976 wrote to memory of 2180	976	wmpmetwk.exe	34
PID 976 wrote to memory of 2180	976	wmpmetwk.exe	34
PID 976 wrote to memory of 2180	976	wmpmetwk.exe	34
PID 976 wrote to memory of 2180	976	wmpmetwk.exe	34
PID 976 wrote to memory of 2180	976	wmpmetwk.exe	34
PID 976 wrote to memory of 2180	976	wmpmetwk.exe	34
PID 976 wrote to memory of 2180	976	wmpmetwk.exe	34
PID 976 wrote to memory of 2180	976	wmpmetwk.exe	34
PID 976 wrote to memory of 2180	976	wmpmetwk.exe	34
PID 976 wrote to memory of 2180	976	wmpmetwk.exe	34
PID 976 wrote to memory of 2180	976	wmpmetwk.exe	34
PID 976 wrote to memory of 2180	976	wmpmetwk.exe	34

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_14f20e80c9c0b26ac7ec19a031e04f44.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_14f20e80c9c0b26ac7ec19a031e04f44.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    C:\Users\Admin\AppData\Local\Temp\svchost.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2900
- - C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
      "C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:976
    - - C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
        
        C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
87B

MD5
57af7467f6c4033060811bfb9a021caf

SHA1
1be42c721330967f49158dfb5d9429cb6894a537

SHA256
4fe13a67b4cf71da00a79ab8ce446b33701d94679ab5ebf40974ecd594c33371

SHA512
4fd7c9153305fc12ebfbce41fe0d09bb43aa0d59d70fe5e1832a222c3913567e2f16f26ab805e5b8d61c3760274b139e03b7fef6500d73d2b5b9769028086563

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe

Filesize
8KB

MD5
13da1958462e33bd431ed429fbf0da06

SHA1
90699d7b1e43c53b3ed31acc19f3daf758bd4262

SHA256
9fd3a80e2e961f13a35d5637d2401b914d41a32662135c1fded655c73d5b1264

SHA512
84403df4cd56cdae97372b2b63201713d000588c2a7d135eabf65bd85ef70b0b70f30bd30742b0fe0aa0e30fbca1df95755c4c64e24599269b277d7bde9e7263

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
773KB

MD5
14f20e80c9c0b26ac7ec19a031e04f44

SHA1
a5321cf59576ff953507f18e06d88de66dd28a55

SHA256
668bea6440d7fd00d66634d52a81c74f6adce39cbb23941d5387c1864f5084f2

SHA512
41750f106ed747a5a5d94104d6594619b9e48bff3150cc34f698040ed3057935072bbdd496213513431747d2a02a181ec82dc22eb0ac6ad1691dcd5705ef29e2

Download Submit
memory/2108-0-0x0000000074E81000-0x0000000074E82000-memory.dmp

Filesize
4KB

Download
memory/2108-1-0x0000000074E80000-0x000000007542B000-memory.dmp

Filesize
5.7MB

Download
memory/2108-2-0x0000000074E80000-0x000000007542B000-memory.dmp

Filesize
5.7MB

Download
memory/2108-18-0x0000000074E80000-0x000000007542B000-memory.dmp

Filesize
5.7MB

Download
memory/2180-67-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2884-19-0x0000000074E80000-0x000000007542B000-memory.dmp

Filesize
5.7MB

Download
memory/2884-23-0x0000000074E80000-0x000000007542B000-memory.dmp

Filesize
5.7MB

Download
memory/2884-20-0x0000000074E80000-0x000000007542B000-memory.dmp

Filesize
5.7MB

Download
memory/2884-72-0x0000000074E80000-0x000000007542B000-memory.dmp

Filesize
5.7MB

Download
memory/2900-38-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2900-53-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2900-42-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2900-36-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2900-34-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2900-32-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2900-30-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2900-28-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2900-47-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2900-40-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2900-52-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2900-51-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2900-50-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2900-26-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2900-44-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2900-46-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2900-73-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download