darkcomet | 43dae29cd78435bf66ef5fe4f28a2450f2ef0817eb5464b199bc9cbf1bcb9b7d

Analysis

max time kernel
146s
max time network
146s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
23/01/2025, 16:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe
Size

1016KB
MD5

19440ea43f191a1dfddab2d1304ce41d
SHA1

bfca30a3717e82bb1628ebe618b2ad643113111f
SHA256

43dae29cd78435bf66ef5fe4f28a2450f2ef0817eb5464b199bc9cbf1bcb9b7d
SHA512

63dc43aae9fc9c1878a6916857cbd74a74c9ce19abb91a4eb2d27a60cc7694f9e3889f918a2be41183b77d7c6214050546dcbb72eaf8d82d35677964c2f8c523
SSDEEP

12288:qkd9asya3CevNS8eIfkJMx3zUWOBv6KxYP2iq5zgDCTQqHBtveUK2/k1JHnKlKeN:Vcst3CMlx2qb8vxYvTDdqH6Ul/k3Hnh

Score

10^/10

darkcomet guest16 defense_evasion discovery rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

monasalam.no-ip.org:443

192.168.80.128:443

Mutex

DC_MUTEX-9TJWCM4

Attributes

gencode
Qa5T4Rt0Td8L
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies firewall policy service 3 TTPs 3 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	sarsaaasop.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	sarsaaasop.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	sarsaaasop.exe

Deletes itself 1 IoCs

pid	Process
2928	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FacbookUpdate.exe	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FacbookUpdate.exe	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d1.exe

Executes dropped EXE 2 IoCs

pid	Process
2720	sarsaaasop.exe
1776	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d1.exe

Loads dropped DLL 3 IoCs

pid	Process
2184	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe
2184	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe
2184	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2184 set thread context of 2720	2184	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sarsaaasop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1992	PING.EXE
2928	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1992	PING.EXE

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2720	sarsaaasop.exe
Token: SeSecurityPrivilege	2720	sarsaaasop.exe
Token: SeTakeOwnershipPrivilege	2720	sarsaaasop.exe
Token: SeLoadDriverPrivilege	2720	sarsaaasop.exe
Token: SeSystemProfilePrivilege	2720	sarsaaasop.exe
Token: SeSystemtimePrivilege	2720	sarsaaasop.exe
Token: SeProfSingleProcessPrivilege	2720	sarsaaasop.exe
Token: SeIncBasePriorityPrivilege	2720	sarsaaasop.exe
Token: SeCreatePagefilePrivilege	2720	sarsaaasop.exe
Token: SeBackupPrivilege	2720	sarsaaasop.exe
Token: SeRestorePrivilege	2720	sarsaaasop.exe
Token: SeShutdownPrivilege	2720	sarsaaasop.exe
Token: SeDebugPrivilege	2720	sarsaaasop.exe
Token: SeSystemEnvironmentPrivilege	2720	sarsaaasop.exe
Token: SeChangeNotifyPrivilege	2720	sarsaaasop.exe
Token: SeRemoteShutdownPrivilege	2720	sarsaaasop.exe
Token: SeUndockPrivilege	2720	sarsaaasop.exe
Token: SeManageVolumePrivilege	2720	sarsaaasop.exe
Token: SeImpersonatePrivilege	2720	sarsaaasop.exe
Token: SeCreateGlobalPrivilege	2720	sarsaaasop.exe
Token: 33	2720	sarsaaasop.exe
Token: 34	2720	sarsaaasop.exe
Token: 35	2720	sarsaaasop.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2720	sarsaaasop.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2720	2184	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe	31
PID 2184 wrote to memory of 2720	2184	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe	31
PID 2184 wrote to memory of 2720	2184	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe	31
PID 2184 wrote to memory of 2720	2184	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe	31
PID 2184 wrote to memory of 2720	2184	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe	31
PID 2184 wrote to memory of 2720	2184	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe	31
PID 2184 wrote to memory of 2720	2184	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe	31
PID 2184 wrote to memory of 2720	2184	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe	31
PID 2184 wrote to memory of 2720	2184	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe	31
PID 2184 wrote to memory of 2720	2184	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe	31
PID 2184 wrote to memory of 2720	2184	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe	31
PID 2184 wrote to memory of 2720	2184	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe	31
PID 2184 wrote to memory of 2720	2184	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe	31
PID 2184 wrote to memory of 2820	2184	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe	32
PID 2184 wrote to memory of 2820	2184	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe	32
PID 2184 wrote to memory of 2820	2184	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe	32
PID 2184 wrote to memory of 2820	2184	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe	32
PID 2820 wrote to memory of 2580	2820	vbc.exe	34
PID 2820 wrote to memory of 2580	2820	vbc.exe	34
PID 2820 wrote to memory of 2580	2820	vbc.exe	34
PID 2820 wrote to memory of 2580	2820	vbc.exe	34
PID 2184 wrote to memory of 1776	2184	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe	35
PID 2184 wrote to memory of 1776	2184	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe	35
PID 2184 wrote to memory of 1776	2184	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe	35
PID 2184 wrote to memory of 1776	2184	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe	35
PID 2184 wrote to memory of 2928	2184	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe	36
PID 2184 wrote to memory of 2928	2184	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe	36
PID 2184 wrote to memory of 2928	2184	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe	36
PID 2184 wrote to memory of 2928	2184	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe	36
PID 2928 wrote to memory of 1992	2928	cmd.exe	38
PID 2928 wrote to memory of 1992	2928	cmd.exe	38
PID 2928 wrote to memory of 1992	2928	cmd.exe	38
PID 2928 wrote to memory of 1992	2928	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Users\Admin\AppData\Local\Temp\plugtemp\sarsaaasop.exe
  C:\Users\Admin\AppData\Local\Temp\\plugtemp\sarsaaasop.exe
  2⤵
  - Modifies firewall policy service
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2720
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rdnsnsrr.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES205.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc204.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2580
- C:\Users\Admin\AppData\Roaming\JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d1.exe
  "C:\Users\Admin\AppData\Roaming\JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d1.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1776
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES205.tmp

Filesize
1KB

MD5
f6e9fc7cb170f857fcf0a36c1df280b5

SHA1
733c43dd0d8fea4a8b5368f40a93946e25bd0da3

SHA256
55d976006c6b0d57cbe929a55e118e80a44bc5baa862f3d12ff614de3bdee29b

SHA512
4998c8208cf65f666f4c9c3bda363482542b222d269eb66e6cd2b80789ff1503f820ca7572722089731c019fa10679083aa12fe8a9f85300fbc1c76492b4b757

Download Submit
C:\Users\Admin\AppData\Local\Temp\rdnsnsrr.0.vb

Filesize
348B

MD5
1b90b7c93fe53f8935f3459088971a3e

SHA1
99139c5a7e08e545958f8a9f6421e11526c2fb41

SHA256
922243616dc55b2e46b8bd123327c2f801ae2e7698a632d9d361777e68b4dfb8

SHA512
8b64721902e41199c7a72d903b77776d7c7d1cfa13a3e372e71e3b45f8dab76fe29c6d13bd12e7ac4fb5995de39c5bfa7cd38109e2d33045a506048ba3d298b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\rdnsnsrr.cmdline

Filesize
235B

MD5
8be627769ba97b9cf62fecbb382b0484

SHA1
5bede7d4f0a4f0e6cf26041a41b0106e79f0061b

SHA256
7895bd7e36d840f0267520b32009499c1c7ded04af6b0046a48c77a2bd50e02e

SHA512
f343324c88f63ba96c8c28b1dba3146d2abcc56d3f33c60b9f7776c6d68fb53fd51583e20d3803218f2b9861cc8adbf4450e6cad0ee07eee7a52048ab5986fb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc204.tmp

Filesize
804B

MD5
88424db36dad77f72a23191d9a8c8581

SHA1
a607d742fa645ac5aa20ac14c5940d7e8707986e

SHA256
4e20865753d9e3dad8c7f150dd40873935135bb8c22cadd244dd032b2e33b772

SHA512
62a956ce322bf7a399d500a230db1dc2770e5e925b35bb6be46ff18cbe8f6aa465044eddb519d92322f9da12568a1e10bce62994c1ac780f32de84a4d588dfaf

Download Submit
C:\Users\Admin\AppData\Roaming\JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe

Filesize
1016KB

MD5
19440ea43f191a1dfddab2d1304ce41d

SHA1
bfca30a3717e82bb1628ebe618b2ad643113111f

SHA256
43dae29cd78435bf66ef5fe4f28a2450f2ef0817eb5464b199bc9cbf1bcb9b7d

SHA512
63dc43aae9fc9c1878a6916857cbd74a74c9ce19abb91a4eb2d27a60cc7694f9e3889f918a2be41183b77d7c6214050546dcbb72eaf8d82d35677964c2f8c523

Download Submit
C:\Users\Admin\AppData\Roaming\JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d1.exe

Filesize
6KB

MD5
7ad20fafe0ae87c501ee69ef930d6871

SHA1
16b0b82f34a68c51cfa8e79485000b9ea2c103a4

SHA256
fdc79d14d5d85bbca0fe422b1dfe9d9c885945d8332bcf4f30ab203513717f78

SHA512
4a8629ee612611c6de2a4881c0c2ebc580e0601e4f5f69514f2040c09a1eacf9475c1e948a98befee627348c4332d05958a279066cd06b862a1edef8ed2aa0b2

Download Submit
\Users\Admin\AppData\Local\Temp\plugtemp\sarsaaasop.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
memory/2184-30-0x0000000074DF0000-0x000000007539B000-memory.dmp

Filesize
5.7MB

Download
memory/2184-1-0x0000000074DF0000-0x000000007539B000-memory.dmp

Filesize
5.7MB

Download
memory/2184-2-0x0000000074DF0000-0x000000007539B000-memory.dmp

Filesize
5.7MB

Download
memory/2184-53-0x0000000074DF0000-0x000000007539B000-memory.dmp

Filesize
5.7MB

Download
memory/2184-0-0x0000000074DF1000-0x0000000074DF2000-memory.dmp

Filesize
4KB

Download
memory/2720-17-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2720-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2720-12-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2720-24-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2720-25-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2720-26-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2720-29-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2720-28-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2720-13-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2720-15-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2720-67-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2720-16-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2720-18-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2720-10-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2720-65-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2720-21-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2720-23-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2720-8-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2720-54-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2720-57-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2720-59-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2720-61-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2720-63-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2820-45-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2820-36-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads