darkcomet | 43dae29cd78435bf66ef5fe4f28a2450f2ef0817eb5464b199bc9cbf1bcb9b7d

Analysis

max time kernel
147s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-01-2025 16:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe
Size

1016KB
MD5

19440ea43f191a1dfddab2d1304ce41d
SHA1

bfca30a3717e82bb1628ebe618b2ad643113111f
SHA256

43dae29cd78435bf66ef5fe4f28a2450f2ef0817eb5464b199bc9cbf1bcb9b7d
SHA512

63dc43aae9fc9c1878a6916857cbd74a74c9ce19abb91a4eb2d27a60cc7694f9e3889f918a2be41183b77d7c6214050546dcbb72eaf8d82d35677964c2f8c523
SSDEEP

12288:qkd9asya3CevNS8eIfkJMx3zUWOBv6KxYP2iq5zgDCTQqHBtveUK2/k1JHnKlKeN:Vcst3CMlx2qb8vxYvTDdqH6Ul/k3Hnh

Score

10^/10

darkcomet guest16 defense_evasion discovery rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

monasalam.no-ip.org:443

192.168.80.128:443

Mutex

DC_MUTEX-9TJWCM4

Attributes

gencode
Qa5T4Rt0Td8L
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies firewall policy service 3 TTPs 3 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	sarsaaasop.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	sarsaaasop.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	sarsaaasop.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FacbookUpdate.exe	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FacbookUpdate.exe	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d1.exe

Executes dropped EXE 2 IoCs

pid	Process
2896	sarsaaasop.exe
1968	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d1.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 32 set thread context of 2896	32	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sarsaaasop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1864	cmd.exe
2884	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2884	PING.EXE

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2896	sarsaaasop.exe
Token: SeSecurityPrivilege	2896	sarsaaasop.exe
Token: SeTakeOwnershipPrivilege	2896	sarsaaasop.exe
Token: SeLoadDriverPrivilege	2896	sarsaaasop.exe
Token: SeSystemProfilePrivilege	2896	sarsaaasop.exe
Token: SeSystemtimePrivilege	2896	sarsaaasop.exe
Token: SeProfSingleProcessPrivilege	2896	sarsaaasop.exe
Token: SeIncBasePriorityPrivilege	2896	sarsaaasop.exe
Token: SeCreatePagefilePrivilege	2896	sarsaaasop.exe
Token: SeBackupPrivilege	2896	sarsaaasop.exe
Token: SeRestorePrivilege	2896	sarsaaasop.exe
Token: SeShutdownPrivilege	2896	sarsaaasop.exe
Token: SeDebugPrivilege	2896	sarsaaasop.exe
Token: SeSystemEnvironmentPrivilege	2896	sarsaaasop.exe
Token: SeChangeNotifyPrivilege	2896	sarsaaasop.exe
Token: SeRemoteShutdownPrivilege	2896	sarsaaasop.exe
Token: SeUndockPrivilege	2896	sarsaaasop.exe
Token: SeManageVolumePrivilege	2896	sarsaaasop.exe
Token: SeImpersonatePrivilege	2896	sarsaaasop.exe
Token: SeCreateGlobalPrivilege	2896	sarsaaasop.exe
Token: 33	2896	sarsaaasop.exe
Token: 34	2896	sarsaaasop.exe
Token: 35	2896	sarsaaasop.exe
Token: 36	2896	sarsaaasop.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2896	sarsaaasop.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 32 wrote to memory of 2896	32	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe	84
PID 32 wrote to memory of 2896	32	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe	84
PID 32 wrote to memory of 2896	32	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe	84
PID 32 wrote to memory of 2896	32	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe	84
PID 32 wrote to memory of 2896	32	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe	84
PID 32 wrote to memory of 2896	32	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe	84
PID 32 wrote to memory of 2896	32	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe	84
PID 32 wrote to memory of 2896	32	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe	84
PID 32 wrote to memory of 2896	32	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe	84
PID 32 wrote to memory of 2896	32	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe	84
PID 32 wrote to memory of 2896	32	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe	84
PID 32 wrote to memory of 2896	32	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe	84
PID 32 wrote to memory of 2896	32	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe	84
PID 32 wrote to memory of 2896	32	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe	84
PID 32 wrote to memory of 1504	32	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe	86
PID 32 wrote to memory of 1504	32	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe	86
PID 32 wrote to memory of 1504	32	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe	86
PID 1504 wrote to memory of 1900	1504	vbc.exe	88
PID 1504 wrote to memory of 1900	1504	vbc.exe	88
PID 1504 wrote to memory of 1900	1504	vbc.exe	88
PID 32 wrote to memory of 1968	32	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe	89
PID 32 wrote to memory of 1968	32	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe	89
PID 32 wrote to memory of 1968	32	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe	89
PID 32 wrote to memory of 1864	32	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe	90
PID 32 wrote to memory of 1864	32	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe	90
PID 32 wrote to memory of 1864	32	JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe	90
PID 1864 wrote to memory of 2884	1864	cmd.exe	92
PID 1864 wrote to memory of 2884	1864	cmd.exe	92
PID 1864 wrote to memory of 2884	1864	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:32
- C:\Users\Admin\AppData\Local\Temp\plugtemp\sarsaaasop.exe
  C:\Users\Admin\AppData\Local\Temp\\plugtemp\sarsaaasop.exe
  2⤵
  - Modifies firewall policy service
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2896
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h5cxjmw-.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA0B4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE0105C032D0A42BE9E60485BE5F1FA3C.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1900
- C:\Users\Admin\AppData\Roaming\JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d1.exe
  "C:\Users\Admin\AppData\Roaming\JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d1.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1968
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA0B4.tmp

Filesize
1KB

MD5
b277392ccab5b7d632e33fe041e692ba

SHA1
013f384272ad568c58908beaf8578e6c0ec05e8c

SHA256
374edff997b3e7a379d5f32cbec6176321ce297b477f241cacd04f6365b6bdfa

SHA512
2a5d8677872e5c3eb693bf4008ffad463c433c39312a36f4d7519b5f8e3e5aebba50133d625c3baa522663c9995e5e16068551d8712462d175924a73b9fa9b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\h5cxjmw-.0.vb

Filesize
348B

MD5
1b90b7c93fe53f8935f3459088971a3e

SHA1
99139c5a7e08e545958f8a9f6421e11526c2fb41

SHA256
922243616dc55b2e46b8bd123327c2f801ae2e7698a632d9d361777e68b4dfb8

SHA512
8b64721902e41199c7a72d903b77776d7c7d1cfa13a3e372e71e3b45f8dab76fe29c6d13bd12e7ac4fb5995de39c5bfa7cd38109e2d33045a506048ba3d298b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h5cxjmw-.cmdline

Filesize
235B

MD5
0e09c3e0001cb2d1cfc535ffb87e34c5

SHA1
885cf3e0319f02857b84705e00529e7e7eab8d81

SHA256
7ae1969f9b8382faa04b3d0cbe4fb5eb3e0f3affa45895e6e7945c8db83847fd

SHA512
23baf8b4ef9c82eb189f5f5d8ee3141158e2afaf6faf913606fe7959f1041cb2a1c6dddd80f66c5380686dc0d27274e4041c7b8f769cece0359c09ed3e3cca73

Download Submit
C:\Users\Admin\AppData\Local\Temp\plugtemp\sarsaaasop.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE0105C032D0A42BE9E60485BE5F1FA3C.TMP

Filesize
804B

MD5
88424db36dad77f72a23191d9a8c8581

SHA1
a607d742fa645ac5aa20ac14c5940d7e8707986e

SHA256
4e20865753d9e3dad8c7f150dd40873935135bb8c22cadd244dd032b2e33b772

SHA512
62a956ce322bf7a399d500a230db1dc2770e5e925b35bb6be46ff18cbe8f6aa465044eddb519d92322f9da12568a1e10bce62994c1ac780f32de84a4d588dfaf

Download Submit
C:\Users\Admin\AppData\Roaming\JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d.exe

Filesize
1016KB

MD5
19440ea43f191a1dfddab2d1304ce41d

SHA1
bfca30a3717e82bb1628ebe618b2ad643113111f

SHA256
43dae29cd78435bf66ef5fe4f28a2450f2ef0817eb5464b199bc9cbf1bcb9b7d

SHA512
63dc43aae9fc9c1878a6916857cbd74a74c9ce19abb91a4eb2d27a60cc7694f9e3889f918a2be41183b77d7c6214050546dcbb72eaf8d82d35677964c2f8c523

Download Submit
C:\Users\Admin\AppData\Roaming\JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d1.exe

Filesize
6KB

MD5
ae622830a5b41c3d695d67506fd0336c

SHA1
118cc0a1c8827ccaa9cc41b38502cd20df99e1eb

SHA256
b3fa0233a6b659d4714874c578bde7b160ad8d2fbf3c706f19f8f035a33542a8

SHA512
58e36601d530b301ff1beb45becbb3d732ecd00baa12a7c0e8941c316303e892d311ef92910f2b213898dd80c2c38df9b5c3ca3493b2d119cd96aad67648db5f

Download Submit
memory/32-38-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/32-40-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/32-0-0x0000000074DE2000-0x0000000074DE3000-memory.dmp

Filesize
4KB

Download
memory/32-2-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/32-16-0x0000000074DE2000-0x0000000074DE3000-memory.dmp

Filesize
4KB

Download
memory/32-17-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/32-1-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/1504-23-0x00000000021F0000-0x0000000002200000-memory.dmp

Filesize
64KB

Download
memory/2896-14-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2896-15-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2896-13-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/2896-12-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2896-10-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2896-9-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2896-6-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2896-41-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2896-43-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2896-45-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2896-47-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2896-49-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2896-51-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads