darkcomet | 16d6ba49863d65c4377d5b4b3bc03882ce644435de0fa568a56dc597e0aa0b9e

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2025 07:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe
Size

743KB
MD5

3d50a9707cd3d351e41b1c03ac348747
SHA1

0b812ea13f265570dc3a2b856daf9eba681cc38b
SHA256

16d6ba49863d65c4377d5b4b3bc03882ce644435de0fa568a56dc597e0aa0b9e
SHA512

5e594923ab3bf14bef7f84fbe950bc82b2ecdd73781760e3571a4b87a5b054446bd107689fe6d1e4b7c50f950d052caef91595713f8679bc3f8d45a1cdbe7bfd
SSDEEP

12288:WK9n5bJYhJubTiKKe0Qz9sS8kEQ2LnbK5BO3V2V715a1jHxQ+Ga6L2uUYEHYhwy:55FY3ubTiKr0Qz9sPk72X3QUzyra6L2V

Score

10^/10

darkcomet guest16 defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

danielschmidt.sytes.net:1604

Mutex

DC_MUTEX-54QW4V1

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
SWwC3SJbg4EW
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1184	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe

Deletes itself 1 IoCs

pid	Process
2920	notepad.exe

Executes dropped EXE 1 IoCs

pid	Process
4112	msdcsc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4112	msdcsc.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4768	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe
Token: SeSecurityPrivilege	4768	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe
Token: SeTakeOwnershipPrivilege	4768	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe
Token: SeLoadDriverPrivilege	4768	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe
Token: SeSystemProfilePrivilege	4768	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe
Token: SeSystemtimePrivilege	4768	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe
Token: SeProfSingleProcessPrivilege	4768	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe
Token: SeIncBasePriorityPrivilege	4768	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe
Token: SeCreatePagefilePrivilege	4768	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe
Token: SeBackupPrivilege	4768	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe
Token: SeRestorePrivilege	4768	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe
Token: SeShutdownPrivilege	4768	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe
Token: SeDebugPrivilege	4768	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe
Token: SeSystemEnvironmentPrivilege	4768	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe
Token: SeChangeNotifyPrivilege	4768	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe
Token: SeRemoteShutdownPrivilege	4768	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe
Token: SeUndockPrivilege	4768	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe
Token: SeManageVolumePrivilege	4768	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe
Token: SeImpersonatePrivilege	4768	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe
Token: SeCreateGlobalPrivilege	4768	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe
Token: 33	4768	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe
Token: 34	4768	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe
Token: 35	4768	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe
Token: 36	4768	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe
Token: SeIncreaseQuotaPrivilege	4112	msdcsc.exe
Token: SeSecurityPrivilege	4112	msdcsc.exe
Token: SeTakeOwnershipPrivilege	4112	msdcsc.exe
Token: SeLoadDriverPrivilege	4112	msdcsc.exe
Token: SeSystemProfilePrivilege	4112	msdcsc.exe
Token: SeSystemtimePrivilege	4112	msdcsc.exe
Token: SeProfSingleProcessPrivilege	4112	msdcsc.exe
Token: SeIncBasePriorityPrivilege	4112	msdcsc.exe
Token: SeCreatePagefilePrivilege	4112	msdcsc.exe
Token: SeBackupPrivilege	4112	msdcsc.exe
Token: SeRestorePrivilege	4112	msdcsc.exe
Token: SeShutdownPrivilege	4112	msdcsc.exe
Token: SeDebugPrivilege	4112	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	4112	msdcsc.exe
Token: SeChangeNotifyPrivilege	4112	msdcsc.exe
Token: SeRemoteShutdownPrivilege	4112	msdcsc.exe
Token: SeUndockPrivilege	4112	msdcsc.exe
Token: SeManageVolumePrivilege	4112	msdcsc.exe
Token: SeImpersonatePrivilege	4112	msdcsc.exe
Token: SeCreateGlobalPrivilege	4112	msdcsc.exe
Token: 33	4112	msdcsc.exe
Token: 34	4112	msdcsc.exe
Token: 35	4112	msdcsc.exe
Token: 36	4112	msdcsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4112	msdcsc.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 4552	4768	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe	83
PID 4768 wrote to memory of 4552	4768	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe	83
PID 4768 wrote to memory of 4552	4768	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe	83
PID 4768 wrote to memory of 2920	4768	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe	85
PID 4768 wrote to memory of 2920	4768	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe	85
PID 4768 wrote to memory of 2920	4768	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe	85
PID 4768 wrote to memory of 2920	4768	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe	85
PID 4768 wrote to memory of 2920	4768	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe	85
PID 4768 wrote to memory of 2920	4768	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe	85
PID 4768 wrote to memory of 2920	4768	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe	85
PID 4768 wrote to memory of 2920	4768	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe	85
PID 4768 wrote to memory of 2920	4768	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe	85
PID 4768 wrote to memory of 2920	4768	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe	85
PID 4768 wrote to memory of 2920	4768	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe	85
PID 4768 wrote to memory of 2920	4768	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe	85
PID 4768 wrote to memory of 2920	4768	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe	85
PID 4768 wrote to memory of 2920	4768	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe	85
PID 4768 wrote to memory of 2920	4768	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe	85
PID 4768 wrote to memory of 2920	4768	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe	85
PID 4768 wrote to memory of 2920	4768	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe	85
PID 4552 wrote to memory of 1184	4552	cmd.exe	86
PID 4552 wrote to memory of 1184	4552	cmd.exe	86
PID 4552 wrote to memory of 1184	4552	cmd.exe	86
PID 4768 wrote to memory of 4112	4768	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe	87
PID 4768 wrote to memory of 4112	4768	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe	87
PID 4768 wrote to memory of 4112	4768	JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe	87
PID 4112 wrote to memory of 1420	4112	msdcsc.exe	88
PID 4112 wrote to memory of 1420	4112	msdcsc.exe	88
PID 4112 wrote to memory of 1420	4112	msdcsc.exe	88
PID 4112 wrote to memory of 1420	4112	msdcsc.exe	88
PID 4112 wrote to memory of 1420	4112	msdcsc.exe	88
PID 4112 wrote to memory of 1420	4112	msdcsc.exe	88
PID 4112 wrote to memory of 1420	4112	msdcsc.exe	88
PID 4112 wrote to memory of 1420	4112	msdcsc.exe	88
PID 4112 wrote to memory of 1420	4112	msdcsc.exe	88
PID 4112 wrote to memory of 1420	4112	msdcsc.exe	88
PID 4112 wrote to memory of 1420	4112	msdcsc.exe	88
PID 4112 wrote to memory of 1420	4112	msdcsc.exe	88
PID 4112 wrote to memory of 1420	4112	msdcsc.exe	88
PID 4112 wrote to memory of 1420	4112	msdcsc.exe	88
PID 4112 wrote to memory of 1420	4112	msdcsc.exe	88
PID 4112 wrote to memory of 1420	4112	msdcsc.exe	88
PID 4112 wrote to memory of 1420	4112	msdcsc.exe	88
PID 4112 wrote to memory of 1420	4112	msdcsc.exe	88
PID 4112 wrote to memory of 1420	4112	msdcsc.exe	88
PID 4112 wrote to memory of 1420	4112	msdcsc.exe	88
PID 4112 wrote to memory of 1420	4112	msdcsc.exe	88
PID 4112 wrote to memory of 1420	4112	msdcsc.exe	88

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1184	attrib.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe" +s +h
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4552
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3d50a9707cd3d351e41b1c03ac348747.exe" +s +h
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1184
- C:\Windows\SysWOW64\notepad.exe
  notepad
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2920
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4112
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\jI82l\PCGWIN32.LI5

Filesize
2KB

MD5
5b5609f4c9769c50c6fd33e43b8c1ca2

SHA1
adb5d2928279eff9e7f353e94e2e82fefb40df43

SHA256
778569aafcb4573122095d760a644129d37185e040e440eac5d30c39e3b64615

SHA512
97e85f5fec1c17e2cf5ae9caa9565e94ec0d120002541d5aa4a1bb187ff973a78b4a9378fe52e1f612e2cc5112709816d9f8a3d7a5d08fbe91c0fa1523277712

Download Submit
C:\ProgramData\jI82l\PCGWIN32.LI5

Filesize
2KB

MD5
36ac48596b40b623126c601b89392e31

SHA1
a01b1f06167f66c916363d31a6e0aee15d21e2b2

SHA256
90cfa543712bbb7600d5995d95af6b3388c52c73809478ae4ac3ac386f38c8ac

SHA512
dbfa91532c190381e5442fe1d6550cd660cec1e6d42119d965047aed8d5f0cfe48dc754eecb5df074b12bb6fedea521fb537aea569eff8ca951145527b5bdfc1

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
743KB

MD5
3d50a9707cd3d351e41b1c03ac348747

SHA1
0b812ea13f265570dc3a2b856daf9eba681cc38b

SHA256
16d6ba49863d65c4377d5b4b3bc03882ce644435de0fa568a56dc597e0aa0b9e

SHA512
5e594923ab3bf14bef7f84fbe950bc82b2ecdd73781760e3571a4b87a5b054446bd107689fe6d1e4b7c50f950d052caef91595713f8679bc3f8d45a1cdbe7bfd

Download Submit
memory/1420-80-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/2920-12-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/4112-87-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4112-89-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4112-98-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4112-97-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4112-84-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4112-85-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4112-86-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4112-96-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4112-88-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4112-71-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4112-90-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4112-91-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4112-92-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4112-93-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4112-94-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4112-95-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4768-0-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4768-82-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4768-8-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads