darkcomet | a5c263a5bf6522fcaaab2cf772e5d257644734d78a7149ae511fe338da350325

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
31/01/2025, 07:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_68288c29d8546aadc301eda4436def32.exe
Size

2.4MB
MD5

68288c29d8546aadc301eda4436def32
SHA1

b2f25aa72549ab250213e20850aa3e5beab1928f
SHA256

a5c263a5bf6522fcaaab2cf772e5d257644734d78a7149ae511fe338da350325
SHA512

d6b17aea77d4df88af97cebc0ecc40ec5bdb4e79f3ed44378c47438216eb03082544375327a93551c92ebe9e8003814781194983d88c12c525c95104bfa0b369
SSDEEP

49152:gX5TvrVpRCDhBeEJl+KVR/PKaF42Nt3XET4LTE7j5CS:gXxvrZeeEJRHa24sE71p

Score

10^/10

darkcomet discovery persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	HKCMB.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	HKCMB.exe

Executes dropped EXE 2 IoCs

pid	Process
2128	Transaction mangement.exe
2784	HKCMB.exe

Loads dropped DLL 13 IoCs

pid	Process
1820	JaffaCakes118_68288c29d8546aadc301eda4436def32.exe
1820	JaffaCakes118_68288c29d8546aadc301eda4436def32.exe
2128	Transaction mangement.exe
2128	Transaction mangement.exe
2128	Transaction mangement.exe
2128	Transaction mangement.exe
2784	HKCMB.exe
2784	HKCMB.exe
2240	WerFault.exe
2240	WerFault.exe
2240	WerFault.exe
2240	WerFault.exe
2240	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	HKCMB.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	HKCMB.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	HKCMB.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	HKCMB.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2128 set thread context of 2784	2128	Transaction mangement.exe	32

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe	Transaction mangement.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe	Transaction mangement.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2240	2784	WerFault.exe	32

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HKCMB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_68288c29d8546aadc301eda4436def32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Transaction mangement.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1716	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2784	HKCMB.exe
Token: SeSecurityPrivilege	2784	HKCMB.exe
Token: SeTakeOwnershipPrivilege	2784	HKCMB.exe
Token: SeLoadDriverPrivilege	2784	HKCMB.exe
Token: SeSystemProfilePrivilege	2784	HKCMB.exe
Token: SeSystemtimePrivilege	2784	HKCMB.exe
Token: SeProfSingleProcessPrivilege	2784	HKCMB.exe
Token: SeIncBasePriorityPrivilege	2784	HKCMB.exe
Token: SeCreatePagefilePrivilege	2784	HKCMB.exe
Token: SeBackupPrivilege	2784	HKCMB.exe
Token: SeRestorePrivilege	2784	HKCMB.exe
Token: SeShutdownPrivilege	2784	HKCMB.exe
Token: SeDebugPrivilege	2784	HKCMB.exe
Token: SeSystemEnvironmentPrivilege	2784	HKCMB.exe
Token: SeChangeNotifyPrivilege	2784	HKCMB.exe
Token: SeRemoteShutdownPrivilege	2784	HKCMB.exe
Token: SeUndockPrivilege	2784	HKCMB.exe
Token: SeManageVolumePrivilege	2784	HKCMB.exe
Token: SeImpersonatePrivilege	2784	HKCMB.exe
Token: SeCreateGlobalPrivilege	2784	HKCMB.exe
Token: 33	2784	HKCMB.exe
Token: 34	2784	HKCMB.exe
Token: 35	2784	HKCMB.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1716	AcroRd32.exe
1716	AcroRd32.exe
1716	AcroRd32.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 2128	1820	JaffaCakes118_68288c29d8546aadc301eda4436def32.exe	30
PID 1820 wrote to memory of 2128	1820	JaffaCakes118_68288c29d8546aadc301eda4436def32.exe	30
PID 1820 wrote to memory of 2128	1820	JaffaCakes118_68288c29d8546aadc301eda4436def32.exe	30
PID 1820 wrote to memory of 2128	1820	JaffaCakes118_68288c29d8546aadc301eda4436def32.exe	30
PID 1820 wrote to memory of 2128	1820	JaffaCakes118_68288c29d8546aadc301eda4436def32.exe	30
PID 1820 wrote to memory of 2128	1820	JaffaCakes118_68288c29d8546aadc301eda4436def32.exe	30
PID 1820 wrote to memory of 2128	1820	JaffaCakes118_68288c29d8546aadc301eda4436def32.exe	30
PID 1820 wrote to memory of 1716	1820	JaffaCakes118_68288c29d8546aadc301eda4436def32.exe	31
PID 1820 wrote to memory of 1716	1820	JaffaCakes118_68288c29d8546aadc301eda4436def32.exe	31
PID 1820 wrote to memory of 1716	1820	JaffaCakes118_68288c29d8546aadc301eda4436def32.exe	31
PID 1820 wrote to memory of 1716	1820	JaffaCakes118_68288c29d8546aadc301eda4436def32.exe	31
PID 1820 wrote to memory of 1716	1820	JaffaCakes118_68288c29d8546aadc301eda4436def32.exe	31
PID 1820 wrote to memory of 1716	1820	JaffaCakes118_68288c29d8546aadc301eda4436def32.exe	31
PID 1820 wrote to memory of 1716	1820	JaffaCakes118_68288c29d8546aadc301eda4436def32.exe	31
PID 2128 wrote to memory of 2784	2128	Transaction mangement.exe	32
PID 2128 wrote to memory of 2784	2128	Transaction mangement.exe	32
PID 2128 wrote to memory of 2784	2128	Transaction mangement.exe	32
PID 2128 wrote to memory of 2784	2128	Transaction mangement.exe	32
PID 2128 wrote to memory of 2784	2128	Transaction mangement.exe	32
PID 2128 wrote to memory of 2784	2128	Transaction mangement.exe	32
PID 2128 wrote to memory of 2784	2128	Transaction mangement.exe	32
PID 2128 wrote to memory of 2784	2128	Transaction mangement.exe	32
PID 2128 wrote to memory of 2784	2128	Transaction mangement.exe	32
PID 2128 wrote to memory of 2784	2128	Transaction mangement.exe	32
PID 2128 wrote to memory of 2784	2128	Transaction mangement.exe	32
PID 2128 wrote to memory of 2784	2128	Transaction mangement.exe	32
PID 2128 wrote to memory of 2784	2128	Transaction mangement.exe	32
PID 2128 wrote to memory of 2784	2128	Transaction mangement.exe	32
PID 2128 wrote to memory of 2784	2128	Transaction mangement.exe	32
PID 2128 wrote to memory of 2784	2128	Transaction mangement.exe	32
PID 2784 wrote to memory of 2676	2784	HKCMB.exe	33
PID 2784 wrote to memory of 2676	2784	HKCMB.exe	33
PID 2784 wrote to memory of 2676	2784	HKCMB.exe	33
PID 2784 wrote to memory of 2676	2784	HKCMB.exe	33
PID 2784 wrote to memory of 2676	2784	HKCMB.exe	33
PID 2784 wrote to memory of 2676	2784	HKCMB.exe	33
PID 2784 wrote to memory of 2676	2784	HKCMB.exe	33
PID 2784 wrote to memory of 2240	2784	HKCMB.exe	35
PID 2784 wrote to memory of 2240	2784	HKCMB.exe	35
PID 2784 wrote to memory of 2240	2784	HKCMB.exe	35
PID 2784 wrote to memory of 2240	2784	HKCMB.exe	35
PID 2784 wrote to memory of 2240	2784	HKCMB.exe	35
PID 2784 wrote to memory of 2240	2784	HKCMB.exe	35
PID 2784 wrote to memory of 2240	2784	HKCMB.exe	35

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_68288c29d8546aadc301eda4436def32.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_68288c29d8546aadc301eda4436def32.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Users\Admin\AppData\Local\Temp\Transaction mangement.exe
  "C:\Users\Admin\AppData\Local\Temp\Transaction mangement.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe
    3⤵
    - Modifies WinLogon for persistence
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2676
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 624
      4⤵
      Loads dropped DLL
      Program crash
      PID:2240
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Transaction_mangement.pdf"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Transaction_mangement.pdf

Filesize
194KB

MD5
8764991d86c925a5f8bbe847cd0f3cb3

SHA1
19e3f30d0baabc7c457fd61fecee8d1e8ab28d0e

SHA256
5e75cc26bca0932a6685e42e07d32b9e55c3eb3a4b4af5e2b80f0a48a4116f79

SHA512
f3f6f31f21935be78af1a792f45c481563a9653e624194588ff99e378cf7b0633fce7042e0b6dc01f04c14b4fa285964915e1b7ede8f29ae094b97cc15d11bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat

Filesize
72B

MD5
fce1348da4bb9cf3e1d986ef6497fe8c

SHA1
7f6b3383bd7e34ab31e82e1423a63a7776f147cf

SHA256
e6ab6964d84756b18c24e05d442ca43805260d167757edd856c3203e735c0733

SHA512
984cca90975f2b29dc2400532006700d765d0216b6e9c515a369548aa8835e476d963f4d95cbb3e04401c9a9ac94657bf1de3cf99dc455f67c0c2c4ec4c659be

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
9ca26a953524d1abfc9d14e27c485d54

SHA1
25a8f14424fb118c50965f35196d7cc19b9bdc00

SHA256
d8b8d7cfbd3a6d72c1b7d656b073be62347489914ef9c3cc2dd60c0823d0b8b1

SHA512
c9d51f931bf3123a2d971fa954ef05598e7bf428f394ba8589a725fc1e1bfb4f49c2f0a8baa12f2675f70288cfb52bbcb43d4eb6937feccd3dcaef7ddf9a13fd

Download Submit
\Users\Admin\AppData\Local\Temp\Transaction mangement.exe

Filesize
2.2MB

MD5
9a540f97fb137ff20426f30e8db62dc8

SHA1
1cd77f98dc2797cceb083e6b949261e2ea49fe4e

SHA256
d19447e7601934db1ce2038f15ad1a57835df5330d1f8780941b127fbde7cc59

SHA512
467bdac8408f6e1b66b7075f5b9ff09ba141782209d90ff6570187e41f52e38bfb0c1dfd08b8b5366f9a25257090cd28f187506b6d2e823afcde74539fe6ba0d

Download Submit
\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
memory/2784-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2784-25-0x0000000000400000-0x000000000062F000-memory.dmp

Filesize
2.2MB

Download
memory/2784-36-0x0000000000400000-0x000000000062F000-memory.dmp

Filesize
2.2MB

Download
memory/2784-43-0x0000000000400000-0x000000000062F000-memory.dmp

Filesize
2.2MB

Download
memory/2784-33-0x0000000000400000-0x000000000062F000-memory.dmp

Filesize
2.2MB

Download
memory/2784-31-0x0000000000400000-0x000000000062F000-memory.dmp

Filesize
2.2MB

Download
memory/2784-29-0x0000000000400000-0x000000000062F000-memory.dmp

Filesize
2.2MB

Download
memory/2784-38-0x0000000000400000-0x000000000062F000-memory.dmp

Filesize
2.2MB

Download
memory/2784-23-0x0000000000400000-0x000000000062F000-memory.dmp

Filesize
2.2MB

Download
memory/2784-21-0x0000000000400000-0x000000000062F000-memory.dmp

Filesize
2.2MB

Download
memory/2784-19-0x0000000000400000-0x000000000062F000-memory.dmp

Filesize
2.2MB

Download
memory/2784-27-0x0000000000400000-0x000000000062F000-memory.dmp

Filesize
2.2MB

Download
memory/2784-78-0x0000000000400000-0x000000000062F000-memory.dmp

Filesize
2.2MB

Download
memory/2784-79-0x0000000000400000-0x000000000062F000-memory.dmp

Filesize
2.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads