darkcomet | 8928b45380323bdcfd83430c2f76bd5ea9b5d011b4b3c4e575dc13d98cb04f5d

Analysis

max time kernel
150s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
05/02/2025, 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_a12a55725a718d2a60609ee4abbbb445.exe
Size

902KB
MD5

a12a55725a718d2a60609ee4abbbb445
SHA1

d429ca448c7ac0363280c10d82e36f92beff2614
SHA256

8928b45380323bdcfd83430c2f76bd5ea9b5d011b4b3c4e575dc13d98cb04f5d
SHA512

71730d78380a1bc455ec3e0eceb191041b8e64e8abf400f02b898e995d8f89574751c69ab8c4a42527469b78f661271aad652cfc063688401257a129c54cbe90
SSDEEP

12288:lZKhDHZODNZyY5qMeR59vz9jflkMY0rLnY9L73iW:8D5ONZyY5Fe39zHkMDrLY57SW

Score

10^/10

darkcomet 1.2 discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

1.2

ahmedb123.no-ip.info:100

Mutex

DCMIN_MUTEX-78CGXEQ

Attributes

gencode
lcvuN82zr4Gu
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftUpdate.exe	JaffaCakes118_a12a55725a718d2a60609ee4abbbb4451.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftUpdate.exe	JaffaCakes118_a12a55725a718d2a60609ee4abbbb4451.exe

Executes dropped EXE 2 IoCs

pid	Process
1248	Microsoft Office.exe
2720	JaffaCakes118_a12a55725a718d2a60609ee4abbbb4451.exe

Loads dropped DLL 3 IoCs

pid	Process
2600	JaffaCakes118_a12a55725a718d2a60609ee4abbbb445.exe
2600	JaffaCakes118_a12a55725a718d2a60609ee4abbbb445.exe
2600	JaffaCakes118_a12a55725a718d2a60609ee4abbbb445.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\MicrosoftUpdate.exe"	JaffaCakes118_a12a55725a718d2a60609ee4abbbb445.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2600 set thread context of 1248	2600	JaffaCakes118_a12a55725a718d2a60609ee4abbbb445.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a12a55725a718d2a60609ee4abbbb445.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Microsoft Office.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a12a55725a718d2a60609ee4abbbb4451.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2676	cmd.exe
1168	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1168	PING.EXE

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1248	Microsoft Office.exe
Token: SeSecurityPrivilege	1248	Microsoft Office.exe
Token: SeTakeOwnershipPrivilege	1248	Microsoft Office.exe
Token: SeLoadDriverPrivilege	1248	Microsoft Office.exe
Token: SeSystemProfilePrivilege	1248	Microsoft Office.exe
Token: SeSystemtimePrivilege	1248	Microsoft Office.exe
Token: SeProfSingleProcessPrivilege	1248	Microsoft Office.exe
Token: SeIncBasePriorityPrivilege	1248	Microsoft Office.exe
Token: SeCreatePagefilePrivilege	1248	Microsoft Office.exe
Token: SeBackupPrivilege	1248	Microsoft Office.exe
Token: SeRestorePrivilege	1248	Microsoft Office.exe
Token: SeShutdownPrivilege	1248	Microsoft Office.exe
Token: SeDebugPrivilege	1248	Microsoft Office.exe
Token: SeSystemEnvironmentPrivilege	1248	Microsoft Office.exe
Token: SeChangeNotifyPrivilege	1248	Microsoft Office.exe
Token: SeRemoteShutdownPrivilege	1248	Microsoft Office.exe
Token: SeUndockPrivilege	1248	Microsoft Office.exe
Token: SeManageVolumePrivilege	1248	Microsoft Office.exe
Token: SeImpersonatePrivilege	1248	Microsoft Office.exe
Token: SeCreateGlobalPrivilege	1248	Microsoft Office.exe
Token: 33	1248	Microsoft Office.exe
Token: 34	1248	Microsoft Office.exe
Token: 35	1248	Microsoft Office.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1248	Microsoft Office.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2600 wrote to memory of 1248	2600	JaffaCakes118_a12a55725a718d2a60609ee4abbbb445.exe	29
PID 2600 wrote to memory of 1248	2600	JaffaCakes118_a12a55725a718d2a60609ee4abbbb445.exe	29
PID 2600 wrote to memory of 1248	2600	JaffaCakes118_a12a55725a718d2a60609ee4abbbb445.exe	29
PID 2600 wrote to memory of 1248	2600	JaffaCakes118_a12a55725a718d2a60609ee4abbbb445.exe	29
PID 2600 wrote to memory of 1248	2600	JaffaCakes118_a12a55725a718d2a60609ee4abbbb445.exe	29
PID 2600 wrote to memory of 1248	2600	JaffaCakes118_a12a55725a718d2a60609ee4abbbb445.exe	29
PID 2600 wrote to memory of 1248	2600	JaffaCakes118_a12a55725a718d2a60609ee4abbbb445.exe	29
PID 2600 wrote to memory of 1248	2600	JaffaCakes118_a12a55725a718d2a60609ee4abbbb445.exe	29
PID 2600 wrote to memory of 1248	2600	JaffaCakes118_a12a55725a718d2a60609ee4abbbb445.exe	29
PID 2600 wrote to memory of 1248	2600	JaffaCakes118_a12a55725a718d2a60609ee4abbbb445.exe	29
PID 2600 wrote to memory of 1248	2600	JaffaCakes118_a12a55725a718d2a60609ee4abbbb445.exe	29
PID 2600 wrote to memory of 1248	2600	JaffaCakes118_a12a55725a718d2a60609ee4abbbb445.exe	29
PID 2600 wrote to memory of 1248	2600	JaffaCakes118_a12a55725a718d2a60609ee4abbbb445.exe	29
PID 2600 wrote to memory of 2836	2600	JaffaCakes118_a12a55725a718d2a60609ee4abbbb445.exe	30
PID 2600 wrote to memory of 2836	2600	JaffaCakes118_a12a55725a718d2a60609ee4abbbb445.exe	30
PID 2600 wrote to memory of 2836	2600	JaffaCakes118_a12a55725a718d2a60609ee4abbbb445.exe	30
PID 2600 wrote to memory of 2836	2600	JaffaCakes118_a12a55725a718d2a60609ee4abbbb445.exe	30
PID 2836 wrote to memory of 3016	2836	vbc.exe	32
PID 2836 wrote to memory of 3016	2836	vbc.exe	32
PID 2836 wrote to memory of 3016	2836	vbc.exe	32
PID 2836 wrote to memory of 3016	2836	vbc.exe	32
PID 2600 wrote to memory of 2720	2600	JaffaCakes118_a12a55725a718d2a60609ee4abbbb445.exe	33
PID 2600 wrote to memory of 2720	2600	JaffaCakes118_a12a55725a718d2a60609ee4abbbb445.exe	33
PID 2600 wrote to memory of 2720	2600	JaffaCakes118_a12a55725a718d2a60609ee4abbbb445.exe	33
PID 2600 wrote to memory of 2720	2600	JaffaCakes118_a12a55725a718d2a60609ee4abbbb445.exe	33
PID 2600 wrote to memory of 2676	2600	JaffaCakes118_a12a55725a718d2a60609ee4abbbb445.exe	34
PID 2600 wrote to memory of 2676	2600	JaffaCakes118_a12a55725a718d2a60609ee4abbbb445.exe	34
PID 2600 wrote to memory of 2676	2600	JaffaCakes118_a12a55725a718d2a60609ee4abbbb445.exe	34
PID 2600 wrote to memory of 2676	2600	JaffaCakes118_a12a55725a718d2a60609ee4abbbb445.exe	34
PID 2676 wrote to memory of 1168	2676	cmd.exe	36
PID 2676 wrote to memory of 1168	2676	cmd.exe	36
PID 2676 wrote to memory of 1168	2676	cmd.exe	36
PID 2676 wrote to memory of 1168	2676	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a12a55725a718d2a60609ee4abbbb445.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a12a55725a718d2a60609ee4abbbb445.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe
  "C:\Users\Admin\AppData\Local\Temp\\plugtemp\Microsoft Office.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1248
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xj_7vb71.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7B58.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7B57.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3016
- C:\Users\Admin\AppData\Roaming\JaffaCakes118_a12a55725a718d2a60609ee4abbbb4451.exe
  "C:\Users\Admin\AppData\Roaming\JaffaCakes118_a12a55725a718d2a60609ee4abbbb4451.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2720
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a12a55725a718d2a60609ee4abbbb445.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7B58.tmp

Filesize
1KB

MD5
02657c159da56d0778daa713b98830d7

SHA1
7dc378637d3235d41314c1ca98812259e553b713

SHA256
2eb99f12fe3c24e99d59872a61b0b03daacfd0f1cdb4a7d3e70e701965ed47b8

SHA512
d5131fa30809a9931737dc7c7e8c2e75acdacdc8486dcd73da8343bbf01e307e73002b3706fb9a7feb1d6a84938d52a54446199d5554ff292df09b0c5465fea3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7B57.tmp

Filesize
804B

MD5
49fccc8bfceb5baaab8d27b413f74252

SHA1
0d75af37c48d2035e99bf71993c1c372a45e67de

SHA256
b38f79a67cf2c9aa3df7f4b952fecdcdfb296ef5b4b53b8649e5027736bf6fa0

SHA512
46422cd5e85f99472fa12bf17eae054a3862f56708b5a0b986289464c8f2691ea3d868c196bded99dad26cc4d9a4e0f6d35c68ca421ce268e47832957532dc0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xj_7vb71.0.vb

Filesize
350B

MD5
5973dd9b71d2af33d73168f68803d583

SHA1
cd4c2824007a3f9f491bbfaeed7a7236db1cbed6

SHA256
54b9de83518dc40ec7d198c3952f317fd4fd450c8a2794b5a8d143dcf0aa4278

SHA512
b64e5fb30076fe4f703ac2dd342faaf59c0dc3897a91325c2b235ddb5c5cbabefb4a3c04f900fdd0cbad29a635040dd8cf7e2484cf0ec97112b457a80d72582c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xj_7vb71.cmdline

Filesize
235B

MD5
4bc67305bb16fef74a5faf5919a2b8c4

SHA1
d2cb9a7c58426102b8846ec1918d2ba4a579fcfb

SHA256
5dc866858aec6b4d9f954b1286d76594a5dc38ec212d7bad1e81a56daba3ff9d

SHA512
dfcca38fef61cce1012c355be6e163cb349759b80ca0481cb8b9b2281b32e005466d9f8d36d3e0621fb3a8e865d390798671b9627db02c84db8363fbb2952ce6

Download Submit
C:\Users\Admin\AppData\Roaming\JaffaCakes118_a12a55725a718d2a60609ee4abbbb445.exe

Filesize
902KB

MD5
a12a55725a718d2a60609ee4abbbb445

SHA1
d429ca448c7ac0363280c10d82e36f92beff2614

SHA256
8928b45380323bdcfd83430c2f76bd5ea9b5d011b4b3c4e575dc13d98cb04f5d

SHA512
71730d78380a1bc455ec3e0eceb191041b8e64e8abf400f02b898e995d8f89574751c69ab8c4a42527469b78f661271aad652cfc063688401257a129c54cbe90

Download Submit
C:\Users\Admin\AppData\Roaming\JaffaCakes118_a12a55725a718d2a60609ee4abbbb4451.exe

Filesize
6KB

MD5
d77662005d052839053dd67e3ec7110f

SHA1
fce834711a2be85677867c9473b82bb9f4725f37

SHA256
83c201c4fc033afda3ba2811d301663374376d61719916dc8666aab78d9e4aac

SHA512
91c47ae0b94df2b2c45e796ddb86bc413e8eb247a0cb8f82ada2e2e24cbf30204ae82c3292dec234c799f1b3bc1fcdc874d47326d0831b96f1d906aad00dd379

Download Submit
\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
memory/1248-13-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1248-58-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1248-15-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1248-14-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1248-67-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1248-12-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1248-10-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1248-23-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1248-8-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1248-25-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1248-27-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1248-26-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1248-24-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1248-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1248-66-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1248-20-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1248-22-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1248-16-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1248-65-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1248-64-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1248-63-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1248-62-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1248-52-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1248-53-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1248-54-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1248-55-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1248-56-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1248-57-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1248-17-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1248-59-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1248-60-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1248-61-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2600-51-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/2600-1-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/2600-2-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/2600-0-0x0000000074B31000-0x0000000074B32000-memory.dmp

Filesize
4KB

Download
memory/2836-42-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2836-33-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads