darkcomet | 466e6257dfac062a20d21f899d6fe9fe43d4dbc569622097f3d686e5503d8e0a

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
07/02/2025, 00:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b1251615adcaf2ce3855a3145a60cfed.exe
Size

1.6MB
MD5

b1251615adcaf2ce3855a3145a60cfed
SHA1

47b7ace3d539d4a976dfed91a1df01f6eb16a38b
SHA256

466e6257dfac062a20d21f899d6fe9fe43d4dbc569622097f3d686e5503d8e0a
SHA512

2bfff9ee2276a8584322ab1fa165d0280b131b45a006e3f5d8b8d203620a7a4e474251f03da37e2c2a8bd2578b7fef3cd8b31cf646485a984c65c6763c506ad2
SSDEEP

24576:MIuI3Y0qwEZmNj4hDPvHiQHyjeXDOuf2DdsmGFAPxFy7b2Tpju0bBKF5WpqSJYxr:F1o8mHnCQHLTzf2D/GEC0bsFMpqC017

Score

10^/10

darkcomet defense_evasion discovery persistence rat themida trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Internet Explorer\\iexplore.exe"	JaffaCakes118_b1251615adcaf2ce3855a3145a60cfed.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2744	attrib.exe

Executes dropped EXE 1 IoCs

pid	Process
2848	iexplore.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine	JaffaCakes118_b1251615adcaf2ce3855a3145a60cfed.exe
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine	iexplore.exe

Loads dropped DLL 2 IoCs

pid	Process
2204	JaffaCakes118_b1251615adcaf2ce3855a3145a60cfed.exe
2204	JaffaCakes118_b1251615adcaf2ce3855a3145a60cfed.exe

Themida packer 24 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2204-0-0x0000000000400000-0x00000000005B2000-memory.dmp	themida
behavioral1/memory/2204-2-0x0000000000400000-0x00000000005B2000-memory.dmp	themida
behavioral1/memory/2204-7-0x0000000000400000-0x00000000005B2000-memory.dmp	themida
behavioral1/memory/2204-5-0x0000000000400000-0x00000000005B2000-memory.dmp	themida
behavioral1/memory/2204-4-0x0000000000400000-0x00000000005B2000-memory.dmp	themida
behavioral1/memory/2204-3-0x0000000000400000-0x00000000005B2000-memory.dmp	themida
behavioral1/files/0x0008000000016cc4-13.dat	themida
behavioral1/memory/2204-19-0x0000000000400000-0x00000000005B2000-memory.dmp	themida
behavioral1/memory/2204-18-0x0000000000400000-0x00000000005B2000-memory.dmp	themida
behavioral1/memory/2848-21-0x0000000000400000-0x00000000005B2000-memory.dmp	themida
behavioral1/memory/2848-22-0x0000000000400000-0x00000000005B2000-memory.dmp	themida
behavioral1/memory/2848-23-0x0000000000400000-0x00000000005B2000-memory.dmp	themida
behavioral1/memory/2848-24-0x0000000000400000-0x00000000005B2000-memory.dmp	themida
behavioral1/memory/2848-25-0x0000000000400000-0x00000000005B2000-memory.dmp	themida
behavioral1/memory/2848-26-0x0000000000400000-0x00000000005B2000-memory.dmp	themida
behavioral1/memory/2848-27-0x0000000000400000-0x00000000005B2000-memory.dmp	themida
behavioral1/memory/2848-28-0x0000000000400000-0x00000000005B2000-memory.dmp	themida
behavioral1/memory/2848-29-0x0000000000400000-0x00000000005B2000-memory.dmp	themida
behavioral1/memory/2848-30-0x0000000000400000-0x00000000005B2000-memory.dmp	themida
behavioral1/memory/2848-31-0x0000000000400000-0x00000000005B2000-memory.dmp	themida
behavioral1/memory/2848-32-0x0000000000400000-0x00000000005B2000-memory.dmp	themida
behavioral1/memory/2848-33-0x0000000000400000-0x00000000005B2000-memory.dmp	themida
behavioral1/memory/2848-34-0x0000000000400000-0x00000000005B2000-memory.dmp	themida
behavioral1/memory/2848-35-0x0000000000400000-0x00000000005B2000-memory.dmp	themida

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\iexplore.exe = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Internet Explorer\\iexplore.exe"	JaffaCakes118_b1251615adcaf2ce3855a3145a60cfed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\iexplore.exe = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Internet Explorer\\iexplore.exe"	iexplore.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2204	JaffaCakes118_b1251615adcaf2ce3855a3145a60cfed.exe
2848	iexplore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b1251615adcaf2ce3855a3145a60cfed.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2204	JaffaCakes118_b1251615adcaf2ce3855a3145a60cfed.exe
2848	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2848	iexplore.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2204	JaffaCakes118_b1251615adcaf2ce3855a3145a60cfed.exe
Token: SeSecurityPrivilege	2204	JaffaCakes118_b1251615adcaf2ce3855a3145a60cfed.exe
Token: SeTakeOwnershipPrivilege	2204	JaffaCakes118_b1251615adcaf2ce3855a3145a60cfed.exe
Token: SeLoadDriverPrivilege	2204	JaffaCakes118_b1251615adcaf2ce3855a3145a60cfed.exe
Token: SeSystemProfilePrivilege	2204	JaffaCakes118_b1251615adcaf2ce3855a3145a60cfed.exe
Token: SeSystemtimePrivilege	2204	JaffaCakes118_b1251615adcaf2ce3855a3145a60cfed.exe
Token: SeProfSingleProcessPrivilege	2204	JaffaCakes118_b1251615adcaf2ce3855a3145a60cfed.exe
Token: SeIncBasePriorityPrivilege	2204	JaffaCakes118_b1251615adcaf2ce3855a3145a60cfed.exe
Token: SeCreatePagefilePrivilege	2204	JaffaCakes118_b1251615adcaf2ce3855a3145a60cfed.exe
Token: SeBackupPrivilege	2204	JaffaCakes118_b1251615adcaf2ce3855a3145a60cfed.exe
Token: SeRestorePrivilege	2204	JaffaCakes118_b1251615adcaf2ce3855a3145a60cfed.exe
Token: SeShutdownPrivilege	2204	JaffaCakes118_b1251615adcaf2ce3855a3145a60cfed.exe
Token: SeDebugPrivilege	2204	JaffaCakes118_b1251615adcaf2ce3855a3145a60cfed.exe
Token: SeSystemEnvironmentPrivilege	2204	JaffaCakes118_b1251615adcaf2ce3855a3145a60cfed.exe
Token: SeChangeNotifyPrivilege	2204	JaffaCakes118_b1251615adcaf2ce3855a3145a60cfed.exe
Token: SeRemoteShutdownPrivilege	2204	JaffaCakes118_b1251615adcaf2ce3855a3145a60cfed.exe
Token: SeUndockPrivilege	2204	JaffaCakes118_b1251615adcaf2ce3855a3145a60cfed.exe
Token: SeManageVolumePrivilege	2204	JaffaCakes118_b1251615adcaf2ce3855a3145a60cfed.exe
Token: SeImpersonatePrivilege	2204	JaffaCakes118_b1251615adcaf2ce3855a3145a60cfed.exe
Token: SeCreateGlobalPrivilege	2204	JaffaCakes118_b1251615adcaf2ce3855a3145a60cfed.exe
Token: 33	2204	JaffaCakes118_b1251615adcaf2ce3855a3145a60cfed.exe
Token: 34	2204	JaffaCakes118_b1251615adcaf2ce3855a3145a60cfed.exe
Token: 35	2204	JaffaCakes118_b1251615adcaf2ce3855a3145a60cfed.exe
Token: SeIncreaseQuotaPrivilege	2848	iexplore.exe
Token: SeSecurityPrivilege	2848	iexplore.exe
Token: SeTakeOwnershipPrivilege	2848	iexplore.exe
Token: SeLoadDriverPrivilege	2848	iexplore.exe
Token: SeSystemProfilePrivilege	2848	iexplore.exe
Token: SeSystemtimePrivilege	2848	iexplore.exe
Token: SeProfSingleProcessPrivilege	2848	iexplore.exe
Token: SeIncBasePriorityPrivilege	2848	iexplore.exe
Token: SeCreatePagefilePrivilege	2848	iexplore.exe
Token: SeBackupPrivilege	2848	iexplore.exe
Token: SeRestorePrivilege	2848	iexplore.exe
Token: SeShutdownPrivilege	2848	iexplore.exe
Token: SeDebugPrivilege	2848	iexplore.exe
Token: SeSystemEnvironmentPrivilege	2848	iexplore.exe
Token: SeChangeNotifyPrivilege	2848	iexplore.exe
Token: SeRemoteShutdownPrivilege	2848	iexplore.exe
Token: SeUndockPrivilege	2848	iexplore.exe
Token: SeManageVolumePrivilege	2848	iexplore.exe
Token: SeImpersonatePrivilege	2848	iexplore.exe
Token: SeCreateGlobalPrivilege	2848	iexplore.exe
Token: 33	2848	iexplore.exe
Token: 34	2848	iexplore.exe
Token: 35	2848	iexplore.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2848	iexplore.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2876	2204	JaffaCakes118_b1251615adcaf2ce3855a3145a60cfed.exe	30
PID 2204 wrote to memory of 2876	2204	JaffaCakes118_b1251615adcaf2ce3855a3145a60cfed.exe	30
PID 2204 wrote to memory of 2876	2204	JaffaCakes118_b1251615adcaf2ce3855a3145a60cfed.exe	30
PID 2204 wrote to memory of 2876	2204	JaffaCakes118_b1251615adcaf2ce3855a3145a60cfed.exe	30
PID 2876 wrote to memory of 2744	2876	cmd.exe	32
PID 2876 wrote to memory of 2744	2876	cmd.exe	32
PID 2876 wrote to memory of 2744	2876	cmd.exe	32
PID 2876 wrote to memory of 2744	2876	cmd.exe	32
PID 2204 wrote to memory of 2848	2204	JaffaCakes118_b1251615adcaf2ce3855a3145a60cfed.exe	33
PID 2204 wrote to memory of 2848	2204	JaffaCakes118_b1251615adcaf2ce3855a3145a60cfed.exe	33
PID 2204 wrote to memory of 2848	2204	JaffaCakes118_b1251615adcaf2ce3855a3145a60cfed.exe	33
PID 2204 wrote to memory of 2848	2204	JaffaCakes118_b1251615adcaf2ce3855a3145a60cfed.exe	33

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2744	attrib.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b1251615adcaf2ce3855a3145a60cfed.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b1251615adcaf2ce3855a3145a60cfed.exe"
1⤵
- Modifies WinLogon for persistence
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b1251615adcaf2ce3855a3145a60cfed.exe" +s +h
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b1251615adcaf2ce3855a3145a60cfed.exe" +s +h
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2744
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet Explorer\iexplore.exe
  "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet Explorer\iexplore.exe"
  2⤵
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet Explorer\iexplore.exe

Filesize
1.6MB

MD5
b1251615adcaf2ce3855a3145a60cfed

SHA1
47b7ace3d539d4a976dfed91a1df01f6eb16a38b

SHA256
466e6257dfac062a20d21f899d6fe9fe43d4dbc569622097f3d686e5503d8e0a

SHA512
2bfff9ee2276a8584322ab1fa165d0280b131b45a006e3f5d8b8d203620a7a4e474251f03da37e2c2a8bd2578b7fef3cd8b31cf646485a984c65c6763c506ad2

Download Submit
memory/2204-0-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/2204-1-0x0000000000401000-0x00000000004AA000-memory.dmp

Filesize
676KB

Download
memory/2204-2-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/2204-7-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/2204-5-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/2204-4-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/2204-3-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/2204-20-0x0000000000401000-0x00000000004AA000-memory.dmp

Filesize
676KB

Download
memory/2204-19-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/2204-18-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/2848-22-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/2848-28-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/2848-23-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/2848-24-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/2848-25-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/2848-26-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/2848-27-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/2848-21-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/2848-29-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/2848-30-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/2848-31-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/2848-32-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/2848-33-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/2848-34-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/2848-35-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download