darkcomet | 69cbfbc1b1ab38241efbeeb9cf2bbd839448981f4f10ee6b1e4bc5d21f2acb3b

Analysis

max time kernel
141s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/02/2025, 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b4570a04fa7d1ac33afb101300c73d54.exe
Size

4.2MB
MD5

b4570a04fa7d1ac33afb101300c73d54
SHA1

4522fb0cf2c0aee291842688c20020651343c4a0
SHA256

69cbfbc1b1ab38241efbeeb9cf2bbd839448981f4f10ee6b1e4bc5d21f2acb3b
SHA512

5c768a29e0be735ac691cfbae2f40b238e9782b9b9d6c0edda98d595b3defd0324bd132180bd8d7e2944349940fa69645d31ade649828992b10bd2fdd0bb153f
SSDEEP

98304:5Ff3GTKdT1WUBSDiUpYCpjnjTyuGkQcdBDY2yP6uvrGNrAWsJA:5FuKdRWUBSDnbHfhjzyP6mWI

Score

10^/10

darkcomet discovery persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Executes dropped EXE 2 IoCs

pid	Process
2744	ǭȜƂƈӂ.exe
2864	taskmgr.exe

Loads dropped DLL 3 IoCs

pid	Process
1764	JaffaCakes118_b4570a04fa7d1ac33afb101300c73d54.exe
1764	JaffaCakes118_b4570a04fa7d1ac33afb101300c73d54.exe
1764	JaffaCakes118_b4570a04fa7d1ac33afb101300c73d54.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Essentials = "C:\\Users\\Admin\\AppData\\Local\\Temp\\taskmgr.exe"	ǭȜƂƈӂ.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1764 set thread context of 2864	1764	JaffaCakes118_b4570a04fa7d1ac33afb101300c73d54.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b4570a04fa7d1ac33afb101300c73d54.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ǭȜƂƈӂ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgr.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2740	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2740	vlc.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	1764	JaffaCakes118_b4570a04fa7d1ac33afb101300c73d54.exe
Token: SeIncreaseQuotaPrivilege	2864	taskmgr.exe
Token: SeSecurityPrivilege	2864	taskmgr.exe
Token: SeTakeOwnershipPrivilege	2864	taskmgr.exe
Token: SeLoadDriverPrivilege	2864	taskmgr.exe
Token: SeSystemProfilePrivilege	2864	taskmgr.exe
Token: SeSystemtimePrivilege	2864	taskmgr.exe
Token: SeProfSingleProcessPrivilege	2864	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2864	taskmgr.exe
Token: SeCreatePagefilePrivilege	2864	taskmgr.exe
Token: SeBackupPrivilege	2864	taskmgr.exe
Token: SeRestorePrivilege	2864	taskmgr.exe
Token: SeShutdownPrivilege	2864	taskmgr.exe
Token: SeDebugPrivilege	2864	taskmgr.exe
Token: SeSystemEnvironmentPrivilege	2864	taskmgr.exe
Token: SeChangeNotifyPrivilege	2864	taskmgr.exe
Token: SeRemoteShutdownPrivilege	2864	taskmgr.exe
Token: SeUndockPrivilege	2864	taskmgr.exe
Token: SeManageVolumePrivilege	2864	taskmgr.exe
Token: SeImpersonatePrivilege	2864	taskmgr.exe
Token: SeCreateGlobalPrivilege	2864	taskmgr.exe
Token: 33	2864	taskmgr.exe
Token: 34	2864	taskmgr.exe
Token: 35	2864	taskmgr.exe
Token: 33	2740	vlc.exe
Token: SeIncBasePriorityPrivilege	2740	vlc.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2740	vlc.exe
2740	vlc.exe
2740	vlc.exe
2740	vlc.exe
2740	vlc.exe
2740	vlc.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2740	vlc.exe
2740	vlc.exe
2740	vlc.exe
2740	vlc.exe
2740	vlc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2864	taskmgr.exe
2740	vlc.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 2628	1764	JaffaCakes118_b4570a04fa7d1ac33afb101300c73d54.exe	31
PID 1764 wrote to memory of 2628	1764	JaffaCakes118_b4570a04fa7d1ac33afb101300c73d54.exe	31
PID 1764 wrote to memory of 2628	1764	JaffaCakes118_b4570a04fa7d1ac33afb101300c73d54.exe	31
PID 1764 wrote to memory of 2628	1764	JaffaCakes118_b4570a04fa7d1ac33afb101300c73d54.exe	31
PID 2628 wrote to memory of 2992	2628	csc.exe	33
PID 2628 wrote to memory of 2992	2628	csc.exe	33
PID 2628 wrote to memory of 2992	2628	csc.exe	33
PID 2628 wrote to memory of 2992	2628	csc.exe	33
PID 1764 wrote to memory of 2744	1764	JaffaCakes118_b4570a04fa7d1ac33afb101300c73d54.exe	34
PID 1764 wrote to memory of 2744	1764	JaffaCakes118_b4570a04fa7d1ac33afb101300c73d54.exe	34
PID 1764 wrote to memory of 2744	1764	JaffaCakes118_b4570a04fa7d1ac33afb101300c73d54.exe	34
PID 1764 wrote to memory of 2744	1764	JaffaCakes118_b4570a04fa7d1ac33afb101300c73d54.exe	34
PID 1764 wrote to memory of 2864	1764	JaffaCakes118_b4570a04fa7d1ac33afb101300c73d54.exe	35
PID 1764 wrote to memory of 2864	1764	JaffaCakes118_b4570a04fa7d1ac33afb101300c73d54.exe	35
PID 1764 wrote to memory of 2864	1764	JaffaCakes118_b4570a04fa7d1ac33afb101300c73d54.exe	35
PID 1764 wrote to memory of 2864	1764	JaffaCakes118_b4570a04fa7d1ac33afb101300c73d54.exe	35
PID 1764 wrote to memory of 2864	1764	JaffaCakes118_b4570a04fa7d1ac33afb101300c73d54.exe	35
PID 1764 wrote to memory of 2864	1764	JaffaCakes118_b4570a04fa7d1ac33afb101300c73d54.exe	35
PID 1764 wrote to memory of 2864	1764	JaffaCakes118_b4570a04fa7d1ac33afb101300c73d54.exe	35
PID 1764 wrote to memory of 2864	1764	JaffaCakes118_b4570a04fa7d1ac33afb101300c73d54.exe	35
PID 1764 wrote to memory of 2864	1764	JaffaCakes118_b4570a04fa7d1ac33afb101300c73d54.exe	35
PID 1764 wrote to memory of 2864	1764	JaffaCakes118_b4570a04fa7d1ac33afb101300c73d54.exe	35
PID 1764 wrote to memory of 2864	1764	JaffaCakes118_b4570a04fa7d1ac33afb101300c73d54.exe	35
PID 1764 wrote to memory of 2864	1764	JaffaCakes118_b4570a04fa7d1ac33afb101300c73d54.exe	35
PID 1764 wrote to memory of 2864	1764	JaffaCakes118_b4570a04fa7d1ac33afb101300c73d54.exe	35
PID 1764 wrote to memory of 2740	1764	JaffaCakes118_b4570a04fa7d1ac33afb101300c73d54.exe	36
PID 1764 wrote to memory of 2740	1764	JaffaCakes118_b4570a04fa7d1ac33afb101300c73d54.exe	36
PID 1764 wrote to memory of 2740	1764	JaffaCakes118_b4570a04fa7d1ac33afb101300c73d54.exe	36
PID 1764 wrote to memory of 2740	1764	JaffaCakes118_b4570a04fa7d1ac33afb101300c73d54.exe	36

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4570a04fa7d1ac33afb101300c73d54.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4570a04fa7d1ac33afb101300c73d54.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ivuik_ex.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE580.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE57F.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2992
- C:\Users\Admin\AppData\Local\Temp\ǭȜƂƈӂ.exe
  "C:\Users\Admin\AppData\Local\Temp\ǭȜƂƈӂ.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2744
- C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
  C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2864
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\מישל כהן יש מקום ביצוע הגמר.mp3"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE580.tmp

Filesize
1KB

MD5
54629bacf2ed09be61585514f8abdcc1

SHA1
87186b119115ab204a44720eded3dd4c165242dd

SHA256
a323886c48e7fd297e8aaf059d13bee3d1ff8026c371829d98c2928ff6c9d5b7

SHA512
0c5c38ee305370852b6e246ea5e727353554a970f556f3ba9be23f44bf612e721a2509a72e29ba5160d258fb6e99abd054f92c7ae2a933c5eb01134a534e0d16

Download Submit
C:\Users\Admin\AppData\Local\Temp\ǭȜƂƈӂ.exe

Filesize
4KB

MD5
654bd951179d81eb22ac6067b089dc0f

SHA1
1ec0dc069a2adb230207c54ead0b5f593e22fba4

SHA256
a427cfdd5a5d64b9eed9677580e2ec6601331b0c34dff45adabbf6b814fd2785

SHA512
fad31318fe3a58c041e780b80a2cee6fd904f5df1be9e3f247ee3d569ac1389199f3a58940d7eb0b00d6abb20c83acc353d6000f4c58ed305269e3dcf7f07d9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\מישל כהן יש מקום ביצוע הגמר.mp3

Filesize
3.1MB

MD5
dfd312879ce215a472ccfff1f6edcc83

SHA1
1ed6991e2876a8f3921e0629980acb7ea6482d19

SHA256
e707e9a797191b9f64d3a5fc48b09ca49a429b35b1d9bef250f30bd75278e23d

SHA512
b5d2e82e8be7b930f678cf2c227e59f0de2fadb7b3c5c9b408ded5396a2254b9bb3976c34d3c6412cf71968f0ae8446c1b197b969b464bc613f178898a52d736

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCE57F.tmp

Filesize
636B

MD5
50363950c08ac8e50585c99d2ffa9f71

SHA1
d8f71b835a534ce0ff378c62a9a78558eda9c235

SHA256
ea2e0d4bf91002fa267b3ea49cd25d3ed3a4aaac88ff14fc7b14d09506eb0ae1

SHA512
96029d490fd171a02f42019a3b983d7dc3a638f1812527510aae571f7760bc72ecfd29e4bdb8ac1a3a2d5af83b931ac8fdfce0af9ec33247d0243e8f4bdbe025

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ivuik_ex.0.cs

Filesize
1KB

MD5
f89d88c9df4920a28f1e50bdd677686e

SHA1
956a7b21a6a243588db21f24eb19f36e75128367

SHA256
7b250b2607bb276cf970952c966eec884d9d1586eb2f27ee9155376a0e820537

SHA512
3ce3f52e9c440924dd47cd35ed78763b15eafbbcf1777c1e5fc7587b278108a1096aeeb81568e394532c75db1ffb785e24e66e752333e41971096556e3dee4ce

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ivuik_ex.cmdline

Filesize
263B

MD5
9667e3e0104a9581a59f3d6750b4e417

SHA1
eaf2ffba9d37492e9d6747ae15ae05ff0063b9b8

SHA256
8a3b08efdcc4c767b298547b8ef3f1624c43264c52c92e0cc2fbbbe57eeffac1

SHA512
52d310cc1d47aa95f7f26e140cee871ea496f8aae46ba713b709d3229a10ee7071bda148de759806479a33378951dd8ee25b0f6ed0f1c49f1543fa7fd11f800d

Download Submit
\Users\Admin\AppData\Local\Temp\taskmgr.exe

Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
memory/1764-47-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/1764-2-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/1764-0-0x0000000074571000-0x0000000074572000-memory.dmp

Filesize
4KB

Download
memory/1764-1-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2628-8-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2628-15-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2740-77-0x000007FEF60E0000-0x000007FEF60F1000-memory.dmp

Filesize
68KB

Download
memory/2740-81-0x000007FEF4910000-0x000007FEF498C000-memory.dmp

Filesize
496KB

Download
memory/2740-89-0x000007FEF4710000-0x000007FEF47D5000-memory.dmp

Filesize
788KB

Download
memory/2740-92-0x000007FEF2880000-0x000007FEF2891000-memory.dmp

Filesize
68KB

Download
memory/2740-93-0x000007FEF2860000-0x000007FEF2872000-memory.dmp

Filesize
72KB

Download
memory/2740-69-0x000007FEF4A50000-0x000007FEF5B00000-memory.dmp

Filesize
16.7MB

Download
memory/2740-94-0x000007FEF26E0000-0x000007FEF285A000-memory.dmp

Filesize
1.5MB

Download
memory/2740-91-0x000007FEF2A60000-0x000007FEF2A88000-memory.dmp

Filesize
160KB

Download
memory/2740-90-0x000007FEF2A90000-0x000007FEF2AE7000-memory.dmp

Filesize
348KB

Download
memory/2740-88-0x000007FEF47E0000-0x000007FEF47F1000-memory.dmp

Filesize
68KB

Download
memory/2740-87-0x000007FEF4800000-0x000007FEF4813000-memory.dmp

Filesize
76KB

Download
memory/2740-86-0x000007FEF4820000-0x000007FEF484F000-memory.dmp

Filesize
188KB

Download
memory/2740-85-0x000007FEF4850000-0x000007FEF48A7000-memory.dmp

Filesize
348KB

Download
memory/2740-84-0x000007FEF48B0000-0x000007FEF48C1000-memory.dmp

Filesize
68KB

Download
memory/2740-83-0x000007FEF48D0000-0x000007FEF48E8000-memory.dmp

Filesize
96KB

Download
memory/2740-59-0x000007FEF6A00000-0x000007FEF6A34000-memory.dmp

Filesize
208KB

Download
memory/2740-58-0x000000013F9E0000-0x000000013FAD8000-memory.dmp

Filesize
992KB

Download
memory/2740-66-0x000007FEF62B0000-0x000007FEF62CD000-memory.dmp

Filesize
116KB

Download
memory/2740-67-0x000007FEF6290000-0x000007FEF62A1000-memory.dmp

Filesize
68KB

Download
memory/2740-60-0x000007FEF5D10000-0x000007FEF5FC6000-memory.dmp

Filesize
2.7MB

Download
memory/2740-65-0x000007FEF6400000-0x000007FEF6411000-memory.dmp

Filesize
68KB

Download
memory/2740-68-0x000007FEF5B00000-0x000007FEF5D0B000-memory.dmp

Filesize
2.0MB

Download
memory/2740-64-0x000007FEF6420000-0x000007FEF6437000-memory.dmp

Filesize
92KB

Download
memory/2740-63-0x000007FEF6890000-0x000007FEF68A1000-memory.dmp

Filesize
68KB

Download
memory/2740-62-0x000007FEF68B0000-0x000007FEF68C7000-memory.dmp

Filesize
92KB

Download
memory/2740-61-0x000007FEF7780000-0x000007FEF7798000-memory.dmp

Filesize
96KB

Download
memory/2740-70-0x000007FEF61A0000-0x000007FEF61E1000-memory.dmp

Filesize
260KB

Download
memory/2740-71-0x000007FEF6260000-0x000007FEF6281000-memory.dmp

Filesize
132KB

Download
memory/2740-72-0x000007FEF6180000-0x000007FEF6198000-memory.dmp

Filesize
96KB

Download
memory/2740-75-0x000007FEF6120000-0x000007FEF6131000-memory.dmp

Filesize
68KB

Download
memory/2740-74-0x000007FEF6140000-0x000007FEF6151000-memory.dmp

Filesize
68KB

Download
memory/2740-73-0x000007FEF6160000-0x000007FEF6171000-memory.dmp

Filesize
68KB

Download
memory/2740-76-0x000007FEF6100000-0x000007FEF611B000-memory.dmp

Filesize
108KB

Download
memory/2740-79-0x000007FEF4A00000-0x000007FEF4A30000-memory.dmp

Filesize
192KB

Download
memory/2740-78-0x000007FEF4A30000-0x000007FEF4A48000-memory.dmp

Filesize
96KB

Download
memory/2740-82-0x000007FEF48F0000-0x000007FEF4901000-memory.dmp

Filesize
68KB

Download
memory/2740-80-0x000007FEF4990000-0x000007FEF49F7000-memory.dmp

Filesize
412KB

Download
memory/2864-49-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2864-27-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2864-57-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2864-42-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2864-34-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2864-48-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2864-25-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2864-35-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2864-41-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2864-45-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2864-50-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2864-29-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2864-31-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2864-37-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2864-39-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads