darkcomet | 886a19eebed17be999e169091faa097a5528e130eabfb407885b5f39a1ddc755

Analysis

max time kernel
149s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/02/2025, 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_067cd6820fd4dceced36c1dc1862e1c0.exe
Size

478KB
MD5

067cd6820fd4dceced36c1dc1862e1c0
SHA1

99b93339bca6e9513cd608467648b6946d362e51
SHA256

886a19eebed17be999e169091faa097a5528e130eabfb407885b5f39a1ddc755
SHA512

6076a23d133de86a0dc89b88acf34f152518878497a45f8b061b57b7d555976b953fe500997986e76b84f5f1636494ab328f609ac63dbb722f9b08d77ad2255c
SSDEEP

12288:UTFKfKr4/AmWt+ANJ/Jj0K3aMM0wuwPsqn33Fnox:oQft9u+ANb0KqoRwPsq31nK

Score

10^/10

darkcomet clubpenguingen discovery persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

ClubPenguinGen

tallow23.no-ip.biz:1604

Mutex

DC_MUTEX-DJBCVUN

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
KVpqMwoulCBn
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	Stage1.exe

Deletes itself 1 IoCs

pid	Process
2452	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2028	Stage2.exe
328	Stage1.exe
2920	msdcsc.exe

Loads dropped DLL 6 IoCs

pid	Process
1968	JaffaCakes118_067cd6820fd4dceced36c1dc1862e1c0.exe
1968	JaffaCakes118_067cd6820fd4dceced36c1dc1862e1c0.exe
1968	JaffaCakes118_067cd6820fd4dceced36c1dc1862e1c0.exe
1968	JaffaCakes118_067cd6820fd4dceced36c1dc1862e1c0.exe
328	Stage1.exe
328	Stage1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	Stage1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00090000000120d6-3.dat	upx
behavioral1/memory/2028-12-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2028-16-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/files/0x000800000001660e-17.dat	upx
behavioral1/memory/328-23-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/1968-20-0x0000000002530000-0x0000000002618000-memory.dmp	upx
behavioral1/memory/1968-26-0x0000000002530000-0x0000000002573000-memory.dmp	upx
behavioral1/memory/328-39-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/2920-38-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/2920-90-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/2920-91-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/2920-93-0x0000000000400000-0x00000000004E8000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Stage1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_067cd6820fd4dceced36c1dc1862e1c0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Stage2.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	328	Stage1.exe
Token: SeSecurityPrivilege	328	Stage1.exe
Token: SeTakeOwnershipPrivilege	328	Stage1.exe
Token: SeLoadDriverPrivilege	328	Stage1.exe
Token: SeSystemProfilePrivilege	328	Stage1.exe
Token: SeSystemtimePrivilege	328	Stage1.exe
Token: SeProfSingleProcessPrivilege	328	Stage1.exe
Token: SeIncBasePriorityPrivilege	328	Stage1.exe
Token: SeCreatePagefilePrivilege	328	Stage1.exe
Token: SeBackupPrivilege	328	Stage1.exe
Token: SeRestorePrivilege	328	Stage1.exe
Token: SeShutdownPrivilege	328	Stage1.exe
Token: SeDebugPrivilege	328	Stage1.exe
Token: SeSystemEnvironmentPrivilege	328	Stage1.exe
Token: SeChangeNotifyPrivilege	328	Stage1.exe
Token: SeRemoteShutdownPrivilege	328	Stage1.exe
Token: SeUndockPrivilege	328	Stage1.exe
Token: SeManageVolumePrivilege	328	Stage1.exe
Token: SeImpersonatePrivilege	328	Stage1.exe
Token: SeCreateGlobalPrivilege	328	Stage1.exe
Token: 33	328	Stage1.exe
Token: 34	328	Stage1.exe
Token: 35	328	Stage1.exe
Token: SeIncreaseQuotaPrivilege	2920	msdcsc.exe
Token: SeSecurityPrivilege	2920	msdcsc.exe
Token: SeTakeOwnershipPrivilege	2920	msdcsc.exe
Token: SeLoadDriverPrivilege	2920	msdcsc.exe
Token: SeSystemProfilePrivilege	2920	msdcsc.exe
Token: SeSystemtimePrivilege	2920	msdcsc.exe
Token: SeProfSingleProcessPrivilege	2920	msdcsc.exe
Token: SeIncBasePriorityPrivilege	2920	msdcsc.exe
Token: SeCreatePagefilePrivilege	2920	msdcsc.exe
Token: SeBackupPrivilege	2920	msdcsc.exe
Token: SeRestorePrivilege	2920	msdcsc.exe
Token: SeShutdownPrivilege	2920	msdcsc.exe
Token: SeDebugPrivilege	2920	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	2920	msdcsc.exe
Token: SeChangeNotifyPrivilege	2920	msdcsc.exe
Token: SeRemoteShutdownPrivilege	2920	msdcsc.exe
Token: SeUndockPrivilege	2920	msdcsc.exe
Token: SeManageVolumePrivilege	2920	msdcsc.exe
Token: SeImpersonatePrivilege	2920	msdcsc.exe
Token: SeCreateGlobalPrivilege	2920	msdcsc.exe
Token: 33	2920	msdcsc.exe
Token: 34	2920	msdcsc.exe
Token: 35	2920	msdcsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2920	msdcsc.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 2028	1968	JaffaCakes118_067cd6820fd4dceced36c1dc1862e1c0.exe	28
PID 1968 wrote to memory of 2028	1968	JaffaCakes118_067cd6820fd4dceced36c1dc1862e1c0.exe	28
PID 1968 wrote to memory of 2028	1968	JaffaCakes118_067cd6820fd4dceced36c1dc1862e1c0.exe	28
PID 1968 wrote to memory of 2028	1968	JaffaCakes118_067cd6820fd4dceced36c1dc1862e1c0.exe	28
PID 1968 wrote to memory of 328	1968	JaffaCakes118_067cd6820fd4dceced36c1dc1862e1c0.exe	30
PID 1968 wrote to memory of 328	1968	JaffaCakes118_067cd6820fd4dceced36c1dc1862e1c0.exe	30
PID 1968 wrote to memory of 328	1968	JaffaCakes118_067cd6820fd4dceced36c1dc1862e1c0.exe	30
PID 1968 wrote to memory of 328	1968	JaffaCakes118_067cd6820fd4dceced36c1dc1862e1c0.exe	30
PID 328 wrote to memory of 2920	328	Stage1.exe	31
PID 328 wrote to memory of 2920	328	Stage1.exe	31
PID 328 wrote to memory of 2920	328	Stage1.exe	31
PID 328 wrote to memory of 2920	328	Stage1.exe	31
PID 2920 wrote to memory of 2680	2920	msdcsc.exe	32
PID 2920 wrote to memory of 2680	2920	msdcsc.exe	32
PID 2920 wrote to memory of 2680	2920	msdcsc.exe	32
PID 2920 wrote to memory of 2680	2920	msdcsc.exe	32
PID 2920 wrote to memory of 2680	2920	msdcsc.exe	32
PID 2920 wrote to memory of 2680	2920	msdcsc.exe	32
PID 2920 wrote to memory of 2680	2920	msdcsc.exe	32
PID 2920 wrote to memory of 2680	2920	msdcsc.exe	32
PID 2920 wrote to memory of 2680	2920	msdcsc.exe	32
PID 2920 wrote to memory of 2680	2920	msdcsc.exe	32
PID 2920 wrote to memory of 2680	2920	msdcsc.exe	32
PID 2920 wrote to memory of 2680	2920	msdcsc.exe	32
PID 2920 wrote to memory of 2680	2920	msdcsc.exe	32
PID 2920 wrote to memory of 2680	2920	msdcsc.exe	32
PID 2920 wrote to memory of 2680	2920	msdcsc.exe	32
PID 2920 wrote to memory of 2680	2920	msdcsc.exe	32
PID 2920 wrote to memory of 2680	2920	msdcsc.exe	32
PID 2920 wrote to memory of 2680	2920	msdcsc.exe	32
PID 2920 wrote to memory of 2680	2920	msdcsc.exe	32
PID 2920 wrote to memory of 2680	2920	msdcsc.exe	32
PID 2920 wrote to memory of 2680	2920	msdcsc.exe	32
PID 2920 wrote to memory of 2680	2920	msdcsc.exe	32
PID 2920 wrote to memory of 2680	2920	msdcsc.exe	32
PID 1968 wrote to memory of 2452	1968	JaffaCakes118_067cd6820fd4dceced36c1dc1862e1c0.exe	33
PID 1968 wrote to memory of 2452	1968	JaffaCakes118_067cd6820fd4dceced36c1dc1862e1c0.exe	33
PID 1968 wrote to memory of 2452	1968	JaffaCakes118_067cd6820fd4dceced36c1dc1862e1c0.exe	33
PID 1968 wrote to memory of 2452	1968	JaffaCakes118_067cd6820fd4dceced36c1dc1862e1c0.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067cd6820fd4dceced36c1dc1862e1c0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067cd6820fd4dceced36c1dc1862e1c0.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Users\Admin\AppData\Local\Temp\Stage2.exe
  "C:\Users\Admin\AppData\Local\Temp\Stage2.exe" x -y -oC:\Users\Admin\AppData\Local\Temp -pxnq8rPMxVI87ciGwWJHxRTy3iauHcIirteOOELv3B5vkS9kJoHBUAahY1dWxj8yA
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2028
- C:\Users\Admin\AppData\Local\Temp\Stage1.exe
  "C:\Users\Admin\AppData\Local\Temp\Stage1.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:328
- - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      System Location Discovery: System Language Discovery
      PID:2680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

Filesize
264B

MD5
646f819def6c21c6166fe02da581ccd1

SHA1
cc482bc7d981b211119bcf14312cbb20702d5416

SHA256
6e4f5014c97a37b2a834240fd7aadd1ee0507a7992bc37824f7e9593ec393452

SHA512
f2af5dee03d9852910e51af1ddce8e8749fa42f2eef484fe09c99c174d401810154992df41bd71dd30843931d66bc35c7e7a4bbfca77191e3a76c027d6491ed8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stage1.exe

Filesize
349KB

MD5
7644ccb42c289aead0c8b9f3642b57da

SHA1
4279c3f42232e458ece6eb70aa4dd0355bda5530

SHA256
60c21325337bb1000a7c8aad8ccb1a2df251648da4928ce9920cbf7675a5c02e

SHA512
01c41098dbe6f0bee47b9b22208214ed2633ea6f70e7255fee64425bfa898098ef0bb2ca70d6023c8dcb5ddffcd60a7ebc60b489349187f6fa557d3a7af020cb

Download Submit
\Users\Admin\AppData\Local\Temp\Stage2.exe

Filesize
383KB

MD5
e704fba11c603023457a57b0e2405eaa

SHA1
bd8859206bac2a772fa86a859c06ca0490ca38f3

SHA256
37ebc01c2b29f9b27e73974c3ac48bf3c01d5e29c2d688ed225c5ca0cbc20a4f

SHA512
7983ef78d15285efc23eedb3d05251a46a0430fde1ad422e3eaeb35c16ab624376f66afb93c1d4e9db02d57a8efb91eced8394a45f37a12e83458432703bad66

Download Submit
memory/328-39-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/328-24-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/328-32-0x0000000005610000-0x00000000056F8000-memory.dmp

Filesize
928KB

Download
memory/328-23-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1968-20-0x0000000002530000-0x0000000002618000-memory.dmp

Filesize
928KB

Download
memory/1968-11-0x0000000002530000-0x0000000002573000-memory.dmp

Filesize
268KB

Download
memory/1968-21-0x0000000002530000-0x0000000002618000-memory.dmp

Filesize
928KB

Download
memory/1968-26-0x0000000002530000-0x0000000002573000-memory.dmp

Filesize
268KB

Download
memory/1968-27-0x0000000002530000-0x0000000002618000-memory.dmp

Filesize
928KB

Download
memory/1968-10-0x0000000002530000-0x0000000002573000-memory.dmp

Filesize
268KB

Download
memory/2028-12-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2028-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2680-41-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2680-79-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2920-38-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2920-90-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2920-91-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2920-93-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads