darkcomet | 30bb2e2f29dc5a233be29d20739d866e93f97c3de5617fbd1ba416938f1e63f2

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
20/02/2025, 16:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_0cf8200837cf0b24e688473dccf93052.exe
Size

1.1MB
MD5

0cf8200837cf0b24e688473dccf93052
SHA1

197087003ddeda2958de76b0e7ed333e80f25967
SHA256

30bb2e2f29dc5a233be29d20739d866e93f97c3de5617fbd1ba416938f1e63f2
SHA512

a81c08a19058b3eed0c2e5ebb9aa312a82eaf918cc280d9391747efcaadb2ed637fc4540dc82aa1bbedb3e740349b7c9f2e8a2fa44e63c7b51e064099b2052e3
SSDEEP

24576:ToVdK9HL6QN8LrQ5u1oGXBGurYIOaO9MlhvRMQPS:ToVdaHLqZ1JBGu0KlhZS

Score

10^/10

darkcomet ms-dos defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

ms-dos

pourmoi.zapto.org:2000

pourmoi.zapto.org:200

pourmoi.zapto.org:1604

pourmoi.zapto.org:164

pourmoi.zapto.org:80

Mutex

DC_MUTEX-4LYCH3H

Attributes

InstallPath
MSDCSC\msdos32.exe
gencode
c4l%H8N�Um6w
install
true
offline_keylogger
true
password
da06101266
persistence
true
reg_key
sysUpdate

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\MSDCSC\\msdos32.exe"	50.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2052	attrib.exe
2876	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	50.exe

Executes dropped EXE 2 IoCs

pid	Process
2344	50.exe
4836	msdos32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysUpdate = "C:\\Windows\\MSDCSC\\msdos32.exe"	50.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysUpdate = "C:\\Windows\\MSDCSC\\msdos32.exe"	msdos32.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\MSDCSC\msdos32.exe	50.exe
File opened for modification	C:\Windows\MSDCSC\msdos32.exe	50.exe
File opened for modification	C:\Windows\MSDCSC\	50.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdos32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	50.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4836	msdos32.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeDebugPrivilege	4068	JaffaCakes118_0cf8200837cf0b24e688473dccf93052.exe
Token: 33	4068	JaffaCakes118_0cf8200837cf0b24e688473dccf93052.exe
Token: SeIncBasePriorityPrivilege	4068	JaffaCakes118_0cf8200837cf0b24e688473dccf93052.exe
Token: SeIncreaseQuotaPrivilege	2344	50.exe
Token: SeSecurityPrivilege	2344	50.exe
Token: SeTakeOwnershipPrivilege	2344	50.exe
Token: SeLoadDriverPrivilege	2344	50.exe
Token: SeSystemProfilePrivilege	2344	50.exe
Token: SeSystemtimePrivilege	2344	50.exe
Token: SeProfSingleProcessPrivilege	2344	50.exe
Token: SeIncBasePriorityPrivilege	2344	50.exe
Token: SeCreatePagefilePrivilege	2344	50.exe
Token: SeBackupPrivilege	2344	50.exe
Token: SeRestorePrivilege	2344	50.exe
Token: SeShutdownPrivilege	2344	50.exe
Token: SeDebugPrivilege	2344	50.exe
Token: SeSystemEnvironmentPrivilege	2344	50.exe
Token: SeChangeNotifyPrivilege	2344	50.exe
Token: SeRemoteShutdownPrivilege	2344	50.exe
Token: SeUndockPrivilege	2344	50.exe
Token: SeManageVolumePrivilege	2344	50.exe
Token: SeImpersonatePrivilege	2344	50.exe
Token: SeCreateGlobalPrivilege	2344	50.exe
Token: 33	2344	50.exe
Token: 34	2344	50.exe
Token: 35	2344	50.exe
Token: 36	2344	50.exe
Token: SeIncreaseQuotaPrivilege	4836	msdos32.exe
Token: SeSecurityPrivilege	4836	msdos32.exe
Token: SeTakeOwnershipPrivilege	4836	msdos32.exe
Token: SeLoadDriverPrivilege	4836	msdos32.exe
Token: SeSystemProfilePrivilege	4836	msdos32.exe
Token: SeSystemtimePrivilege	4836	msdos32.exe
Token: SeProfSingleProcessPrivilege	4836	msdos32.exe
Token: SeIncBasePriorityPrivilege	4836	msdos32.exe
Token: SeCreatePagefilePrivilege	4836	msdos32.exe
Token: SeBackupPrivilege	4836	msdos32.exe
Token: SeRestorePrivilege	4836	msdos32.exe
Token: SeShutdownPrivilege	4836	msdos32.exe
Token: SeDebugPrivilege	4836	msdos32.exe
Token: SeSystemEnvironmentPrivilege	4836	msdos32.exe
Token: SeChangeNotifyPrivilege	4836	msdos32.exe
Token: SeRemoteShutdownPrivilege	4836	msdos32.exe
Token: SeUndockPrivilege	4836	msdos32.exe
Token: SeManageVolumePrivilege	4836	msdos32.exe
Token: SeImpersonatePrivilege	4836	msdos32.exe
Token: SeCreateGlobalPrivilege	4836	msdos32.exe
Token: 33	4836	msdos32.exe
Token: 34	4836	msdos32.exe
Token: 35	4836	msdos32.exe
Token: 36	4836	msdos32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4836	msdos32.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4068 wrote to memory of 2344	4068	JaffaCakes118_0cf8200837cf0b24e688473dccf93052.exe	90
PID 4068 wrote to memory of 2344	4068	JaffaCakes118_0cf8200837cf0b24e688473dccf93052.exe	90
PID 4068 wrote to memory of 2344	4068	JaffaCakes118_0cf8200837cf0b24e688473dccf93052.exe	90
PID 2344 wrote to memory of 8	2344	50.exe	92
PID 2344 wrote to memory of 8	2344	50.exe	92
PID 2344 wrote to memory of 8	2344	50.exe	92
PID 2344 wrote to memory of 4232	2344	50.exe	94
PID 2344 wrote to memory of 4232	2344	50.exe	94
PID 2344 wrote to memory of 4232	2344	50.exe	94
PID 8 wrote to memory of 2052	8	cmd.exe	96
PID 8 wrote to memory of 2052	8	cmd.exe	96
PID 8 wrote to memory of 2052	8	cmd.exe	96
PID 4232 wrote to memory of 2876	4232	cmd.exe	97
PID 4232 wrote to memory of 2876	4232	cmd.exe	97
PID 4232 wrote to memory of 2876	4232	cmd.exe	97
PID 2344 wrote to memory of 4836	2344	50.exe	98
PID 2344 wrote to memory of 4836	2344	50.exe	98
PID 2344 wrote to memory of 4836	2344	50.exe	98

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2052	attrib.exe
2876	attrib.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0cf8200837cf0b24e688473dccf93052.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0cf8200837cf0b24e688473dccf93052.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Users\Admin\AppData\Local\Temp\50.exe
  C:\Users\Admin\AppData\Local\Temp\50.exe
  2⤵
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:8
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4232
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2876
- - C:\Windows\MSDCSC\msdos32.exe
    "C:\Windows\MSDCSC\msdos32.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\50.exe

Filesize
724KB

MD5
2bbb418d27370b074b04e00f952589d3

SHA1
33f9364ca6162ad034daddf7db703900fbe2b2db

SHA256
4ab9019218070ade17cd0cc442b1a967001b17e1bb1a14a64f4c1948a9cc0263

SHA512
513089f273c61b5fdd252c9c639d1cda859d92d704b1241b4c00b1ec4154ead846c1dc0be8e36f3bb6f78a504cce5ebc96403cba47f342c4e80b785a79ed0874

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat

Filesize
50B

MD5
b774ae3fb1da087e1f83b4f7b2060e5a

SHA1
97eb9be49ac3af9c851c9e1e84e32bfd53e325a8

SHA256
adaf4a84b41e410b02e261cfd0fe7739d98647eab73c3badd32ac6e39f26351b

SHA512
f75d0f95f7306d26a12b414bfe37b97fbd37546cb3c6e403def7077329ddffb4b45d5c5f0ba0e7bb6d72851d2d691b0a85267beead42f7cbf2e8c3d45a3b4701

Download Submit
memory/2344-9-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/2344-81-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4068-0-0x00007FFD3FA95000-0x00007FFD3FA96000-memory.dmp

Filesize
4KB

Download
memory/4068-1-0x000000001B350000-0x000000001B3F6000-memory.dmp

Filesize
664KB

Download
memory/4068-2-0x00007FFD3F7E0000-0x00007FFD40181000-memory.dmp

Filesize
9.6MB

Download
memory/4068-3-0x000000001B940000-0x000000001BE0E000-memory.dmp

Filesize
4.8MB

Download
memory/4068-4-0x00007FFD3F7E0000-0x00007FFD40181000-memory.dmp

Filesize
9.6MB

Download
memory/4068-11-0x00007FFD3F7E0000-0x00007FFD40181000-memory.dmp

Filesize
9.6MB

Download
memory/4836-84-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4836-89-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4836-82-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4836-85-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4836-86-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4836-87-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4836-88-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4836-83-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4836-90-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4836-91-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4836-92-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4836-93-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4836-94-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4836-95-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads