darkcomet | 0c1f4d0d9fc0877e497c15bc89869c019a2a22ea0551af1c5a962689ca9ae328

Analysis

max time kernel
142s
max time network
140s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
25/02/2025, 15:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_227a0f7cb2cbcd3e3de05d9547e83799.exe
Size

1.8MB
MD5

227a0f7cb2cbcd3e3de05d9547e83799
SHA1

5a2be3bee31db9b50e068f1f2ad7a23f92b02c31
SHA256

0c1f4d0d9fc0877e497c15bc89869c019a2a22ea0551af1c5a962689ca9ae328
SHA512

daeba0b4948687345b26bedb722a89dddb3257dbd2624bf261e478db9592e17b53f632d5401e0d72b6bc1d4bda252a502089b5665603b79e3eb23efcc4288c9e
SSDEEP

24576:gMC6/tIm6YL6SAhk70Trc/n6Ib6eYWxWhQU/5+eAO3gptmsNpdm0zRndLJbe7g:gM1L+S2kQTArahz5JYz77

Score

10^/10

darkcomet guest16_min discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16_min

178.32.175.242:1604

Mutex

DCMIN_MUTEX-TB6MLVQ

Attributes

InstallPath
DCSCMIN\IMDCSC.exe
gencode
M9CjskNV6E0C
install
true
offline_keylogger
true
persistence
false
reg_key
eternalspy

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	sam.exe

Executes dropped EXE 4 IoCs

pid	Process
1944	GR2CRYPTERBYROXAS.EXE
2124	SAMFUD.EXE
1368	sam.exe
2232	IMDCSC.exe

Loads dropped DLL 6 IoCs

pid	Process
324	JaffaCakes118_227a0f7cb2cbcd3e3de05d9547e83799.exe
324	JaffaCakes118_227a0f7cb2cbcd3e3de05d9547e83799.exe
2124	SAMFUD.EXE
2124	SAMFUD.EXE
1368	sam.exe
1368	sam.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\eternalspy = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	sam.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_227a0f7cb2cbcd3e3de05d9547e83799.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SAMFUD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMDCSC.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	2124	SAMFUD.EXE
Token: SeIncreaseQuotaPrivilege	1368	sam.exe
Token: SeSecurityPrivilege	1368	sam.exe
Token: SeTakeOwnershipPrivilege	1368	sam.exe
Token: SeLoadDriverPrivilege	1368	sam.exe
Token: SeSystemProfilePrivilege	1368	sam.exe
Token: SeSystemtimePrivilege	1368	sam.exe
Token: SeProfSingleProcessPrivilege	1368	sam.exe
Token: SeIncBasePriorityPrivilege	1368	sam.exe
Token: SeCreatePagefilePrivilege	1368	sam.exe
Token: SeBackupPrivilege	1368	sam.exe
Token: SeRestorePrivilege	1368	sam.exe
Token: SeShutdownPrivilege	1368	sam.exe
Token: SeDebugPrivilege	1368	sam.exe
Token: SeSystemEnvironmentPrivilege	1368	sam.exe
Token: SeChangeNotifyPrivilege	1368	sam.exe
Token: SeRemoteShutdownPrivilege	1368	sam.exe
Token: SeUndockPrivilege	1368	sam.exe
Token: SeManageVolumePrivilege	1368	sam.exe
Token: SeImpersonatePrivilege	1368	sam.exe
Token: SeCreateGlobalPrivilege	1368	sam.exe
Token: 33	1368	sam.exe
Token: 34	1368	sam.exe
Token: 35	1368	sam.exe
Token: SeIncreaseQuotaPrivilege	2232	IMDCSC.exe
Token: SeSecurityPrivilege	2232	IMDCSC.exe
Token: SeTakeOwnershipPrivilege	2232	IMDCSC.exe
Token: SeLoadDriverPrivilege	2232	IMDCSC.exe
Token: SeSystemProfilePrivilege	2232	IMDCSC.exe
Token: SeSystemtimePrivilege	2232	IMDCSC.exe
Token: SeProfSingleProcessPrivilege	2232	IMDCSC.exe
Token: SeIncBasePriorityPrivilege	2232	IMDCSC.exe
Token: SeCreatePagefilePrivilege	2232	IMDCSC.exe
Token: SeBackupPrivilege	2232	IMDCSC.exe
Token: SeRestorePrivilege	2232	IMDCSC.exe
Token: SeShutdownPrivilege	2232	IMDCSC.exe
Token: SeDebugPrivilege	2232	IMDCSC.exe
Token: SeSystemEnvironmentPrivilege	2232	IMDCSC.exe
Token: SeChangeNotifyPrivilege	2232	IMDCSC.exe
Token: SeRemoteShutdownPrivilege	2232	IMDCSC.exe
Token: SeUndockPrivilege	2232	IMDCSC.exe
Token: SeManageVolumePrivilege	2232	IMDCSC.exe
Token: SeImpersonatePrivilege	2232	IMDCSC.exe
Token: SeCreateGlobalPrivilege	2232	IMDCSC.exe
Token: 33	2232	IMDCSC.exe
Token: 34	2232	IMDCSC.exe
Token: 35	2232	IMDCSC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2232	IMDCSC.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 324 wrote to memory of 1944	324	JaffaCakes118_227a0f7cb2cbcd3e3de05d9547e83799.exe	30
PID 324 wrote to memory of 1944	324	JaffaCakes118_227a0f7cb2cbcd3e3de05d9547e83799.exe	30
PID 324 wrote to memory of 1944	324	JaffaCakes118_227a0f7cb2cbcd3e3de05d9547e83799.exe	30
PID 324 wrote to memory of 1944	324	JaffaCakes118_227a0f7cb2cbcd3e3de05d9547e83799.exe	30
PID 324 wrote to memory of 2124	324	JaffaCakes118_227a0f7cb2cbcd3e3de05d9547e83799.exe	32
PID 324 wrote to memory of 2124	324	JaffaCakes118_227a0f7cb2cbcd3e3de05d9547e83799.exe	32
PID 324 wrote to memory of 2124	324	JaffaCakes118_227a0f7cb2cbcd3e3de05d9547e83799.exe	32
PID 324 wrote to memory of 2124	324	JaffaCakes118_227a0f7cb2cbcd3e3de05d9547e83799.exe	32
PID 2124 wrote to memory of 1368	2124	SAMFUD.EXE	33
PID 2124 wrote to memory of 1368	2124	SAMFUD.EXE	33
PID 2124 wrote to memory of 1368	2124	SAMFUD.EXE	33
PID 2124 wrote to memory of 1368	2124	SAMFUD.EXE	33
PID 1368 wrote to memory of 2232	1368	sam.exe	34
PID 1368 wrote to memory of 2232	1368	sam.exe	34
PID 1368 wrote to memory of 2232	1368	sam.exe	34
PID 1368 wrote to memory of 2232	1368	sam.exe	34

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_227a0f7cb2cbcd3e3de05d9547e83799.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_227a0f7cb2cbcd3e3de05d9547e83799.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:324
- C:\Users\Admin\AppData\Local\Temp\GR2CRYPTERBYROXAS.EXE
  "C:\Users\Admin\AppData\Local\Temp\GR2CRYPTERBYROXAS.EXE"
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Users\Admin\AppData\Local\Temp\SAMFUD.EXE
  "C:\Users\Admin\AppData\Local\Temp\SAMFUD.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Users\Admin\AppData\Local\Temp\sam.exe
    "C:\Users\Admin\AppData\Local\Temp\sam.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1368
  - - C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
      "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\GR2CRYPTERBYROXAS.EXE

Filesize
368KB

MD5
9ea1813bb9dc4305808f6fe26aa54e81

SHA1
83b31a029c17bc2cfb94d3d1862bc480442ba11c

SHA256
c157e89aabee96d6329054a9c0a4ceec2ebc9715e8be4b50a3ff47993f2eb5e1

SHA512
0a659eb6b43bf12fba632f0e0fee38c5d34cef9192b8195b207fcb303c7e9dcd649a7f330599226e4cd3f2feb9ef7cedd92802059c120a089d5dc4742203b4ea

Download Submit
\Users\Admin\AppData\Local\Temp\SAMFUD.EXE

Filesize
1.1MB

MD5
9b395f2f7145c7e8c852f4f381f1338a

SHA1
3e444095b362cd66d7201af1c51f67c4d64760bd

SHA256
97f98c9dcbcbed1262311f6b39e756dd644c54eef7491c9c1d07aafaa072f3fb

SHA512
56e115df00683fb26f3c888f2847b0f97f0cfce92122c65623dba9e58e830395ec6ac41bbe97b9d98df0ef946983290ac96beaed040b0e19a764903bd6420718

Download Submit
\Users\Admin\AppData\Local\Temp\sam.exe

Filesize
658KB

MD5
832e0351b142d29d19782cf0678c2d71

SHA1
20d138799f9bc9fe97d7e5b7af4823a9fe1ef7ec

SHA256
ef6ea1abc5912fa7b98f6a597a51ffb2bf2af4e2c71cf04365b594ba36c4ccd9

SHA512
d55e8f0bd98afeab322e8264c78eb251d61d9ac85f1f7adf7f09feb24434cb08ef700215672705c444c2d226705e6e28b2b4c32438bc78959c1b69232f5c7d4d

Download Submit
memory/2124-53-0x00000000020B0000-0x00000000020E4000-memory.dmp

Filesize
208KB

Download
memory/2124-55-0x00000000020B0000-0x00000000020E4000-memory.dmp

Filesize
208KB

Download
memory/2124-15-0x0000000074770000-0x0000000074D1B000-memory.dmp

Filesize
5.7MB

Download
memory/2124-16-0x00000000020B0000-0x00000000020E4000-memory.dmp

Filesize
208KB

Download
memory/2124-74-0x00000000020B0000-0x00000000020E4000-memory.dmp

Filesize
208KB

Download
memory/2124-79-0x00000000020B0000-0x00000000020E4000-memory.dmp

Filesize
208KB

Download
memory/2124-77-0x00000000020B0000-0x00000000020E4000-memory.dmp

Filesize
208KB

Download
memory/2124-75-0x00000000020B0000-0x00000000020E4000-memory.dmp

Filesize
208KB

Download
memory/2124-71-0x00000000020B0000-0x00000000020E4000-memory.dmp

Filesize
208KB

Download
memory/2124-69-0x00000000020B0000-0x00000000020E4000-memory.dmp

Filesize
208KB

Download
memory/2124-67-0x00000000020B0000-0x00000000020E4000-memory.dmp

Filesize
208KB

Download
memory/2124-65-0x00000000020B0000-0x00000000020E4000-memory.dmp

Filesize
208KB

Download
memory/2124-63-0x00000000020B0000-0x00000000020E4000-memory.dmp

Filesize
208KB

Download
memory/2124-61-0x00000000020B0000-0x00000000020E4000-memory.dmp

Filesize
208KB

Download
memory/2124-59-0x00000000020B0000-0x00000000020E4000-memory.dmp

Filesize
208KB

Download
memory/2124-57-0x00000000020B0000-0x00000000020E4000-memory.dmp

Filesize
208KB

Download
memory/2124-49-0x00000000020B0000-0x00000000020E4000-memory.dmp

Filesize
208KB

Download
memory/2124-13-0x0000000074770000-0x0000000074D1B000-memory.dmp

Filesize
5.7MB

Download
memory/2124-14-0x0000000074770000-0x0000000074D1B000-memory.dmp

Filesize
5.7MB

Download
memory/2124-51-0x00000000020B0000-0x00000000020E4000-memory.dmp

Filesize
208KB

Download
memory/2124-41-0x00000000020B0000-0x00000000020E4000-memory.dmp

Filesize
208KB

Download
memory/2124-45-0x00000000020B0000-0x00000000020E4000-memory.dmp

Filesize
208KB

Download
memory/2124-43-0x00000000020B0000-0x00000000020E4000-memory.dmp

Filesize
208KB

Download
memory/2124-47-0x00000000020B0000-0x00000000020E4000-memory.dmp

Filesize
208KB

Download
memory/2124-39-0x00000000020B0000-0x00000000020E4000-memory.dmp

Filesize
208KB

Download
memory/2124-37-0x00000000020B0000-0x00000000020E4000-memory.dmp

Filesize
208KB

Download
memory/2124-35-0x00000000020B0000-0x00000000020E4000-memory.dmp

Filesize
208KB

Download
memory/2124-33-0x00000000020B0000-0x00000000020E4000-memory.dmp

Filesize
208KB

Download
memory/2124-31-0x00000000020B0000-0x00000000020E4000-memory.dmp

Filesize
208KB

Download
memory/2124-29-0x00000000020B0000-0x00000000020E4000-memory.dmp

Filesize
208KB

Download
memory/2124-27-0x00000000020B0000-0x00000000020E4000-memory.dmp

Filesize
208KB

Download
memory/2124-25-0x00000000020B0000-0x00000000020E4000-memory.dmp

Filesize
208KB

Download
memory/2124-23-0x00000000020B0000-0x00000000020E4000-memory.dmp

Filesize
208KB

Download
memory/2124-21-0x00000000020B0000-0x00000000020E4000-memory.dmp

Filesize
208KB

Download
memory/2124-19-0x00000000020B0000-0x00000000020E4000-memory.dmp

Filesize
208KB

Download
memory/2124-17-0x00000000020B0000-0x00000000020E4000-memory.dmp

Filesize
208KB

Download
memory/2124-138-0x0000000074770000-0x0000000074D1B000-memory.dmp

Filesize
5.7MB

Download
memory/2124-12-0x0000000074771000-0x0000000074772000-memory.dmp

Filesize
4KB

Download
memory/2124-161-0x0000000074770000-0x0000000074D1B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads