darkcomet | 0c1f4d0d9fc0877e497c15bc89869c019a2a22ea0551af1c5a962689ca9ae328

Analysis

max time kernel
147s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
25/02/2025, 15:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_227a0f7cb2cbcd3e3de05d9547e83799.exe
Size

1.8MB
MD5

227a0f7cb2cbcd3e3de05d9547e83799
SHA1

5a2be3bee31db9b50e068f1f2ad7a23f92b02c31
SHA256

0c1f4d0d9fc0877e497c15bc89869c019a2a22ea0551af1c5a962689ca9ae328
SHA512

daeba0b4948687345b26bedb722a89dddb3257dbd2624bf261e478db9592e17b53f632d5401e0d72b6bc1d4bda252a502089b5665603b79e3eb23efcc4288c9e
SSDEEP

24576:gMC6/tIm6YL6SAhk70Trc/n6Ib6eYWxWhQU/5+eAO3gptmsNpdm0zRndLJbe7g:gM1L+S2kQTArahz5JYz77

Score

10^/10

darkcomet discovery persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	sam.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	sam.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	JaffaCakes118_227a0f7cb2cbcd3e3de05d9547e83799.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	SAMFUD.EXE

Executes dropped EXE 4 IoCs

pid	Process
4252	GR2CRYPTERBYROXAS.EXE
3956	SAMFUD.EXE
4156	sam.exe
4436	IMDCSC.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eternalspy = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	sam.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	SAMFUD.EXE
File opened for modification	C:\Windows\assembly\Desktop.ini	SAMFUD.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	SAMFUD.EXE
File created	C:\Windows\assembly\Desktop.ini	SAMFUD.EXE
File opened for modification	C:\Windows\assembly\Desktop.ini	SAMFUD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_227a0f7cb2cbcd3e3de05d9547e83799.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SAMFUD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GR2CRYPTERBYROXAS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMDCSC.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	3956	SAMFUD.EXE
Token: SeIncreaseQuotaPrivilege	4156	sam.exe
Token: SeSecurityPrivilege	4156	sam.exe
Token: SeTakeOwnershipPrivilege	4156	sam.exe
Token: SeLoadDriverPrivilege	4156	sam.exe
Token: SeSystemProfilePrivilege	4156	sam.exe
Token: SeSystemtimePrivilege	4156	sam.exe
Token: SeProfSingleProcessPrivilege	4156	sam.exe
Token: SeIncBasePriorityPrivilege	4156	sam.exe
Token: SeCreatePagefilePrivilege	4156	sam.exe
Token: SeBackupPrivilege	4156	sam.exe
Token: SeRestorePrivilege	4156	sam.exe
Token: SeShutdownPrivilege	4156	sam.exe
Token: SeDebugPrivilege	4156	sam.exe
Token: SeSystemEnvironmentPrivilege	4156	sam.exe
Token: SeChangeNotifyPrivilege	4156	sam.exe
Token: SeRemoteShutdownPrivilege	4156	sam.exe
Token: SeUndockPrivilege	4156	sam.exe
Token: SeManageVolumePrivilege	4156	sam.exe
Token: SeImpersonatePrivilege	4156	sam.exe
Token: SeCreateGlobalPrivilege	4156	sam.exe
Token: 33	4156	sam.exe
Token: 34	4156	sam.exe
Token: 35	4156	sam.exe
Token: 36	4156	sam.exe
Token: SeIncreaseQuotaPrivilege	4436	IMDCSC.exe
Token: SeSecurityPrivilege	4436	IMDCSC.exe
Token: SeTakeOwnershipPrivilege	4436	IMDCSC.exe
Token: SeLoadDriverPrivilege	4436	IMDCSC.exe
Token: SeSystemProfilePrivilege	4436	IMDCSC.exe
Token: SeSystemtimePrivilege	4436	IMDCSC.exe
Token: SeProfSingleProcessPrivilege	4436	IMDCSC.exe
Token: SeIncBasePriorityPrivilege	4436	IMDCSC.exe
Token: SeCreatePagefilePrivilege	4436	IMDCSC.exe
Token: SeBackupPrivilege	4436	IMDCSC.exe
Token: SeRestorePrivilege	4436	IMDCSC.exe
Token: SeShutdownPrivilege	4436	IMDCSC.exe
Token: SeDebugPrivilege	4436	IMDCSC.exe
Token: SeSystemEnvironmentPrivilege	4436	IMDCSC.exe
Token: SeChangeNotifyPrivilege	4436	IMDCSC.exe
Token: SeRemoteShutdownPrivilege	4436	IMDCSC.exe
Token: SeUndockPrivilege	4436	IMDCSC.exe
Token: SeManageVolumePrivilege	4436	IMDCSC.exe
Token: SeImpersonatePrivilege	4436	IMDCSC.exe
Token: SeCreateGlobalPrivilege	4436	IMDCSC.exe
Token: 33	4436	IMDCSC.exe
Token: 34	4436	IMDCSC.exe
Token: 35	4436	IMDCSC.exe
Token: 36	4436	IMDCSC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4436	IMDCSC.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 4252	2748	JaffaCakes118_227a0f7cb2cbcd3e3de05d9547e83799.exe	84
PID 2748 wrote to memory of 4252	2748	JaffaCakes118_227a0f7cb2cbcd3e3de05d9547e83799.exe	84
PID 2748 wrote to memory of 4252	2748	JaffaCakes118_227a0f7cb2cbcd3e3de05d9547e83799.exe	84
PID 2748 wrote to memory of 3956	2748	JaffaCakes118_227a0f7cb2cbcd3e3de05d9547e83799.exe	86
PID 2748 wrote to memory of 3956	2748	JaffaCakes118_227a0f7cb2cbcd3e3de05d9547e83799.exe	86
PID 2748 wrote to memory of 3956	2748	JaffaCakes118_227a0f7cb2cbcd3e3de05d9547e83799.exe	86
PID 3956 wrote to memory of 4156	3956	SAMFUD.EXE	90
PID 3956 wrote to memory of 4156	3956	SAMFUD.EXE	90
PID 3956 wrote to memory of 4156	3956	SAMFUD.EXE	90
PID 4156 wrote to memory of 4436	4156	sam.exe	93
PID 4156 wrote to memory of 4436	4156	sam.exe	93
PID 4156 wrote to memory of 4436	4156	sam.exe	93

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_227a0f7cb2cbcd3e3de05d9547e83799.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_227a0f7cb2cbcd3e3de05d9547e83799.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Users\Admin\AppData\Local\Temp\GR2CRYPTERBYROXAS.EXE
  "C:\Users\Admin\AppData\Local\Temp\GR2CRYPTERBYROXAS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4252
- C:\Users\Admin\AppData\Local\Temp\SAMFUD.EXE
  "C:\Users\Admin\AppData\Local\Temp\SAMFUD.EXE"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3956
- - C:\Users\Admin\AppData\Local\Temp\sam.exe
    "C:\Users\Admin\AppData\Local\Temp\sam.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4156
  - - C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
      "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GR2CRYPTERBYROXAS.EXE

Filesize
368KB

MD5
9ea1813bb9dc4305808f6fe26aa54e81

SHA1
83b31a029c17bc2cfb94d3d1862bc480442ba11c

SHA256
c157e89aabee96d6329054a9c0a4ceec2ebc9715e8be4b50a3ff47993f2eb5e1

SHA512
0a659eb6b43bf12fba632f0e0fee38c5d34cef9192b8195b207fcb303c7e9dcd649a7f330599226e4cd3f2feb9ef7cedd92802059c120a089d5dc4742203b4ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAMFUD.EXE

Filesize
1.1MB

MD5
9b395f2f7145c7e8c852f4f381f1338a

SHA1
3e444095b362cd66d7201af1c51f67c4d64760bd

SHA256
97f98c9dcbcbed1262311f6b39e756dd644c54eef7491c9c1d07aafaa072f3fb

SHA512
56e115df00683fb26f3c888f2847b0f97f0cfce92122c65623dba9e58e830395ec6ac41bbe97b9d98df0ef946983290ac96beaed040b0e19a764903bd6420718

Download Submit
C:\Users\Admin\AppData\Local\Temp\sam.exe

Filesize
658KB

MD5
832e0351b142d29d19782cf0678c2d71

SHA1
20d138799f9bc9fe97d7e5b7af4823a9fe1ef7ec

SHA256
ef6ea1abc5912fa7b98f6a597a51ffb2bf2af4e2c71cf04365b594ba36c4ccd9

SHA512
d55e8f0bd98afeab322e8264c78eb251d61d9ac85f1f7adf7f09feb24434cb08ef700215672705c444c2d226705e6e28b2b4c32438bc78959c1b69232f5c7d4d

Download Submit
memory/3956-64-0x0000000002590000-0x00000000025C4000-memory.dmp

Filesize
208KB

Download
memory/3956-58-0x0000000002590000-0x00000000025C4000-memory.dmp

Filesize
208KB

Download
memory/3956-24-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/3956-25-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/3956-26-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/3956-56-0x0000000002590000-0x00000000025C4000-memory.dmp

Filesize
208KB

Download
memory/3956-90-0x0000000002590000-0x00000000025C4000-memory.dmp

Filesize
208KB

Download
memory/3956-88-0x0000000002590000-0x00000000025C4000-memory.dmp

Filesize
208KB

Download
memory/3956-86-0x0000000002590000-0x00000000025C4000-memory.dmp

Filesize
208KB

Download
memory/3956-84-0x0000000002590000-0x00000000025C4000-memory.dmp

Filesize
208KB

Download
memory/3956-82-0x0000000002590000-0x00000000025C4000-memory.dmp

Filesize
208KB

Download
memory/3956-80-0x0000000002590000-0x00000000025C4000-memory.dmp

Filesize
208KB

Download
memory/3956-78-0x0000000002590000-0x00000000025C4000-memory.dmp

Filesize
208KB

Download
memory/3956-76-0x0000000002590000-0x00000000025C4000-memory.dmp

Filesize
208KB

Download
memory/3956-74-0x0000000002590000-0x00000000025C4000-memory.dmp

Filesize
208KB

Download
memory/3956-72-0x0000000002590000-0x00000000025C4000-memory.dmp

Filesize
208KB

Download
memory/3956-70-0x0000000002590000-0x00000000025C4000-memory.dmp

Filesize
208KB

Download
memory/3956-60-0x0000000002590000-0x00000000025C4000-memory.dmp

Filesize
208KB

Download
memory/3956-66-0x0000000002590000-0x00000000025C4000-memory.dmp

Filesize
208KB

Download
memory/3956-20-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/3956-21-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/3956-62-0x0000000002590000-0x00000000025C4000-memory.dmp

Filesize
208KB

Download
memory/3956-68-0x0000000002590000-0x00000000025C4000-memory.dmp

Filesize
208KB

Download
memory/3956-54-0x0000000002590000-0x00000000025C4000-memory.dmp

Filesize
208KB

Download
memory/3956-52-0x0000000002590000-0x00000000025C4000-memory.dmp

Filesize
208KB

Download
memory/3956-50-0x0000000002590000-0x00000000025C4000-memory.dmp

Filesize
208KB

Download
memory/3956-48-0x0000000002590000-0x00000000025C4000-memory.dmp

Filesize
208KB

Download
memory/3956-46-0x0000000002590000-0x00000000025C4000-memory.dmp

Filesize
208KB

Download
memory/3956-44-0x0000000002590000-0x00000000025C4000-memory.dmp

Filesize
208KB

Download
memory/3956-42-0x0000000002590000-0x00000000025C4000-memory.dmp

Filesize
208KB

Download
memory/3956-40-0x0000000002590000-0x00000000025C4000-memory.dmp

Filesize
208KB

Download
memory/3956-38-0x0000000002590000-0x00000000025C4000-memory.dmp

Filesize
208KB

Download
memory/3956-36-0x0000000002590000-0x00000000025C4000-memory.dmp

Filesize
208KB

Download
memory/3956-34-0x0000000002590000-0x00000000025C4000-memory.dmp

Filesize
208KB

Download
memory/3956-32-0x0000000002590000-0x00000000025C4000-memory.dmp

Filesize
208KB

Download
memory/3956-30-0x0000000002590000-0x00000000025C4000-memory.dmp

Filesize
208KB

Download
memory/3956-28-0x0000000002590000-0x00000000025C4000-memory.dmp

Filesize
208KB

Download
memory/3956-27-0x0000000002590000-0x00000000025C4000-memory.dmp

Filesize
208KB

Download
memory/3956-149-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/3956-19-0x00000000747C2000-0x00000000747C3000-memory.dmp

Filesize
4KB

Download
memory/3956-175-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/3956-174-0x00000000747C2000-0x00000000747C3000-memory.dmp

Filesize
4KB

Download
memory/4156-161-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads