darkcomet | e4cf8e9573badd4fd4da52424dc3e8cdeb7c843bb19a6c5cb82301e8fb47468c

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
25/02/2025, 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
Size

306KB
MD5

22bca2960fd9a379c328beceee3f5493
SHA1

e2e6bcd165e3969db4fa1bacdba2316799578cfa
SHA256

e4cf8e9573badd4fd4da52424dc3e8cdeb7c843bb19a6c5cb82301e8fb47468c
SHA512

b6919232f05778fc872e8fd9a94f2e05329d3dfd2349a089f7807090dcd15755fd8af1bc82fb401d0ee99f5320272b67e8ad581eaac11f4bbaadc89140d901a9
SSDEEP

6144:I/9XQh+fOZTb4rVfYn33rVRRF5GPXpkHg0Sme9k4GgzsdHXTvLRUQSOObAIAWgcV:qawXlw7CHUNmBO/122BhFwp

Score

10^/10

darkcomet guest16 discovery persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

lapisha.no-ip.biz:33333

Mutex

DC_MUTEX-1LJGJ4F

Attributes

gencode
qZGUY/TE8Gdi
install
false
offline_keylogger
false
password
rob56
persistence
false

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Key created	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	audiodgi.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	audiodgi.exe

Executes dropped EXE 3 IoCs

pid	Process
5092	audiodgi.exe
2516	wmpmetwk.exe
212	wmpmetwk.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 940 set thread context of 2136	940	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe	90
PID 2516 set thread context of 212	2516	wmpmetwk.exe	94

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2136-7-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/2136-8-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/2136-11-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/2136-10-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/2136-14-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/2136-13-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/2136-9-0x0000000000400000-0x00000000004B8000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpmetwk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpmetwk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
940	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
5092	audiodgi.exe
940	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
5092	audiodgi.exe
2516	wmpmetwk.exe
940	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
2516	wmpmetwk.exe
5092	audiodgi.exe
940	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
2516	wmpmetwk.exe
2516	wmpmetwk.exe
940	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
940	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
5092	audiodgi.exe
5092	audiodgi.exe
2516	wmpmetwk.exe
2516	wmpmetwk.exe
940	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
940	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
5092	audiodgi.exe
5092	audiodgi.exe
2516	wmpmetwk.exe
2516	wmpmetwk.exe
940	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
940	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
2516	wmpmetwk.exe
2516	wmpmetwk.exe
5092	audiodgi.exe
5092	audiodgi.exe
940	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
940	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
2516	wmpmetwk.exe
2516	wmpmetwk.exe
940	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
940	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
5092	audiodgi.exe
5092	audiodgi.exe
2516	wmpmetwk.exe
2516	wmpmetwk.exe
940	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
940	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
5092	audiodgi.exe
5092	audiodgi.exe
2516	wmpmetwk.exe
2516	wmpmetwk.exe
940	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
940	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
2516	wmpmetwk.exe
2516	wmpmetwk.exe
5092	audiodgi.exe
5092	audiodgi.exe
940	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
940	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
2516	wmpmetwk.exe
2516	wmpmetwk.exe
940	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
940	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
5092	audiodgi.exe
5092	audiodgi.exe
2516	wmpmetwk.exe
2516	wmpmetwk.exe
940	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
940	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
5092	audiodgi.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeDebugPrivilege	940	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
Token: SeIncreaseQuotaPrivilege	2136	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
Token: SeSecurityPrivilege	2136	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
Token: SeTakeOwnershipPrivilege	2136	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
Token: SeLoadDriverPrivilege	2136	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
Token: SeSystemProfilePrivilege	2136	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
Token: SeSystemtimePrivilege	2136	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
Token: SeProfSingleProcessPrivilege	2136	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
Token: SeIncBasePriorityPrivilege	2136	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
Token: SeCreatePagefilePrivilege	2136	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
Token: SeBackupPrivilege	2136	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
Token: SeRestorePrivilege	2136	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
Token: SeShutdownPrivilege	2136	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
Token: SeDebugPrivilege	2136	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
Token: SeSystemEnvironmentPrivilege	2136	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
Token: SeChangeNotifyPrivilege	2136	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
Token: SeRemoteShutdownPrivilege	2136	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
Token: SeUndockPrivilege	2136	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
Token: SeManageVolumePrivilege	2136	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
Token: SeImpersonatePrivilege	2136	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
Token: SeCreateGlobalPrivilege	2136	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
Token: 33	2136	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
Token: 34	2136	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
Token: 35	2136	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
Token: 36	2136	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
Token: SeDebugPrivilege	5092	audiodgi.exe
Token: SeDebugPrivilege	2516	wmpmetwk.exe
Token: SeIncreaseQuotaPrivilege	212	wmpmetwk.exe
Token: SeSecurityPrivilege	212	wmpmetwk.exe
Token: SeTakeOwnershipPrivilege	212	wmpmetwk.exe
Token: SeLoadDriverPrivilege	212	wmpmetwk.exe
Token: SeSystemProfilePrivilege	212	wmpmetwk.exe
Token: SeSystemtimePrivilege	212	wmpmetwk.exe
Token: SeProfSingleProcessPrivilege	212	wmpmetwk.exe
Token: SeIncBasePriorityPrivilege	212	wmpmetwk.exe
Token: SeCreatePagefilePrivilege	212	wmpmetwk.exe
Token: SeBackupPrivilege	212	wmpmetwk.exe
Token: SeRestorePrivilege	212	wmpmetwk.exe
Token: SeShutdownPrivilege	212	wmpmetwk.exe
Token: SeDebugPrivilege	212	wmpmetwk.exe
Token: SeSystemEnvironmentPrivilege	212	wmpmetwk.exe
Token: SeChangeNotifyPrivilege	212	wmpmetwk.exe
Token: SeRemoteShutdownPrivilege	212	wmpmetwk.exe
Token: SeUndockPrivilege	212	wmpmetwk.exe
Token: SeManageVolumePrivilege	212	wmpmetwk.exe
Token: SeImpersonatePrivilege	212	wmpmetwk.exe
Token: SeCreateGlobalPrivilege	212	wmpmetwk.exe
Token: 33	212	wmpmetwk.exe
Token: 34	212	wmpmetwk.exe
Token: 35	212	wmpmetwk.exe
Token: 36	212	wmpmetwk.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 940 wrote to memory of 2136	940	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe	90
PID 940 wrote to memory of 2136	940	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe	90
PID 940 wrote to memory of 2136	940	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe	90
PID 940 wrote to memory of 2136	940	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe	90
PID 940 wrote to memory of 2136	940	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe	90
PID 940 wrote to memory of 2136	940	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe	90
PID 940 wrote to memory of 2136	940	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe	90
PID 940 wrote to memory of 2136	940	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe	90
PID 940 wrote to memory of 5092	940	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe	91
PID 940 wrote to memory of 5092	940	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe	91
PID 940 wrote to memory of 5092	940	JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe	91
PID 5092 wrote to memory of 2516	5092	audiodgi.exe	93
PID 5092 wrote to memory of 2516	5092	audiodgi.exe	93
PID 5092 wrote to memory of 2516	5092	audiodgi.exe	93
PID 2516 wrote to memory of 212	2516	wmpmetwk.exe	94
PID 2516 wrote to memory of 212	2516	wmpmetwk.exe	94
PID 2516 wrote to memory of 212	2516	wmpmetwk.exe	94
PID 2516 wrote to memory of 212	2516	wmpmetwk.exe	94
PID 2516 wrote to memory of 212	2516	wmpmetwk.exe	94
PID 2516 wrote to memory of 212	2516	wmpmetwk.exe	94
PID 2516 wrote to memory of 212	2516	wmpmetwk.exe	94
PID 2516 wrote to memory of 212	2516	wmpmetwk.exe	94

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:940
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_22bca2960fd9a379c328beceee3f5493.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2136
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  "C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe"
  2⤵
  - Adds policy Run key to start application
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5092
- - C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
    "C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
      C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe

Filesize
7KB

MD5
d9f8d8a30db8fb5daebe3d30f7fb8409

SHA1
11920679d52db7c304a9d7687ab5ee41c3cae8d4

SHA256
2ac171ff0ad23ad0b2e2766383e3569e7b5f6ced05abfcdff344986f1ad6df4f

SHA512
c4e0ac2a4a37199ed4d61e3ce0e2dd7d91542f2c3b490d0c8fe4ae1c9cda174348b463aa63bd704a47938853ebb429dfcca07fb3cffc430449dcb5474e96be81

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe

Filesize
306KB

MD5
22bca2960fd9a379c328beceee3f5493

SHA1
e2e6bcd165e3969db4fa1bacdba2316799578cfa

SHA256
e4cf8e9573badd4fd4da52424dc3e8cdeb7c843bb19a6c5cb82301e8fb47468c

SHA512
b6919232f05778fc872e8fd9a94f2e05329d3dfd2349a089f7807090dcd15755fd8af1bc82fb401d0ee99f5320272b67e8ad581eaac11f4bbaadc89140d901a9

Download Submit
memory/940-1-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/940-2-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/940-39-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/940-38-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/940-37-0x0000000074B12000-0x0000000074B13000-memory.dmp

Filesize
4KB

Download
memory/940-0-0x0000000074B12000-0x0000000074B13000-memory.dmp

Filesize
4KB

Download
memory/2136-10-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2136-8-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2136-14-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2136-7-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2136-13-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2136-11-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2136-9-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2136-12-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/2516-30-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/2516-43-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/5092-27-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/5092-26-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/5092-25-0x0000000074B12000-0x0000000074B13000-memory.dmp

Filesize
4KB

Download
memory/5092-41-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/5092-40-0x0000000074B12000-0x0000000074B13000-memory.dmp

Filesize
4KB

Download
memory/5092-42-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download