darkcomet | bffdb13b50fb76a4e85e4e027e166271dbe2cc9ccaf19fbff4ba8cfeeb6ea297

Analysis

max time kernel
64s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
01/03/2025, 07:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_37969e3e1072e63d7b7cb3a4589da868.exe
Size

1.0MB
MD5

37969e3e1072e63d7b7cb3a4589da868
SHA1

7322c4e785f823a88bac1a1905b6a9552a813ff6
SHA256

bffdb13b50fb76a4e85e4e027e166271dbe2cc9ccaf19fbff4ba8cfeeb6ea297
SHA512

9b20b52d83a740cea6f7757c71d8b6a218f4b179c44d32487fd7127d2e3701bcc67d211840c214e5986f609e18ba33d01a271f8f163a45e2108935d1d475046d
SSDEEP

12288:YPUrHQD3AQlabjnJnIP5BfjdXmwmwGsqp/UAQQf9y0yaln2qnqGG41I9SOHlhCUC:YsTjTNebdhmMov1Cc0zdQL98hpyX

Score

10^/10

darkcomet guest16 defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

drkcmt.no-ip.org:1604

Mutex

DC_MUTEX-XRH4NSY

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
WY7jPoPv6hlA
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

rc4.plain

Extracted

Family

darkcomet

Attributes

gencode
install
false
offline_keylogger
false
persistence
false

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe"	vbc.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2208	attrib.exe
2640	attrib.exe

Executes dropped EXE 1 IoCs

pid	Process
3028	msdcsc.exe

Loads dropped DLL 1 IoCs

pid	Process
1492	vbc.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe"	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1680 set thread context of 1492	1680	JaffaCakes118_37969e3e1072e63d7b7cb3a4589da868.exe	33

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	attrib.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_37969e3e1072e63d7b7cb3a4589da868.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1492	vbc.exe
Token: SeSecurityPrivilege	1492	vbc.exe
Token: SeTakeOwnershipPrivilege	1492	vbc.exe
Token: SeLoadDriverPrivilege	1492	vbc.exe
Token: SeSystemProfilePrivilege	1492	vbc.exe
Token: SeSystemtimePrivilege	1492	vbc.exe
Token: SeProfSingleProcessPrivilege	1492	vbc.exe
Token: SeIncBasePriorityPrivilege	1492	vbc.exe
Token: SeCreatePagefilePrivilege	1492	vbc.exe
Token: SeBackupPrivilege	1492	vbc.exe
Token: SeRestorePrivilege	1492	vbc.exe
Token: SeShutdownPrivilege	1492	vbc.exe
Token: SeDebugPrivilege	1492	vbc.exe
Token: SeSystemEnvironmentPrivilege	1492	vbc.exe
Token: SeChangeNotifyPrivilege	1492	vbc.exe
Token: SeRemoteShutdownPrivilege	1492	vbc.exe
Token: SeUndockPrivilege	1492	vbc.exe
Token: SeManageVolumePrivilege	1492	vbc.exe
Token: SeImpersonatePrivilege	1492	vbc.exe
Token: SeCreateGlobalPrivilege	1492	vbc.exe
Token: 33	1492	vbc.exe
Token: 34	1492	vbc.exe
Token: 35	1492	vbc.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 2932	1680	JaffaCakes118_37969e3e1072e63d7b7cb3a4589da868.exe	30
PID 1680 wrote to memory of 2932	1680	JaffaCakes118_37969e3e1072e63d7b7cb3a4589da868.exe	30
PID 1680 wrote to memory of 2932	1680	JaffaCakes118_37969e3e1072e63d7b7cb3a4589da868.exe	30
PID 1680 wrote to memory of 2932	1680	JaffaCakes118_37969e3e1072e63d7b7cb3a4589da868.exe	30
PID 2932 wrote to memory of 2876	2932	csc.exe	32
PID 2932 wrote to memory of 2876	2932	csc.exe	32
PID 2932 wrote to memory of 2876	2932	csc.exe	32
PID 2932 wrote to memory of 2876	2932	csc.exe	32
PID 1680 wrote to memory of 1492	1680	JaffaCakes118_37969e3e1072e63d7b7cb3a4589da868.exe	33
PID 1680 wrote to memory of 1492	1680	JaffaCakes118_37969e3e1072e63d7b7cb3a4589da868.exe	33
PID 1680 wrote to memory of 1492	1680	JaffaCakes118_37969e3e1072e63d7b7cb3a4589da868.exe	33
PID 1680 wrote to memory of 1492	1680	JaffaCakes118_37969e3e1072e63d7b7cb3a4589da868.exe	33
PID 1680 wrote to memory of 1492	1680	JaffaCakes118_37969e3e1072e63d7b7cb3a4589da868.exe	33
PID 1680 wrote to memory of 1492	1680	JaffaCakes118_37969e3e1072e63d7b7cb3a4589da868.exe	33
PID 1680 wrote to memory of 1492	1680	JaffaCakes118_37969e3e1072e63d7b7cb3a4589da868.exe	33
PID 1680 wrote to memory of 1492	1680	JaffaCakes118_37969e3e1072e63d7b7cb3a4589da868.exe	33
PID 1680 wrote to memory of 1492	1680	JaffaCakes118_37969e3e1072e63d7b7cb3a4589da868.exe	33
PID 1680 wrote to memory of 1492	1680	JaffaCakes118_37969e3e1072e63d7b7cb3a4589da868.exe	33
PID 1680 wrote to memory of 1492	1680	JaffaCakes118_37969e3e1072e63d7b7cb3a4589da868.exe	33
PID 1680 wrote to memory of 1492	1680	JaffaCakes118_37969e3e1072e63d7b7cb3a4589da868.exe	33
PID 1680 wrote to memory of 1492	1680	JaffaCakes118_37969e3e1072e63d7b7cb3a4589da868.exe	33
PID 1492 wrote to memory of 2836	1492	vbc.exe	34
PID 1492 wrote to memory of 2836	1492	vbc.exe	34
PID 1492 wrote to memory of 2836	1492	vbc.exe	34
PID 1492 wrote to memory of 2836	1492	vbc.exe	34
PID 1492 wrote to memory of 2704	1492	vbc.exe	35
PID 1492 wrote to memory of 2704	1492	vbc.exe	35
PID 1492 wrote to memory of 2704	1492	vbc.exe	35
PID 1492 wrote to memory of 2704	1492	vbc.exe	35
PID 2704 wrote to memory of 2208	2704	cmd.exe	38
PID 2704 wrote to memory of 2208	2704	cmd.exe	38
PID 2704 wrote to memory of 2208	2704	cmd.exe	38
PID 2704 wrote to memory of 2208	2704	cmd.exe	38
PID 2836 wrote to memory of 2640	2836	cmd.exe	39
PID 2836 wrote to memory of 2640	2836	cmd.exe	39
PID 2836 wrote to memory of 2640	2836	cmd.exe	39
PID 2836 wrote to memory of 2640	2836	cmd.exe	39
PID 1492 wrote to memory of 3028	1492	vbc.exe	40
PID 1492 wrote to memory of 3028	1492	vbc.exe	40
PID 1492 wrote to memory of 3028	1492	vbc.exe	40
PID 1492 wrote to memory of 3028	1492	vbc.exe	40

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2208	attrib.exe
2640	attrib.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37969e3e1072e63d7b7cb3a4589da868.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37969e3e1072e63d7b7cb3a4589da868.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uthv5ulj\uthv5ulj.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES67D7.tmp" "c:\Users\Admin\AppData\Local\Temp\uthv5ulj\CSC611A5B993A8748969C5B7492A1C03C21.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2876
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
      4⤵
      Sets file to hidden
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2640
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
      4⤵
      Sets file to hidden
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2208
- - C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
    "C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES67D7.tmp

Filesize
1KB

MD5
55ac2fa1c8ec9bd874b7637526af95bd

SHA1
0be19a8e6cacbdd24bd3418553ca00d1ed5524ac

SHA256
59f1287bcdd3c0670fdd60166301c640d6510c0ae3f6dd7527bd50fdc762244d

SHA512
ce62b2cf0a26a227ac626bdd3d046a3a65f60fbeb6b7a4d0374202e1f290d23de8ad8b43a09cbd28994a0f52c853d2ac32180c176b6a84180950abc8f556405c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uthv5ulj\uthv5ulj.dll

Filesize
5KB

MD5
9c9f86d31abc94dc2a450c2f957caba1

SHA1
aafa44781d8ed3ab7b975ea6f5ecd81d4a40f813

SHA256
b169ca4c43ad0fb39e8298e4d6b0dc601dd9acca1096389fba11d94ba795d7e9

SHA512
f7847b9e07d12d11999b990f7e6b89e3e3117ba4d1e2d30c040f34c6ca20ec51717d767c4d84f823de025dbcc80fcb2c8276702a9c42868fe420bd66a71949c2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uthv5ulj\CSC611A5B993A8748969C5B7492A1C03C21.TMP

Filesize
652B

MD5
67674598d46ac43798275c4db02cf508

SHA1
051f140f2fba34cdb9c6e9b0bb418a566e5259a1

SHA256
ea6b4c99394a5f52773ff75744f75901dfa53a08e3d12fbfb453f44403ab4b04

SHA512
bfcbe48dec5d5208a15cfe427a5e93c4c0ee71288f1aa9a095b9768933304e06d5719c5373307696964610ef77d814eefc0263c92c7160380fc4df1ceb6d6197

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uthv5ulj\uthv5ulj.0.cs

Filesize
4KB

MD5
f60a1218bfdab4f9b0176d4e1a15ec68

SHA1
2222a76846b6caf120589f7120a5a41f8811761d

SHA256
fa9031f18b423c4d078667222b009f1d285149b93d60029feab549fc6d46a927

SHA512
c082a09f8e8b20776d5d1397b6a781c293df15a421c1f93e069df8df8fe59580100c7347deef3185c8104ecce2eae6fabfc44994805d21a23123a6a9cd763bc6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uthv5ulj\uthv5ulj.cmdline

Filesize
224B

MD5
a3d3552b879688f2de8596c2c146afd4

SHA1
3ce4d602ea4f163b97c572c5f9a830494b78b35e

SHA256
ae002cee780c9d95b723c51ccd92565a9ffe6906de98a0254c4e1c17176096d8

SHA512
cbeff8adc53b6456dfa0123b0d002a62510c4a3484334c582127bbaa978c850670815c64b08e91eb815c20f2df43453201a4336eb086cc81f155fe811b34ac98

Download Submit
memory/1492-29-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1492-23-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1492-50-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1492-35-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1492-36-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1492-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1492-39-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1492-27-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1492-25-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1492-40-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1492-21-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1492-19-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1492-17-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1492-31-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1492-37-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1680-38-0x0000000073F60000-0x000000007464E000-memory.dmp

Filesize
6.9MB

Download
memory/1680-4-0x0000000073F60000-0x000000007464E000-memory.dmp

Filesize
6.9MB

Download
memory/1680-0-0x0000000073F6E000-0x0000000073F6F000-memory.dmp

Filesize
4KB

Download
memory/1680-1-0x00000000003F0000-0x0000000000502000-memory.dmp

Filesize
1.1MB

Download
memory/1680-15-0x00000000003D0000-0x00000000003D8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads