Malware Analysis Report

2025-04-13 22:43

Sample ID 250301-jbt6hst1hy
Target JaffaCakes118_37969e3e1072e63d7b7cb3a4589da868
SHA256 bffdb13b50fb76a4e85e4e027e166271dbe2cc9ccaf19fbff4ba8cfeeb6ea297
Tags
darkcomet guest16 defense_evasion discovery persistence rat trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

bffdb13b50fb76a4e85e4e027e166271dbe2cc9ccaf19fbff4ba8cfeeb6ea297

Threat Level: Known bad

The file JaffaCakes118_37969e3e1072e63d7b7cb3a4589da868 was found to be: Known bad.

Malicious Activity Summary

darkcomet guest16 defense_evasion discovery persistence rat trojan

Darkcomet family

Darkcomet

Modifies WinLogon for persistence

Sets file to hidden

Executes dropped EXE

Loads dropped DLL

Uses the VBS compiler for execution

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Views/modifies file attributes

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-01 07:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-01 07:30

Reported

2025-03-01 07:32

Platform

win7-20241010-en

Max time kernel

64s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37969e3e1072e63d7b7cb3a4589da868.exe"

Signatures

Darkcomet

trojan rat darkcomet

Darkcomet family

darkcomet

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Sets file to hidden

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
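The two persistence rows above (the Winlogon UserInit append and the HKCU Run value) are the first things a responder checks on a suspect host. The Python below is an added example and is not part of the sandbox report or its tooling. It parses rows in the report's own "Set value (str)" layout (the two sample rows are copied from the signature tables above and are the only input), unescapes the quoted data, splits UserInit on commas and treats every entry other than the stock userinit.exe as an implant, then reports any Run or RunOnce value. The row regex, the `DEFAULT_USERINIT` spellings and the rule names are assumptions made for the example, not a published schema.

```python
import re
from dataclasses import dataclass

# One "Set value (str)" row in the layout used by the signature tables above:
#   Set value (str) <key>\<value name> = "<data>" <process> <target>
# The key may contain spaces ("Windows NT"), so it is matched lazily up to the
# ' = "' separator; the data is quoted with JSON-style backslash escaping.
# This regex is an assumption about the report layout, not a published schema.
ROW_RE = re.compile(
    r'^Set value \(str\) (?P<keypath>\\REGISTRY\\.+?) = "(?P<data>(?:[^"\\]|\\.)*)" (?P<rest>.+)$'
)

# Spellings of the stock UserInit entry that are not findings (assumed set).
DEFAULT_USERINIT = {
    r"c:\windows\system32\userinit.exe",
    r"%systemroot%\system32\userinit.exe",
}

RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?$", re.I)

# Rows copied from the behavioral1 signature tables above (constructed input).
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A',
]


@dataclass
class RegistryWrite:
    key: str        # registry key, without the value name
    name: str       # value name
    data: str       # unescaped string data
    process: str    # writing process as reported


def parse_set_value_row(row: str):
    """Parse one report row; return None for rows in another layout."""
    m = ROW_RE.match(row)
    if m is None:
        return None
    key, _, name = m.group("keypath").rpartition("\\")
    # Undo the JSON-style escaping: \\ -> \ and \" -> "
    data = re.sub(r"\\(.)", lambda esc: esc.group(1), m.group("data"))
    # Process path first, target ("N/A" in these rows) last; the process
    # path itself may contain spaces, so split on the last space only.
    process, _, _target = m.group("rest").rpartition(" ")
    return RegistryWrite(key=key, name=name, data=data, process=process)


def userinit_extras(data: str) -> list:
    """Every UserInit entry besides the stock userinit.exe.

    UserInit is a comma-separated list and Winlogon runs each entry at logon;
    a trailing comma (empty last entry) is normal on a clean system.
    """
    extras = []
    for entry in data.split(","):
        entry = entry.strip().strip('"')
        if entry and entry.lower() not in DEFAULT_USERINIT:
            extras.append(entry)
    return extras


def evaluate_rows(rows) -> list:
    """Return (rule, indicator, writing_process) tuples for persistence writes."""
    findings = []
    for row in rows:
        w = parse_set_value_row(row)
        if w is None:
            continue
        if w.name.lower() == "userinit" and w.key.lower().endswith("\\winlogon"):
            for extra in userinit_extras(w.data):
                findings.append(("winlogon_userinit", extra, w.process))
        elif RUN_KEY_RE.search(w.key):
            findings.append(("run_key:" + w.name, w.data, w.process))
    return findings


if __name__ == "__main__":
    for rule, indicator, process in evaluate_rows(SAMPLE_ROWS):
        print(f"{rule}: {indicator}  (written by {process})")
```

On a live host the same `userinit_extras` check applies to the REG_SZ read from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit; the comparison is case-insensitive because the value is written in mixed case here, and an empty trailing entry is ignored so that the stock "userinit.exe," does not produce a false positive.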

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1680 set thread context of 1492 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37969e3e1072e63d7b7cb3a4589da868.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727 C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\attrib.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37969e3e1072e63d7b7cb3a4589da868.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: (all of the privileges listed below; one row per privilege in the original) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Privileges adjusted: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1680 wrote to memory of 2932 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37969e3e1072e63d7b7cb3a4589da868.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2932 wrote to memory of 2876 (4 events) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1680 wrote to memory of 1492 (13 events) N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37969e3e1072e63d7b7cb3a4589da868.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1492 wrote to memory of 2836 (4 events) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 1492 wrote to memory of 2704 (4 events) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2208 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2836 wrote to memory of 2640 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1492 wrote to memory of 3028 (4 events) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
(Identical rows in the original are one WriteProcessMemory event each; the count in parentheses is the number of such rows.)

Views/modifies file attributes

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37969e3e1072e63d7b7cb3a4589da868.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37969e3e1072e63d7b7cb3a4589da868.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uthv5ulj\uthv5ulj.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES67D7.tmp" "c:\Users\Admin\AppData\Local\Temp\uthv5ulj\CSC611A5B993A8748969C5B7492A1C03C21.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h

C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe

"C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe"
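The process list above is the whole chain a detection engineer needs. The sample first compiles a helper with csc.exe, which is ordinary CodeDOM use (csc.exe receives /noconfig /fullpaths @file and spawns cvtres.exe). It then starts a second compiler, vbc.exe, with no arguments at all, writes to it thirteen times and calls SetThreadContext on it, the classic process-hollowing pattern; that vbc.exe is what writes the registry, hides its own binary and directory with attrib +s +h and launches the dropped msdcsc.exe. The Python below is an added example, not part of the sandbox report or its tooling. It encodes the chain as three rules over a process tree constructed from the PIDs in the WriteProcessMemory and SetThreadContext rows (the report prints no tree, so the parent links are inferred from writer-to-written pairs and the root's parent is set to None), and it shows that the genuine compile is not flagged while the hollowed host is.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]   # None for the root of the captured tree (assumption)
    image: str            # image path as reported
    cmdline: str          # command line as reported


# Image paths and command lines copied from the behavioral1 process list above.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37969e3e1072e63d7b7cb3a4589da868.exe"
CSC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
CVTRES = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
ATTRIB = r"C:\Windows\SysWOW64\attrib.exe"
MSDCSC = r"C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe"
NET_DIR = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"

# Constructed tree: PIDs and parent links are read off the WriteProcessMemory
# rows (writer -> written process); the report itself prints no tree.
PROCS = [
    Proc(1680, None, SAMPLE, f'"{SAMPLE}"'),
    Proc(2932, 1680, CSC, f'"{CSC}" /noconfig /fullpaths @"C:\\Users\\Admin\\AppData\\Local\\Temp\\uthv5ulj\\uthv5ulj.cmdline"'),
    Proc(2876, 2932, CVTRES, f'{CVTRES} /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\\Users\\Admin\\AppData\\Local\\Temp\\RES67D7.tmp" "c:\\Users\\Admin\\AppData\\Local\\Temp\\uthv5ulj\\CSC611A5B993A8748969C5B7492A1C03C21.TMP"'),
    Proc(1492, 1680, VBC, VBC),
    Proc(2836, 1492, CMD, f'"C:\\Windows\\System32\\cmd.exe" /k attrib "{VBC}" +s +h'),
    Proc(2704, 1492, CMD, f'"C:\\Windows\\System32\\cmd.exe" /k attrib "{NET_DIR}" +s +h'),
    Proc(2208, 2704, ATTRIB, f'attrib "{NET_DIR}" +s +h'),
    Proc(2640, 2836, ATTRIB, f'attrib "{VBC}" +s +h'),
    Proc(3028, 1492, MSDCSC, f'"{MSDCSC}"'),
]
# (writer pid, target pid) pairs from the "Suspicious use of SetThreadContext" row.
SET_THREAD_CONTEXT = [(1680, 1492)]

COMPILERS = {"vbc.exe", "csc.exe"}
ATTRIB_RE = re.compile(r'attrib\s+"?(?P<path>[^"]+?)"?\s+(?P<flags>(?:[+-][rashi]\s*)+)$', re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def chain(by_pid: dict, pid: int) -> str:
    """Ancestry as 'root.exe > ... > leaf.exe' for a finding."""
    names = []
    cur = by_pid.get(pid)
    while cur is not None:
        names.append(basename(cur.image))
        cur = by_pid.get(cur.ppid) if cur.ppid is not None else None
    return " > ".join(reversed(names))


def detect(procs, thread_context) -> list:
    """Return (rule, pid, detail) tuples for the three patterns this sample shows."""
    by_pid = {p.pid: p for p in procs}
    ctx = set(thread_context)
    findings = []
    for p in procs:
        parent = by_pid.get(p.ppid) if p.ppid is not None else None
        name = basename(p.image)
        # Rule 1: a .NET compiler launched with a bare path (real compiles always
        # carry arguments) and/or with its thread context rewritten by the parent.
        # The csc.exe run with /noconfig /fullpaths @...cmdline is a real compile
        # and is deliberately not matched.
        if name in COMPILERS and parent is not None:
            argless = p.cmdline.strip().strip('"').lower() == p.image.lower()
            if argless or (p.ppid, p.pid) in ctx:
                findings.append(("hollowed_compiler_host", p.pid, chain(by_pid, p.pid)))
        # Rule 2: a compiler's only legitimate child is cvtres.exe.
        if parent is not None and basename(parent.image) in COMPILERS and name != "cvtres.exe":
            findings.append(("compiler_spawned_child", p.pid, chain(by_pid, p.pid)))
        # Rule 3: attrib.exe setting +h and/or +s on a path under \Windows\.
        if name == "attrib.exe":
            m = ATTRIB_RE.search(p.cmdline)
            if m and "\\windows\\" in m.group("path").lower() and re.search(r"\+[hs]", m.group("flags")):
                findings.append(("hidden_system_path", p.pid, f"{m.group('path')} via {chain(by_pid, p.pid)}"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(PROCS, SET_THREAD_CONTEXT):
        print(f"{rule:24} pid={pid:<5} {detail}")
```

Rule 1 fires on the bare-path launch alone, so the detection does not depend on having SetThreadContext telemetry; with an EDR feed that does record it, the (parent, child) pair is a second, independent trigger. Rule 2 is the cheap catch-all: a compiler that spawns cmd.exe or anything under ProgramData is wrong regardless of how it was started.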

Network

N/A

Files

memory/1680-0-0x0000000073F6E000-0x0000000073F6F000-memory.dmp

memory/1680-1-0x00000000003F0000-0x0000000000502000-memory.dmp

memory/1680-4-0x0000000073F60000-0x000000007464E000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\uthv5ulj\uthv5ulj.cmdline

MD5 a3d3552b879688f2de8596c2c146afd4
SHA1 3ce4d602ea4f163b97c572c5f9a830494b78b35e
SHA256 ae002cee780c9d95b723c51ccd92565a9ffe6906de98a0254c4e1c17176096d8
SHA512 cbeff8adc53b6456dfa0123b0d002a62510c4a3484334c582127bbaa978c850670815c64b08e91eb815c20f2df43453201a4336eb086cc81f155fe811b34ac98

\??\c:\Users\Admin\AppData\Local\Temp\uthv5ulj\uthv5ulj.0.cs

MD5 f60a1218bfdab4f9b0176d4e1a15ec68
SHA1 2222a76846b6caf120589f7120a5a41f8811761d
SHA256 fa9031f18b423c4d078667222b009f1d285149b93d60029feab549fc6d46a927
SHA512 c082a09f8e8b20776d5d1397b6a781c293df15a421c1f93e069df8df8fe59580100c7347deef3185c8104ecce2eae6fabfc44994805d21a23123a6a9cd763bc6

\??\c:\Users\Admin\AppData\Local\Temp\uthv5ulj\CSC611A5B993A8748969C5B7492A1C03C21.TMP

MD5 67674598d46ac43798275c4db02cf508
SHA1 051f140f2fba34cdb9c6e9b0bb418a566e5259a1
SHA256 ea6b4c99394a5f52773ff75744f75901dfa53a08e3d12fbfb453f44403ab4b04
SHA512 bfcbe48dec5d5208a15cfe427a5e93c4c0ee71288f1aa9a095b9768933304e06d5719c5373307696964610ef77d814eefc0263c92c7160380fc4df1ceb6d6197

C:\Users\Admin\AppData\Local\Temp\RES67D7.tmp

MD5 55ac2fa1c8ec9bd874b7637526af95bd
SHA1 0be19a8e6cacbdd24bd3418553ca00d1ed5524ac
SHA256 59f1287bcdd3c0670fdd60166301c640d6510c0ae3f6dd7527bd50fdc762244d
SHA512 ce62b2cf0a26a227ac626bdd3d046a3a65f60fbeb6b7a4d0374202e1f290d23de8ad8b43a09cbd28994a0f52c853d2ac32180c176b6a84180950abc8f556405c

C:\Users\Admin\AppData\Local\Temp\uthv5ulj\uthv5ulj.dll

MD5 9c9f86d31abc94dc2a450c2f957caba1
SHA1 aafa44781d8ed3ab7b975ea6f5ecd81d4a40f813
SHA256 b169ca4c43ad0fb39e8298e4d6b0dc601dd9acca1096389fba11d94ba795d7e9
SHA512 f7847b9e07d12d11999b990f7e6b89e3e3117ba4d1e2d30c040f34c6ca20ec51717d767c4d84f823de025dbcc80fcb2c8276702a9c42868fe420bd66a71949c2

memory/1680-15-0x00000000003D0000-0x00000000003D8000-memory.dmp

memory/1492-35-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1492-36-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1492-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1492-29-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1492-27-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1492-25-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1492-23-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1492-21-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1492-19-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1492-17-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1492-31-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1492-37-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1680-38-0x0000000073F60000-0x000000007464E000-memory.dmp

memory/1492-40-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1492-39-0x0000000000400000-0x00000000004B2000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe

MD5 34aa912defa18c2c129f1e09d75c1d7e
SHA1 9c3046324657505a30ecd9b1fdb46c05bde7d470
SHA256 6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386
SHA512 d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

memory/1492-50-0x0000000000400000-0x00000000004B2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-01 07:30

Reported

2025-03-01 07:32

Platform

win10v2004-20250217-en

Max time kernel

120s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37969e3e1072e63d7b7cb3a4589da868.exe"

Signatures

Darkcomet

trojan rat darkcomet

Darkcomet family

darkcomet

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Sets file to hidden

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1452 set thread context of 4552 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37969e3e1072e63d7b7cb3a4589da868.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727 C:\Windows\SysWOW64\attrib.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37969e3e1072e63d7b7cb3a4589da868.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: (all of the privileges listed below; one row per privilege in the original) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Privileges adjusted: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1452 wrote to memory of 1904 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37969e3e1072e63d7b7cb3a4589da868.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 1904 wrote to memory of 2416 (3 events) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1452 wrote to memory of 4552 (14 events) N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37969e3e1072e63d7b7cb3a4589da868.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4552 wrote to memory of 1944 (3 events) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 4552 wrote to memory of 4608 (3 events) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 4608 wrote to memory of 4016 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1944 wrote to memory of 4180 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4552 wrote to memory of 2696 (3 events) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
(Identical rows in the original are one WriteProcessMemory event each; the count in parentheses is the number of such rows.)

Views/modifies file attributes

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37969e3e1072e63d7b7cb3a4589da868.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37969e3e1072e63d7b7cb3a4589da868.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\04fdikmx\04fdikmx.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6EB8.tmp" "c:\Users\Admin\AppData\Local\Temp\04fdikmx\CSC815E8200991A41CEA99D9F1AB8EFF7EE.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h

C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe

"C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp (6 connections)

No C2 traffic was captured during the 140 s network window; the only connections recorded are the DNS lookup and TLS sessions to g.bing.com, which is consistent with Windows 10 background traffic rather than RAT beaconing. The absence of a C2 address in this report therefore says nothing about the sample's configured server.

Files

memory/1452-0-0x000000007473E000-0x000000007473F000-memory.dmp

memory/1452-1-0x0000000000260000-0x0000000000372000-memory.dmp

memory/1452-2-0x0000000004D30000-0x0000000004DCC000-memory.dmp

memory/1452-6-0x0000000074730000-0x0000000074EE0000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\04fdikmx\04fdikmx.cmdline

MD5 970797d6fe506b798585f556d5f8b974
SHA1 ff17371ae2915ed118a4f881c02317625c7af08c
SHA256 71fc03136bb2d0142863b0d53b1065d2c460e0f384f7b628124202857c24dfc5
SHA512 360576ae861a9d337c065e1ae22ae86df79e166a84709b73a89058d332d7faa022c2e2f0f300064b50976c43bfc182532411284d98426c300577a4efcf749d70

\??\c:\Users\Admin\AppData\Local\Temp\04fdikmx\04fdikmx.0.cs

MD5 f60a1218bfdab4f9b0176d4e1a15ec68
SHA1 2222a76846b6caf120589f7120a5a41f8811761d
SHA256 fa9031f18b423c4d078667222b009f1d285149b93d60029feab549fc6d46a927
SHA512 c082a09f8e8b20776d5d1397b6a781c293df15a421c1f93e069df8df8fe59580100c7347deef3185c8104ecce2eae6fabfc44994805d21a23123a6a9cd763bc6

\??\c:\Users\Admin\AppData\Local\Temp\04fdikmx\CSC815E8200991A41CEA99D9F1AB8EFF7EE.TMP

MD5 3c8a5dfaaf48e41086594de9f97e29c6
SHA1 a6814592b5a64d8752e0bd371bcb408b057f3ddb
SHA256 1a756e8274706986a39749ad42cb36a95d6ef91b1824d238d825da9ac2ff02f6
SHA512 a02f6ab135fcce155b90a156c4bcb1c37bb3b3495e9533b82463c1d62ac1234f3a5b75275fac3c3b7fbd2e25f57034e73d89da0786a66b825cce9ecabb887fa7

C:\Users\Admin\AppData\Local\Temp\RES6EB8.tmp

MD5 23dca0039787962e6b56c3f4faa7c6a6
SHA1 f3c66040f28ce16456427ee9749def89f6bd91c1
SHA256 0d89705db1207728b06cbc48d7daeb54bdba3db3484a49a7d0c27b7f1c0afdd4
SHA512 384f5609659baeb5daf7c917c34099ed7b752b59390ecc52dc304b738ca3a62d5719e8b984be1b6c3474edf0f98f87cf14c20697d25fa009a82ae457ca697b23

C:\Users\Admin\AppData\Local\Temp\04fdikmx\04fdikmx.dll

MD5 a596f6e581c6dcde21fd4877bfc2487a
SHA1 499b359cc2c91e718ed0cab8b336a21c81699a74
SHA256 d254c1812dd93abaf928b59f3e462183f8640c9bb628b9f093b50c8c39f33594
SHA512 5d2112262d3ab7e52e138d8eda2ffb4336cbb45faef67ff81096402708668d0e7f5324df4d47d5abe84caf77146dbf260cabb69e3547e42d2143a0aab9331ef8

memory/1452-16-0x0000000002630000-0x0000000002638000-memory.dmp

memory/4552-18-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/4552-19-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1452-22-0x0000000074730000-0x0000000074EE0000-memory.dmp

memory/4552-21-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/4552-23-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/4552-24-0x0000000000400000-0x00000000004B2000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe

MD5 d881de17aa8f2e2c08cbb7b265f928f9
SHA1 08936aebc87decf0af6e8eada191062b5e65ac2a
SHA256 b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
SHA512 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

memory/4552-86-0x0000000000400000-0x00000000004B2000-memory.dmp