darkcomet | e2236606539122ba5145f8ae6e199aabfdd9db7105f911bb6a06b82d87c3167f

Analysis

max time kernel
149s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02/03/2025, 21:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_42d10d52100b5cf6b769b998de9aca34.exe
Size

1016KB
MD5

42d10d52100b5cf6b769b998de9aca34
SHA1

253c9b1910b0a033de2530c45bb5bce41697d052
SHA256

e2236606539122ba5145f8ae6e199aabfdd9db7105f911bb6a06b82d87c3167f
SHA512

50f417efdd72584f4295ef639934bb042bc76038dbf168ca3b0b3c0678e6ec866ec0d0bf38ad1835b347d81b58b4710a2e2763a7863738b6f62405744f2d2f7e
SSDEEP

12288:jbFpfgjxFRpQqrfd0MzmUOLhnK2higmjQlQHeQ1ag4fobTJm6LbagtbEL+sT:FyjtxqLhnphigwQljAbR

Score

10^/10

darkcomet hf defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

127.0.0.1:83

Mutex

DC_MUTEX-CNAFSEW

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
hfG43Pabbqku
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	455.exe

Modifies firewall policy service 3 TTPs 3 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	msdcsc.exe

Disables RegEdit via registry modification 1 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	msdcsc.exe

Disables Task Manager via registry modification
defense_evasion

Executes dropped EXE 2 IoCs

pid	Process
804	455.exe
2876	msdcsc.exe

Loads dropped DLL 2 IoCs

pid	Process
804	455.exe
804	455.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	455.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	455.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
340	NETSTAT.EXE

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	340	NETSTAT.EXE
Token: SeIncreaseQuotaPrivilege	804	455.exe
Token: SeSecurityPrivilege	804	455.exe
Token: SeTakeOwnershipPrivilege	804	455.exe
Token: SeLoadDriverPrivilege	804	455.exe
Token: SeSystemProfilePrivilege	804	455.exe
Token: SeSystemtimePrivilege	804	455.exe
Token: SeProfSingleProcessPrivilege	804	455.exe
Token: SeIncBasePriorityPrivilege	804	455.exe
Token: SeCreatePagefilePrivilege	804	455.exe
Token: SeBackupPrivilege	804	455.exe
Token: SeRestorePrivilege	804	455.exe
Token: SeShutdownPrivilege	804	455.exe
Token: SeDebugPrivilege	804	455.exe
Token: SeSystemEnvironmentPrivilege	804	455.exe
Token: SeChangeNotifyPrivilege	804	455.exe
Token: SeRemoteShutdownPrivilege	804	455.exe
Token: SeUndockPrivilege	804	455.exe
Token: SeManageVolumePrivilege	804	455.exe
Token: SeImpersonatePrivilege	804	455.exe
Token: SeCreateGlobalPrivilege	804	455.exe
Token: 33	804	455.exe
Token: 34	804	455.exe
Token: 35	804	455.exe
Token: SeIncreaseQuotaPrivilege	2876	msdcsc.exe
Token: SeSecurityPrivilege	2876	msdcsc.exe
Token: SeTakeOwnershipPrivilege	2876	msdcsc.exe
Token: SeLoadDriverPrivilege	2876	msdcsc.exe
Token: SeSystemProfilePrivilege	2876	msdcsc.exe
Token: SeSystemtimePrivilege	2876	msdcsc.exe
Token: SeProfSingleProcessPrivilege	2876	msdcsc.exe
Token: SeIncBasePriorityPrivilege	2876	msdcsc.exe
Token: SeCreatePagefilePrivilege	2876	msdcsc.exe
Token: SeBackupPrivilege	2876	msdcsc.exe
Token: SeRestorePrivilege	2876	msdcsc.exe
Token: SeShutdownPrivilege	2876	msdcsc.exe
Token: SeDebugPrivilege	2876	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	2876	msdcsc.exe
Token: SeChangeNotifyPrivilege	2876	msdcsc.exe
Token: SeRemoteShutdownPrivilege	2876	msdcsc.exe
Token: SeUndockPrivilege	2876	msdcsc.exe
Token: SeManageVolumePrivilege	2876	msdcsc.exe
Token: SeImpersonatePrivilege	2876	msdcsc.exe
Token: SeCreateGlobalPrivilege	2876	msdcsc.exe
Token: 33	2876	msdcsc.exe
Token: 34	2876	msdcsc.exe
Token: 35	2876	msdcsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2876	msdcsc.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 804	2524	JaffaCakes118_42d10d52100b5cf6b769b998de9aca34.exe	30
PID 2524 wrote to memory of 804	2524	JaffaCakes118_42d10d52100b5cf6b769b998de9aca34.exe	30
PID 2524 wrote to memory of 804	2524	JaffaCakes118_42d10d52100b5cf6b769b998de9aca34.exe	30
PID 2524 wrote to memory of 804	2524	JaffaCakes118_42d10d52100b5cf6b769b998de9aca34.exe	30
PID 2524 wrote to memory of 2388	2524	JaffaCakes118_42d10d52100b5cf6b769b998de9aca34.exe	31
PID 2524 wrote to memory of 2388	2524	JaffaCakes118_42d10d52100b5cf6b769b998de9aca34.exe	31
PID 2524 wrote to memory of 2388	2524	JaffaCakes118_42d10d52100b5cf6b769b998de9aca34.exe	31
PID 2388 wrote to memory of 340	2388	cmd.exe	33
PID 2388 wrote to memory of 340	2388	cmd.exe	33
PID 2388 wrote to memory of 340	2388	cmd.exe	33
PID 804 wrote to memory of 2876	804	455.exe	34
PID 804 wrote to memory of 2876	804	455.exe	34
PID 804 wrote to memory of 2876	804	455.exe	34
PID 804 wrote to memory of 2876	804	455.exe	34

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42d10d52100b5cf6b769b998de9aca34.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42d10d52100b5cf6b769b998de9aca34.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Local\Temp\455.exe
  "C:\Users\Admin\AppData\Local\Temp\455.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:804
- - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    3⤵
    - Modifies firewall policy service
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2876
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Check IP.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\system32\NETSTAT.EXE
    netstat -n
    3⤵
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken
    PID:340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\455.exe

Filesize
658KB

MD5
9fab6879dccfa902967ca10ac3ed6d24

SHA1
c1cf898319a72d960dbd4daa03eb9d614c9e707e

SHA256
e67868ebde24deeb43ce1ccfdbcc4ee414f2e8ce6ad50877b120ca2840637af0

SHA512
05000b0c5da1eb6e2288a01fd8d5da0c1d488f58f7c6b4be10c8d5a8f7500fa87e4e30d45a6dfd7bd680315530528a8a84061466fd43da0afa955eb1d104137b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Check IP.bat

Filesize
73B

MD5
21d68ec389c6eedba5b6666680c740e9

SHA1
2882e02e9a933d8597d5d11feb66de5520193254

SHA256
c11ab867c8357c44f2d7beae7b4007bac31822ae7b79a94ec7d5afc69a313bbe

SHA512
3a1c34055dd2827796c5a10eed77030be787eaa1a6e762fd473c36432617eee3d27a0fd0459acf7184f270a7a5e66d00c7e198bf6b0f0ad231a44b312cc0804d

Download Submit
memory/804-18-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/804-32-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2524-0-0x000007FEF5EFE000-0x000007FEF5EFF000-memory.dmp

Filesize
4KB

Download
memory/2524-17-0x000007FEF5C40000-0x000007FEF65DD000-memory.dmp

Filesize
9.6MB

Download
memory/2876-33-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2876-34-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2876-38-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2876-42-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2876-44-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads