darkcomet | 284e32551c772a3e28c6d0ee0d660f73506f839de74dad456194a9e8c211c0dc

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
14/03/2025, 02:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_72d59f77aa8c7bbf843c8e0003141a83.exe
Size

728KB
MD5

72d59f77aa8c7bbf843c8e0003141a83
SHA1

c10fbfd523ce525c663b3cf76b5056cabaf705bf
SHA256

284e32551c772a3e28c6d0ee0d660f73506f839de74dad456194a9e8c211c0dc
SHA512

17d7aa721b232cc9c200b57f2506803397b1cd8452b4afa4fa7d40ffa0255b15f7af2206f0b4aae7a13cacd27f1897627bc90bc0c39b5d58aece32bd88c14f91
SSDEEP

12288:D+phd3a9X/NkaWgRBzQOz/AZf8au0/6DDyBtt9WhVRO+kysTvOEMvwrKO2/oOgw7:gd3ENIWhQp8avowttUhVRO+kyefKO2lb

Score

10^/10

darkcomet guest16 discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

eman.no-ip.info:1604

Mutex

DC_MUTEX-F54S21D

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
Z9EGiPSC1Xr4
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

rc4.plain

Extracted

Family

darkcomet

Attributes

gencode
install
false
offline_keylogger
false
persistence
false

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	1.exe

Executes dropped EXE 2 IoCs

pid	Process
2984	1.exe
2884	msdcsc.exe

Loads dropped DLL 7 IoCs

pid	Process
2220	JaffaCakes118_72d59f77aa8c7bbf843c8e0003141a83.exe
2220	JaffaCakes118_72d59f77aa8c7bbf843c8e0003141a83.exe
2220	JaffaCakes118_72d59f77aa8c7bbf843c8e0003141a83.exe
2220	JaffaCakes118_72d59f77aa8c7bbf843c8e0003141a83.exe
2220	JaffaCakes118_72d59f77aa8c7bbf843c8e0003141a83.exe
2984	1.exe
2984	1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_72d59f77aa8c7bbf843c8e0003141a83.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: 33	2220	JaffaCakes118_72d59f77aa8c7bbf843c8e0003141a83.exe
Token: SeIncBasePriorityPrivilege	2220	JaffaCakes118_72d59f77aa8c7bbf843c8e0003141a83.exe
Token: SeIncreaseQuotaPrivilege	2984	1.exe
Token: SeSecurityPrivilege	2984	1.exe
Token: SeTakeOwnershipPrivilege	2984	1.exe
Token: SeLoadDriverPrivilege	2984	1.exe
Token: SeSystemProfilePrivilege	2984	1.exe
Token: SeSystemtimePrivilege	2984	1.exe
Token: SeProfSingleProcessPrivilege	2984	1.exe
Token: SeIncBasePriorityPrivilege	2984	1.exe
Token: SeCreatePagefilePrivilege	2984	1.exe
Token: SeBackupPrivilege	2984	1.exe
Token: SeRestorePrivilege	2984	1.exe
Token: SeShutdownPrivilege	2984	1.exe
Token: SeDebugPrivilege	2984	1.exe
Token: SeSystemEnvironmentPrivilege	2984	1.exe
Token: SeChangeNotifyPrivilege	2984	1.exe
Token: SeRemoteShutdownPrivilege	2984	1.exe
Token: SeUndockPrivilege	2984	1.exe
Token: SeManageVolumePrivilege	2984	1.exe
Token: SeImpersonatePrivilege	2984	1.exe
Token: SeCreateGlobalPrivilege	2984	1.exe
Token: 33	2984	1.exe
Token: 34	2984	1.exe
Token: 35	2984	1.exe
Token: SeIncreaseQuotaPrivilege	2884	msdcsc.exe
Token: SeSecurityPrivilege	2884	msdcsc.exe
Token: SeTakeOwnershipPrivilege	2884	msdcsc.exe
Token: SeLoadDriverPrivilege	2884	msdcsc.exe
Token: SeSystemProfilePrivilege	2884	msdcsc.exe
Token: SeSystemtimePrivilege	2884	msdcsc.exe
Token: SeProfSingleProcessPrivilege	2884	msdcsc.exe
Token: SeIncBasePriorityPrivilege	2884	msdcsc.exe
Token: SeCreatePagefilePrivilege	2884	msdcsc.exe
Token: SeBackupPrivilege	2884	msdcsc.exe
Token: SeRestorePrivilege	2884	msdcsc.exe
Token: SeShutdownPrivilege	2884	msdcsc.exe
Token: SeDebugPrivilege	2884	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	2884	msdcsc.exe
Token: SeChangeNotifyPrivilege	2884	msdcsc.exe
Token: SeRemoteShutdownPrivilege	2884	msdcsc.exe
Token: SeUndockPrivilege	2884	msdcsc.exe
Token: SeManageVolumePrivilege	2884	msdcsc.exe
Token: SeImpersonatePrivilege	2884	msdcsc.exe
Token: SeCreateGlobalPrivilege	2884	msdcsc.exe
Token: 33	2884	msdcsc.exe
Token: 34	2884	msdcsc.exe
Token: 35	2884	msdcsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2884	msdcsc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2984	2220	JaffaCakes118_72d59f77aa8c7bbf843c8e0003141a83.exe	29
PID 2220 wrote to memory of 2984	2220	JaffaCakes118_72d59f77aa8c7bbf843c8e0003141a83.exe	29
PID 2220 wrote to memory of 2984	2220	JaffaCakes118_72d59f77aa8c7bbf843c8e0003141a83.exe	29
PID 2220 wrote to memory of 2984	2220	JaffaCakes118_72d59f77aa8c7bbf843c8e0003141a83.exe	29
PID 2984 wrote to memory of 2884	2984	1.exe	30
PID 2984 wrote to memory of 2884	2984	1.exe	30
PID 2984 wrote to memory of 2884	2984	1.exe	30
PID 2984 wrote to memory of 2884	2984	1.exe	30

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_72d59f77aa8c7bbf843c8e0003141a83.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_72d59f77aa8c7bbf843c8e0003141a83.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220
- \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2012.09.08T14.42\Virtual\STUBEXE\8.0.1135\@DESKTOP@\1.exe
  "C:\Users\Admin\Desktop\1.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2984
- - \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2012.09.08T14.42\Native\STUBEXE\8.0.1135\@DOCUMENTS@\MSDCSC\msdcsc.exe
    "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2012.09.08T14.42\Native\STUBEXE\8.0.1135\@DOCUMENTS@\MSDCSC\msdcsc.exe

Filesize
17KB

MD5
acca5366fd4314e7ea23068cd31370cc

SHA1
ca1d31bf1334172b23a1ad35a7036bb67819340f

SHA256
70ce4ee7aacea56c5d433f333370ec55fd0352e5bac250958c23ab3d4c94b5fb

SHA512
517363bf9eff7bf364f2d0e6a27a966bc32bf6b25959bec84e988e9f60011cbeca448fbce308be84bab04e55ad04b87b2682afb8ea1ccceeecf318aff45aecfd

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2012.09.08T14.42\Virtual\MODIFIED\@DESKTOP@\1.exe

Filesize
692KB

MD5
4f6dcc174bc26fad473bf45838a8a0bc

SHA1
4e700ec2c8f9d0cd8a14815dec4a50d46c3a4e95

SHA256
8ee827363907353eadc69d328d63ceb6f3f6bc59e49aa6648c735097e8a53bef

SHA512
349c21a46f6989151f485df69ab60d0842c666f5b05bd6bb8ba95c82e47330bb4e7c02f23e556c632547a7fcd1acc5d682a899c12c36d11634d8cc9af6c1dc51

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2012.09.08T14.42\Virtual\STUBEXE\8.0.1135\@DESKTOP@\1.exe

Filesize
17KB

MD5
3b9e86e2e58a6c0987abb1b32d861815

SHA1
91de7c426f4d3bfe4555e795cb16b0d18e731198

SHA256
470c7d2b1138ca484f347e5881ada076b0af70baa5b62436a2aac9eb32231fa9

SHA512
3735eca1cb868c7cbe50573a5779e05e3e85231f40db13ffc689ea99e6324e0063ae352243d14f49e68794d1c72ac6cd135170742cbc0bb2cae171fcb04dbad5

Download Submit
memory/2220-0-0x00000000005B0000-0x0000000000622000-memory.dmp

Filesize
456KB

Download
memory/2220-2-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2220-1-0x0000000077510000-0x0000000077511000-memory.dmp

Filesize
4KB

Download
memory/2220-3-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/2220-5-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/2220-7-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/2220-8-0x00000000005B0000-0x0000000000622000-memory.dmp

Filesize
456KB

Download
memory/2220-6-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/2220-4-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/2220-52-0x00000000005B0000-0x0000000000622000-memory.dmp

Filesize
456KB

Download
memory/2220-111-0x00000000005B0000-0x0000000000622000-memory.dmp

Filesize
456KB

Download
memory/2984-44-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2984-33-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2984-43-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2984-42-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2984-41-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2984-47-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2984-46-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2984-45-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2984-48-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2984-69-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2984-67-0x0000000000530000-0x00000000005A2000-memory.dmp

Filesize
456KB

Download
memory/2984-53-0x0000000000530000-0x00000000005A2000-memory.dmp

Filesize
456KB

Download
memory/2984-24-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2984-40-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2984-38-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2984-37-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2984-36-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2984-35-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2984-34-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2984-39-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2984-32-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2984-31-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2984-29-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2984-28-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2984-27-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2984-26-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2984-25-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2984-23-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2984-22-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2984-21-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2984-20-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2984-19-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2984-18-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2984-16-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2984-15-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2984-30-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2984-13-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2984-12-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2984-17-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads