darkcomet | de09d1e89d28c805c5e76a55e3de5af8f1b9e2d985bac19a88e42411c2697af6

Analysis

max time kernel
141s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29/03/2025, 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_94bd603778fd677fb9ae2ba9dea1a90b.exe
Size

1.0MB
MD5

94bd603778fd677fb9ae2ba9dea1a90b
SHA1

a435f6f7fe94e12cfe6127531b04d2de85ed4859
SHA256

de09d1e89d28c805c5e76a55e3de5af8f1b9e2d985bac19a88e42411c2697af6
SHA512

96f4e2aa9fee022b089b5ecfbb917581ecfa8f3553349cc15d4310bed3565ed49ecf574df1939fcefadc3a19fae8ddc8c5ddc9ba79bf4748e9a4ab8b85419d62
SSDEEP

12288:3JIgwDM1afm34GNzONSFm9lAIpeSXLzdMWdSJ1iRraB:3SgYM1alyzhmYsPqWdSbiRraB

Score

10^/10

darkcomet guest16 discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

testehff.no-ip.biz:1604

94.225.115.130:1604

Mutex

DC_MUTEX-TML3K84

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
KmYpD1WH9wHk
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

rc4.plain

Extracted

Family

darkcomet

Attributes

gencode
install
false
offline_keylogger
false
persistence
false

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\MSDCSC\\msdcsc.exe"	svchost.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 1 IoCs

pid	Process
2380	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
1924	JaffaCakes118_94bd603778fd677fb9ae2ba9dea1a90b.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\MSDCSC\\msdcsc.exe"	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1924 set thread context of 2380	1924	JaffaCakes118_94bd603778fd677fb9ae2ba9dea1a90b.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_94bd603778fd677fb9ae2ba9dea1a90b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2828	explorer.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2380	svchost.exe
Token: SeSecurityPrivilege	2380	svchost.exe
Token: SeTakeOwnershipPrivilege	2380	svchost.exe
Token: SeLoadDriverPrivilege	2380	svchost.exe
Token: SeSystemProfilePrivilege	2380	svchost.exe
Token: SeSystemtimePrivilege	2380	svchost.exe
Token: SeProfSingleProcessPrivilege	2380	svchost.exe
Token: SeIncBasePriorityPrivilege	2380	svchost.exe
Token: SeCreatePagefilePrivilege	2380	svchost.exe
Token: SeBackupPrivilege	2380	svchost.exe
Token: SeRestorePrivilege	2380	svchost.exe
Token: SeShutdownPrivilege	2380	svchost.exe
Token: SeDebugPrivilege	2380	svchost.exe
Token: SeSystemEnvironmentPrivilege	2380	svchost.exe
Token: SeChangeNotifyPrivilege	2380	svchost.exe
Token: SeRemoteShutdownPrivilege	2380	svchost.exe
Token: SeUndockPrivilege	2380	svchost.exe
Token: SeManageVolumePrivilege	2380	svchost.exe
Token: SeImpersonatePrivilege	2380	svchost.exe
Token: SeCreateGlobalPrivilege	2380	svchost.exe
Token: 33	2380	svchost.exe
Token: 34	2380	svchost.exe
Token: 35	2380	svchost.exe
Token: SeShutdownPrivilege	2828	explorer.exe
Token: SeShutdownPrivilege	2828	explorer.exe
Token: SeShutdownPrivilege	2828	explorer.exe
Token: SeShutdownPrivilege	2828	explorer.exe
Token: SeShutdownPrivilege	2828	explorer.exe
Token: SeShutdownPrivilege	2828	explorer.exe
Token: SeShutdownPrivilege	2828	explorer.exe
Token: SeShutdownPrivilege	2828	explorer.exe
Token: SeShutdownPrivilege	2828	explorer.exe
Token: SeShutdownPrivilege	2828	explorer.exe
Token: SeShutdownPrivilege	2828	explorer.exe
Token: SeShutdownPrivilege	2828	explorer.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 2380	1924	JaffaCakes118_94bd603778fd677fb9ae2ba9dea1a90b.exe	30
PID 1924 wrote to memory of 2380	1924	JaffaCakes118_94bd603778fd677fb9ae2ba9dea1a90b.exe	30
PID 1924 wrote to memory of 2380	1924	JaffaCakes118_94bd603778fd677fb9ae2ba9dea1a90b.exe	30
PID 1924 wrote to memory of 2380	1924	JaffaCakes118_94bd603778fd677fb9ae2ba9dea1a90b.exe	30
PID 1924 wrote to memory of 2380	1924	JaffaCakes118_94bd603778fd677fb9ae2ba9dea1a90b.exe	30
PID 1924 wrote to memory of 2380	1924	JaffaCakes118_94bd603778fd677fb9ae2ba9dea1a90b.exe	30
PID 1924 wrote to memory of 2380	1924	JaffaCakes118_94bd603778fd677fb9ae2ba9dea1a90b.exe	30
PID 1924 wrote to memory of 2380	1924	JaffaCakes118_94bd603778fd677fb9ae2ba9dea1a90b.exe	30
PID 1924 wrote to memory of 2380	1924	JaffaCakes118_94bd603778fd677fb9ae2ba9dea1a90b.exe	30
PID 1924 wrote to memory of 2380	1924	JaffaCakes118_94bd603778fd677fb9ae2ba9dea1a90b.exe	30
PID 1924 wrote to memory of 2380	1924	JaffaCakes118_94bd603778fd677fb9ae2ba9dea1a90b.exe	30
PID 1924 wrote to memory of 2380	1924	JaffaCakes118_94bd603778fd677fb9ae2ba9dea1a90b.exe	30
PID 1924 wrote to memory of 2380	1924	JaffaCakes118_94bd603778fd677fb9ae2ba9dea1a90b.exe	30

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_94bd603778fd677fb9ae2ba9dea1a90b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_94bd603778fd677fb9ae2ba9dea1a90b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Users\Admin\AppData\Local\Temp\plugtemp\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\\plugtemp\svchost.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2380

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\plugtemp\svchost.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
memory/1924-0-0x0000000074291000-0x0000000074292000-memory.dmp

Filesize
4KB

Download
memory/1924-1-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/1924-2-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/1924-29-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/1924-28-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/2380-14-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2380-11-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2380-16-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2380-15-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2380-19-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2380-13-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2380-22-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2380-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2380-23-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2380-24-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2380-9-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2380-12-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2380-21-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2380-7-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2380-30-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2828-47-0x0000000003BB0000-0x0000000003BC0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads