darkcomet | 1fe23f2a3cae5c252fce011484c5e25f545bb6b45b4f28fd73901ebe2bafccf8

Analysis

max time kernel
1s
max time network
4s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29/03/2025, 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_94ec8fdf1581f256ea078ee520e2666e.exe
Size

501KB
MD5

94ec8fdf1581f256ea078ee520e2666e
SHA1

61cbc6e9652f435b7a524e22726bb25aa5ad507d
SHA256

1fe23f2a3cae5c252fce011484c5e25f545bb6b45b4f28fd73901ebe2bafccf8
SHA512

662bfba1f73c910473a93ee24b73e631c1cb0b40774a12a8d503259a5d87d22a4b380151558215a169b241bd6aa5f9ad92b39a257181bcae82af6a4d45c025a7
SSDEEP

12288:7FEuFzdodXf3wxH5fKy86zgbAL5EDWeSizzA78LH0tDsBQJ:7FPzdo1f3aH5VTga5EDoiPA4L0XJ

Score

10^/10

darkcomet discovery rat trojan

Malware Config

Extracted

Family

darkcomet

Attributes

gencode
install
false
offline_keylogger
false
persistence
false

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_94ec8fdf1581f256ea078ee520e2666e.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 1592	1284	JaffaCakes118_94ec8fdf1581f256ea078ee520e2666e.exe	28
PID 1284 wrote to memory of 1592	1284	JaffaCakes118_94ec8fdf1581f256ea078ee520e2666e.exe	28
PID 1284 wrote to memory of 1592	1284	JaffaCakes118_94ec8fdf1581f256ea078ee520e2666e.exe	28
PID 1284 wrote to memory of 1592	1284	JaffaCakes118_94ec8fdf1581f256ea078ee520e2666e.exe	28
PID 1284 wrote to memory of 1592	1284	JaffaCakes118_94ec8fdf1581f256ea078ee520e2666e.exe	28
PID 1284 wrote to memory of 1592	1284	JaffaCakes118_94ec8fdf1581f256ea078ee520e2666e.exe	28
PID 1284 wrote to memory of 1592	1284	JaffaCakes118_94ec8fdf1581f256ea078ee520e2666e.exe	28
PID 1284 wrote to memory of 1592	1284	JaffaCakes118_94ec8fdf1581f256ea078ee520e2666e.exe	28

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_94ec8fdf1581f256ea078ee520e2666e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_94ec8fdf1581f256ea078ee520e2666e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1284-0-0x0000000074421000-0x0000000074422000-memory.dmp

Filesize
4KB

Download
memory/1284-1-0x0000000074420000-0x00000000749CB000-memory.dmp

Filesize
5.7MB

Download
memory/1284-2-0x0000000074420000-0x00000000749CB000-memory.dmp

Filesize
5.7MB

Download
memory/1592-3-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1592-17-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1592-22-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1592-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1592-15-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1592-13-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1592-11-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1592-9-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1592-21-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1592-5-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1592-7-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1592-24-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1592-25-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1592-26-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download