darkcomet | 9c790e52f85186e54147c1bc6dd5aa324107979d88f482b26514dcb3a280dd68

Analysis

max time kernel
149s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2025, 10:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_988f08c71b487bb22b9228638056f698.exe
Size

1.4MB
MD5

988f08c71b487bb22b9228638056f698
SHA1

34d6fa78c457f0a65ec6cb889101b0566ea4303c
SHA256

9c790e52f85186e54147c1bc6dd5aa324107979d88f482b26514dcb3a280dd68
SHA512

68610dd0331714477c1a90b680b40ba0d0c09c595360da14a8a86c568cb1e19a02e2eeaeb90f544c9c9fd262d05a9344a5fcd9080a9d2f67a6cb121a59d5d604
SSDEEP

24576:rs/yLn3xnI9bO7pus5DGd3T1cKvJwIUclPuZg1It9xAwl8reoApx5:IKLlGbGJydD1QMCgO9N

Score

10^/10

darkcomet living room pc discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Living Room PC

192.168.1.106:1604

Mutex

DC_MUTEX-6GSK0WX

Attributes

InstallPath
DarkComet Server\DarkComet Server.exe
gencode
8YY5R9UWixVK
install
true
offline_keylogger
true
persistence
true
reg_key
DarkComet Server

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\DarkComet Server\\DarkComet Server.exe"	DARKCO~1.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	DARKCO~1.EXE

Executes dropped EXE 3 IoCs

pid	Process
3092	DARKCO~1.EXE
4408	DarkComet Server.exe
2044	DARKCO~1.EXE

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkComet Server = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DarkComet Server\\DarkComet Server.exe"	DarkComet Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	JaffaCakes118_988f08c71b487bb22b9228638056f698.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkComet Server = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DarkComet Server\\DarkComet Server.exe"	DARKCO~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DARKCO~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DarkComet Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DARKCO~1.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3092	DARKCO~1.EXE
Token: SeSecurityPrivilege	3092	DARKCO~1.EXE
Token: SeTakeOwnershipPrivilege	3092	DARKCO~1.EXE
Token: SeLoadDriverPrivilege	3092	DARKCO~1.EXE
Token: SeSystemProfilePrivilege	3092	DARKCO~1.EXE
Token: SeSystemtimePrivilege	3092	DARKCO~1.EXE
Token: SeProfSingleProcessPrivilege	3092	DARKCO~1.EXE
Token: SeIncBasePriorityPrivilege	3092	DARKCO~1.EXE
Token: SeCreatePagefilePrivilege	3092	DARKCO~1.EXE
Token: SeBackupPrivilege	3092	DARKCO~1.EXE
Token: SeRestorePrivilege	3092	DARKCO~1.EXE
Token: SeShutdownPrivilege	3092	DARKCO~1.EXE
Token: SeDebugPrivilege	3092	DARKCO~1.EXE
Token: SeSystemEnvironmentPrivilege	3092	DARKCO~1.EXE
Token: SeChangeNotifyPrivilege	3092	DARKCO~1.EXE
Token: SeRemoteShutdownPrivilege	3092	DARKCO~1.EXE
Token: SeUndockPrivilege	3092	DARKCO~1.EXE
Token: SeManageVolumePrivilege	3092	DARKCO~1.EXE
Token: SeImpersonatePrivilege	3092	DARKCO~1.EXE
Token: SeCreateGlobalPrivilege	3092	DARKCO~1.EXE
Token: 33	3092	DARKCO~1.EXE
Token: 34	3092	DARKCO~1.EXE
Token: 35	3092	DARKCO~1.EXE
Token: 36	3092	DARKCO~1.EXE
Token: SeIncreaseQuotaPrivilege	4408	DarkComet Server.exe
Token: SeSecurityPrivilege	4408	DarkComet Server.exe
Token: SeTakeOwnershipPrivilege	4408	DarkComet Server.exe
Token: SeLoadDriverPrivilege	4408	DarkComet Server.exe
Token: SeSystemProfilePrivilege	4408	DarkComet Server.exe
Token: SeSystemtimePrivilege	4408	DarkComet Server.exe
Token: SeProfSingleProcessPrivilege	4408	DarkComet Server.exe
Token: SeIncBasePriorityPrivilege	4408	DarkComet Server.exe
Token: SeCreatePagefilePrivilege	4408	DarkComet Server.exe
Token: SeBackupPrivilege	4408	DarkComet Server.exe
Token: SeRestorePrivilege	4408	DarkComet Server.exe
Token: SeShutdownPrivilege	4408	DarkComet Server.exe
Token: SeDebugPrivilege	4408	DarkComet Server.exe
Token: SeSystemEnvironmentPrivilege	4408	DarkComet Server.exe
Token: SeChangeNotifyPrivilege	4408	DarkComet Server.exe
Token: SeRemoteShutdownPrivilege	4408	DarkComet Server.exe
Token: SeUndockPrivilege	4408	DarkComet Server.exe
Token: SeManageVolumePrivilege	4408	DarkComet Server.exe
Token: SeImpersonatePrivilege	4408	DarkComet Server.exe
Token: SeCreateGlobalPrivilege	4408	DarkComet Server.exe
Token: 33	4408	DarkComet Server.exe
Token: 34	4408	DarkComet Server.exe
Token: 35	4408	DarkComet Server.exe
Token: 36	4408	DarkComet Server.exe
Token: SeIncreaseQuotaPrivilege	2044	DARKCO~1.EXE
Token: SeSecurityPrivilege	2044	DARKCO~1.EXE
Token: SeTakeOwnershipPrivilege	2044	DARKCO~1.EXE
Token: SeLoadDriverPrivilege	2044	DARKCO~1.EXE
Token: SeSystemProfilePrivilege	2044	DARKCO~1.EXE
Token: SeSystemtimePrivilege	2044	DARKCO~1.EXE
Token: SeProfSingleProcessPrivilege	2044	DARKCO~1.EXE
Token: SeIncBasePriorityPrivilege	2044	DARKCO~1.EXE
Token: SeCreatePagefilePrivilege	2044	DARKCO~1.EXE
Token: SeBackupPrivilege	2044	DARKCO~1.EXE
Token: SeRestorePrivilege	2044	DARKCO~1.EXE
Token: SeShutdownPrivilege	2044	DARKCO~1.EXE
Token: SeDebugPrivilege	2044	DARKCO~1.EXE
Token: SeSystemEnvironmentPrivilege	2044	DARKCO~1.EXE
Token: SeChangeNotifyPrivilege	2044	DARKCO~1.EXE
Token: SeRemoteShutdownPrivilege	2044	DARKCO~1.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4408	DarkComet Server.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 3092	2552	JaffaCakes118_988f08c71b487bb22b9228638056f698.exe	88
PID 2552 wrote to memory of 3092	2552	JaffaCakes118_988f08c71b487bb22b9228638056f698.exe	88
PID 2552 wrote to memory of 3092	2552	JaffaCakes118_988f08c71b487bb22b9228638056f698.exe	88
PID 1672 wrote to memory of 6044	1672	cmd.exe	89
PID 1672 wrote to memory of 6044	1672	cmd.exe	89
PID 3092 wrote to memory of 4408	3092	DARKCO~1.EXE	101
PID 3092 wrote to memory of 4408	3092	DARKCO~1.EXE	101
PID 3092 wrote to memory of 4408	3092	DARKCO~1.EXE	101
PID 4408 wrote to memory of 2080	4408	DarkComet Server.exe	104
PID 4408 wrote to memory of 2080	4408	DarkComet Server.exe	104
PID 4408 wrote to memory of 2080	4408	DarkComet Server.exe	104
PID 4408 wrote to memory of 2080	4408	DarkComet Server.exe	104
PID 4408 wrote to memory of 2080	4408	DarkComet Server.exe	104
PID 4408 wrote to memory of 2080	4408	DarkComet Server.exe	104
PID 4408 wrote to memory of 2080	4408	DarkComet Server.exe	104
PID 4408 wrote to memory of 2080	4408	DarkComet Server.exe	104
PID 4408 wrote to memory of 2080	4408	DarkComet Server.exe	104
PID 4408 wrote to memory of 2080	4408	DarkComet Server.exe	104
PID 4408 wrote to memory of 2080	4408	DarkComet Server.exe	104
PID 4408 wrote to memory of 2080	4408	DarkComet Server.exe	104
PID 4408 wrote to memory of 2080	4408	DarkComet Server.exe	104
PID 4408 wrote to memory of 2080	4408	DarkComet Server.exe	104
PID 4408 wrote to memory of 2080	4408	DarkComet Server.exe	104
PID 4408 wrote to memory of 2080	4408	DarkComet Server.exe	104
PID 4408 wrote to memory of 2080	4408	DarkComet Server.exe	104
PID 4408 wrote to memory of 2080	4408	DarkComet Server.exe	104
PID 4408 wrote to memory of 2080	4408	DarkComet Server.exe	104
PID 4408 wrote to memory of 2080	4408	DarkComet Server.exe	104
PID 4408 wrote to memory of 2080	4408	DarkComet Server.exe	104
PID 4408 wrote to memory of 2080	4408	DarkComet Server.exe	104
PID 2552 wrote to memory of 2044	2552	JaffaCakes118_988f08c71b487bb22b9228638056f698.exe	107
PID 2552 wrote to memory of 2044	2552	JaffaCakes118_988f08c71b487bb22b9228638056f698.exe	107
PID 2552 wrote to memory of 2044	2552	JaffaCakes118_988f08c71b487bb22b9228638056f698.exe	107

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_988f08c71b487bb22b9228638056f698.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_988f08c71b487bb22b9228638056f698.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DARKCO~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DARKCO~1.EXE
  2⤵
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3092
- - C:\Users\Admin\AppData\Local\Temp\DarkComet Server\DarkComet Server.exe
    "C:\Users\Admin\AppData\Local\Temp\DarkComet Server\DarkComet Server.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4408
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      System Location Discovery: System Language Discovery
      PID:2080
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DARKCO~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DARKCO~1.EXE
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
1⤵
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
  2⤵
  PID:6044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\DarkComet Server\DarkComet Server.exe
1⤵
PID:2960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\DarkComet Server\DarkComet Server.exe
1⤵
PID:3640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\DarkComet Server\DarkComet Server.exe
1⤵
PID:1248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\DarkComet Server\DarkComet Server.exe
1⤵
PID:1104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\DarkComet Server\DarkComet Server.exe
1⤵
PID:3964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\DarkComet Server\DarkComet Server.exe
1⤵
PID:1852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\DarkComet Server\DarkComet Server.exe
1⤵
PID:1272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\DarkComet Server\DarkComet Server.exe
1⤵
PID:5132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\DarkComet Server\DarkComet Server.exe
1⤵
PID:4680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\DarkComet Server\DarkComet Server.exe
1⤵
PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\DarkComet Server\DarkComet Server.exe
1⤵
PID:5448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\DarkComet Server\DarkComet Server.exe
1⤵
PID:2476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\DarkComet Server\DarkComet Server.exe
1⤵
PID:5696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\DarkComet Server\DarkComet Server.exe
1⤵
PID:1172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\DarkComet Server\DarkComet Server.exe
1⤵
PID:2552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\DarkComet Server\DarkComet Server.exe
1⤵
PID:3684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DARKCO~1.EXE

Filesize
659KB

MD5
d85475fe17092a15927f89207e54a8e4

SHA1
eb6094a52a40351f167c047d4a9f9dd489b48600

SHA256
d00b6df1f22a363b7db3c77b5beda0ae27c61713576c22c5d41ac23fb5f66d4c

SHA512
bf296b61a01d3fd549ec7547e5c104327a84dae196b3f0b17680e31a4bab62419efdaf092700947e34a90067b47141cc4a6662b0f4d74ec8b35d12151dea9ce7

Download Submit
memory/2044-21-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2080-18-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/3092-5-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/3092-19-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4408-22-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4408-24-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads