darkcomet | 9c438c5bdb0b14d8020665628536fc4e0cadd3eebf29e39bb675802666ab1567

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
27-06-2024 04:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
Size

874KB
MD5

14abcdc70e8241e4d6aff50d87ed12ae
SHA1

c80ff4c996dc233529344ba28e5275f34c8b050a
SHA256

9c438c5bdb0b14d8020665628536fc4e0cadd3eebf29e39bb675802666ab1567
SHA512

5a18c749c3630fb8cb74985d053540f7bb5cf760a5ca7db8a5a8000d366c9c03b36c341ce21bdcb217049b490c540cfe45fdf225e1b3367ce2015e1cee9c4366
SSDEEP

12288:rEH+9e0/hHFpS9fa2FzsKZhxiNtazSO5pDt3iWpjuE8NTrfMc0cinVTgtPv939qS:r99e0/Dpmf9t0GzfiWAEciVMtH939xLz

Score

10^/10

darkcomet persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe"	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

Processes:

msdcsc.exemsdcsc.exe

pid process

2768 msdcsc.exe
2632 msdcsc.exe
Loads dropped DLL 3 IoCs

Processes:

14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exemsdcsc.exe

pid process

1844 14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
1844 14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
2768 msdcsc.exe

pid	process
2768	msdcsc.exe
2632	msdcsc.exe

pid	process
1844	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
1844	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
2768	msdcsc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe"	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exemsdcsc.exe

description	pid	process	target process
PID 2176 set thread context of 1844	2176	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
PID 2768 set thread context of 2632	2768	msdcsc.exe	msdcsc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exemsdcsc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1844	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
Token: SeSecurityPrivilege	1844	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	1844	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	1844	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	1844	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
Token: SeSystemtimePrivilege	1844	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	1844	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1844	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	1844	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
Token: SeBackupPrivilege	1844	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
Token: SeRestorePrivilege	1844	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
Token: SeShutdownPrivilege	1844	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
Token: SeDebugPrivilege	1844	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	1844	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	1844	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	1844	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
Token: SeUndockPrivilege	1844	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
Token: SeManageVolumePrivilege	1844	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
Token: SeImpersonatePrivilege	1844	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	1844	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
Token: 33	1844	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
Token: 34	1844	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
Token: 35	1844	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2632	msdcsc.exe
Token: SeSecurityPrivilege	2632	msdcsc.exe
Token: SeTakeOwnershipPrivilege	2632	msdcsc.exe
Token: SeLoadDriverPrivilege	2632	msdcsc.exe
Token: SeSystemProfilePrivilege	2632	msdcsc.exe
Token: SeSystemtimePrivilege	2632	msdcsc.exe
Token: SeProfSingleProcessPrivilege	2632	msdcsc.exe
Token: SeIncBasePriorityPrivilege	2632	msdcsc.exe
Token: SeCreatePagefilePrivilege	2632	msdcsc.exe
Token: SeBackupPrivilege	2632	msdcsc.exe
Token: SeRestorePrivilege	2632	msdcsc.exe
Token: SeShutdownPrivilege	2632	msdcsc.exe
Token: SeDebugPrivilege	2632	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	2632	msdcsc.exe
Token: SeChangeNotifyPrivilege	2632	msdcsc.exe
Token: SeRemoteShutdownPrivilege	2632	msdcsc.exe
Token: SeUndockPrivilege	2632	msdcsc.exe
Token: SeManageVolumePrivilege	2632	msdcsc.exe
Token: SeImpersonatePrivilege	2632	msdcsc.exe
Token: SeCreateGlobalPrivilege	2632	msdcsc.exe
Token: 33	2632	msdcsc.exe
Token: 34	2632	msdcsc.exe
Token: 35	2632	msdcsc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exemsdcsc.exemsdcsc.exe

pid process

2176 14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
2768 msdcsc.exe
2632 msdcsc.exe

pid	process
2176	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
2768	msdcsc.exe
2632	msdcsc.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exemsdcsc.exe

description	pid	process	target process
PID 2176 wrote to memory of 1844	2176	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
PID 2176 wrote to memory of 1844	2176	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
PID 2176 wrote to memory of 1844	2176	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
PID 2176 wrote to memory of 1844	2176	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
PID 2176 wrote to memory of 1844	2176	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
PID 2176 wrote to memory of 1844	2176	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
PID 2176 wrote to memory of 1844	2176	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
PID 2176 wrote to memory of 1844	2176	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
PID 2176 wrote to memory of 1844	2176	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
PID 2176 wrote to memory of 1844	2176	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
PID 2176 wrote to memory of 1844	2176	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
PID 2176 wrote to memory of 1844	2176	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
PID 2176 wrote to memory of 1844	2176	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
PID 1844 wrote to memory of 2768	1844	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe	msdcsc.exe
PID 1844 wrote to memory of 2768	1844	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe	msdcsc.exe
PID 1844 wrote to memory of 2768	1844	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe	msdcsc.exe
PID 1844 wrote to memory of 2768	1844	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe	msdcsc.exe
PID 2768 wrote to memory of 2632	2768	msdcsc.exe	msdcsc.exe
PID 2768 wrote to memory of 2632	2768	msdcsc.exe	msdcsc.exe
PID 2768 wrote to memory of 2632	2768	msdcsc.exe	msdcsc.exe
PID 2768 wrote to memory of 2632	2768	msdcsc.exe	msdcsc.exe
PID 2768 wrote to memory of 2632	2768	msdcsc.exe	msdcsc.exe
PID 2768 wrote to memory of 2632	2768	msdcsc.exe	msdcsc.exe
PID 2768 wrote to memory of 2632	2768	msdcsc.exe	msdcsc.exe
PID 2768 wrote to memory of 2632	2768	msdcsc.exe	msdcsc.exe
PID 2768 wrote to memory of 2632	2768	msdcsc.exe	msdcsc.exe
PID 2768 wrote to memory of 2632	2768	msdcsc.exe	msdcsc.exe
PID 2768 wrote to memory of 2632	2768	msdcsc.exe	msdcsc.exe
PID 2768 wrote to memory of 2632	2768	msdcsc.exe	msdcsc.exe
PID 2768 wrote to memory of 2632	2768	msdcsc.exe	msdcsc.exe

C:\Users\Admin\AppData\Local\Temp\14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2176

C:\Users\Admin\AppData\Local\Temp\14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1844

C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2768

C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2632

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe
Filesize
874KB

MD5
14abcdc70e8241e4d6aff50d87ed12ae

SHA1
c80ff4c996dc233529344ba28e5275f34c8b050a

SHA256
9c438c5bdb0b14d8020665628536fc4e0cadd3eebf29e39bb675802666ab1567

SHA512
5a18c749c3630fb8cb74985d053540f7bb5cf760a5ca7db8a5a8000d366c9c03b36c341ce21bdcb217049b490c540cfe45fdf225e1b3367ce2015e1cee9c4366

Download Submit
memory/1844-5-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/1844-12-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/1844-8-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/1844-7-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/1844-17-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/1844-16-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/1844-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1844-13-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/1844-11-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/1844-9-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/1844-3-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/1844-35-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/1844-22-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/1844-20-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/1844-21-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/2176-10-0x0000000000430000-0x0000000000454000-memory.dmp

Filesize
144KB

Download
memory/2176-19-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2176-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2632-67-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/2632-72-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/2632-58-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/2632-59-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/2632-60-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/2632-62-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/2632-61-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/2632-63-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/2632-64-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/2632-65-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/2632-66-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/2632-78-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/2632-68-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/2632-69-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/2632-70-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/2632-71-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/2632-77-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/2632-73-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/2632-74-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/2632-75-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/2632-76-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/2768-57-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2768-36-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download