darkcomet | 9c438c5bdb0b14d8020665628536fc4e0cadd3eebf29e39bb675802666ab1567

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2024 04:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
Size

874KB
MD5

14abcdc70e8241e4d6aff50d87ed12ae
SHA1

c80ff4c996dc233529344ba28e5275f34c8b050a
SHA256

9c438c5bdb0b14d8020665628536fc4e0cadd3eebf29e39bb675802666ab1567
SHA512

5a18c749c3630fb8cb74985d053540f7bb5cf760a5ca7db8a5a8000d366c9c03b36c341ce21bdcb217049b490c540cfe45fdf225e1b3367ce2015e1cee9c4366
SSDEEP

12288:rEH+9e0/hHFpS9fa2FzsKZhxiNtazSO5pDt3iWpjuE8NTrfMc0cinVTgtPv939qS:r99e0/Dpmf9t0GzfiWAEciVMtH939xLz

Score

10^/10

darkcomet persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe"	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation 14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
Executes dropped EXE 2 IoCs

Processes:

msdcsc.exemsdcsc.exe

pid process

4564 msdcsc.exe
4300 msdcsc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe

pid	process
4564	msdcsc.exe
4300	msdcsc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe"	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exemsdcsc.exe

description	pid	process	target process
PID 2368 set thread context of 1608	2368	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
PID 4564 set thread context of 4300	4564	msdcsc.exe	msdcsc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exemsdcsc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1608	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
Token: SeSecurityPrivilege	1608	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	1608	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	1608	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	1608	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
Token: SeSystemtimePrivilege	1608	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	1608	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1608	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	1608	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
Token: SeBackupPrivilege	1608	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
Token: SeRestorePrivilege	1608	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
Token: SeShutdownPrivilege	1608	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
Token: SeDebugPrivilege	1608	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	1608	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	1608	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	1608	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
Token: SeUndockPrivilege	1608	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
Token: SeManageVolumePrivilege	1608	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
Token: SeImpersonatePrivilege	1608	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	1608	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
Token: 33	1608	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
Token: 34	1608	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
Token: 35	1608	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
Token: 36	1608	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	4300	msdcsc.exe
Token: SeSecurityPrivilege	4300	msdcsc.exe
Token: SeTakeOwnershipPrivilege	4300	msdcsc.exe
Token: SeLoadDriverPrivilege	4300	msdcsc.exe
Token: SeSystemProfilePrivilege	4300	msdcsc.exe
Token: SeSystemtimePrivilege	4300	msdcsc.exe
Token: SeProfSingleProcessPrivilege	4300	msdcsc.exe
Token: SeIncBasePriorityPrivilege	4300	msdcsc.exe
Token: SeCreatePagefilePrivilege	4300	msdcsc.exe
Token: SeBackupPrivilege	4300	msdcsc.exe
Token: SeRestorePrivilege	4300	msdcsc.exe
Token: SeShutdownPrivilege	4300	msdcsc.exe
Token: SeDebugPrivilege	4300	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	4300	msdcsc.exe
Token: SeChangeNotifyPrivilege	4300	msdcsc.exe
Token: SeRemoteShutdownPrivilege	4300	msdcsc.exe
Token: SeUndockPrivilege	4300	msdcsc.exe
Token: SeManageVolumePrivilege	4300	msdcsc.exe
Token: SeImpersonatePrivilege	4300	msdcsc.exe
Token: SeCreateGlobalPrivilege	4300	msdcsc.exe
Token: 33	4300	msdcsc.exe
Token: 34	4300	msdcsc.exe
Token: 35	4300	msdcsc.exe
Token: 36	4300	msdcsc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exemsdcsc.exemsdcsc.exe

pid process

2368 14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
4564 msdcsc.exe
4300 msdcsc.exe

pid	process
2368	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
4564	msdcsc.exe
4300	msdcsc.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exemsdcsc.exe

description	pid	process	target process
PID 2368 wrote to memory of 1608	2368	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
PID 2368 wrote to memory of 1608	2368	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
PID 2368 wrote to memory of 1608	2368	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
PID 2368 wrote to memory of 1608	2368	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
PID 2368 wrote to memory of 1608	2368	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
PID 2368 wrote to memory of 1608	2368	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
PID 2368 wrote to memory of 1608	2368	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
PID 2368 wrote to memory of 1608	2368	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
PID 2368 wrote to memory of 1608	2368	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
PID 2368 wrote to memory of 1608	2368	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
PID 2368 wrote to memory of 1608	2368	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
PID 2368 wrote to memory of 1608	2368	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
PID 2368 wrote to memory of 1608	2368	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
PID 2368 wrote to memory of 1608	2368	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
PID 1608 wrote to memory of 4564	1608	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe	msdcsc.exe
PID 1608 wrote to memory of 4564	1608	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe	msdcsc.exe
PID 1608 wrote to memory of 4564	1608	14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe	msdcsc.exe
PID 4564 wrote to memory of 4300	4564	msdcsc.exe	msdcsc.exe
PID 4564 wrote to memory of 4300	4564	msdcsc.exe	msdcsc.exe
PID 4564 wrote to memory of 4300	4564	msdcsc.exe	msdcsc.exe
PID 4564 wrote to memory of 4300	4564	msdcsc.exe	msdcsc.exe
PID 4564 wrote to memory of 4300	4564	msdcsc.exe	msdcsc.exe
PID 4564 wrote to memory of 4300	4564	msdcsc.exe	msdcsc.exe
PID 4564 wrote to memory of 4300	4564	msdcsc.exe	msdcsc.exe
PID 4564 wrote to memory of 4300	4564	msdcsc.exe	msdcsc.exe
PID 4564 wrote to memory of 4300	4564	msdcsc.exe	msdcsc.exe
PID 4564 wrote to memory of 4300	4564	msdcsc.exe	msdcsc.exe
PID 4564 wrote to memory of 4300	4564	msdcsc.exe	msdcsc.exe
PID 4564 wrote to memory of 4300	4564	msdcsc.exe	msdcsc.exe
PID 4564 wrote to memory of 4300	4564	msdcsc.exe	msdcsc.exe
PID 4564 wrote to memory of 4300	4564	msdcsc.exe	msdcsc.exe

C:\Users\Admin\AppData\Local\Temp\14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2368

C:\Users\Admin\AppData\Local\Temp\14abcdc70e8241e4d6aff50d87ed12ae_JaffaCakes118.exe
2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1608

C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4564

C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4300

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe
Filesize
874KB

MD5
14abcdc70e8241e4d6aff50d87ed12ae

SHA1
c80ff4c996dc233529344ba28e5275f34c8b050a

SHA256
9c438c5bdb0b14d8020665628536fc4e0cadd3eebf29e39bb675802666ab1567

SHA512
5a18c749c3630fb8cb74985d053540f7bb5cf760a5ca7db8a5a8000d366c9c03b36c341ce21bdcb217049b490c540cfe45fdf225e1b3367ce2015e1cee9c4366

Download Submit
memory/1608-4-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/1608-3-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/1608-7-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/1608-8-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/1608-9-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/1608-17-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/2368-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2368-6-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4300-32-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4300-38-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4300-28-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4300-29-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4300-49-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4300-34-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4300-33-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4300-48-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4300-35-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4300-36-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4300-37-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4300-27-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4300-39-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4300-40-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4300-41-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4300-42-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4300-43-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4300-44-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4300-45-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4300-46-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4300-47-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4564-21-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4564-31-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download