darkcomet | 938bfda0209c6bb2e28e0094245a0ce708c75f19b42a557054d9a1efde1b1335

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2024 11:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15e79e75f052a82d3e1a2cd88028596f_JaffaCakes118.exe
Size

1.3MB
MD5

15e79e75f052a82d3e1a2cd88028596f
SHA1

ec3f2e8e2fe31d232bd45d7d54c79dbe81c47994
SHA256

938bfda0209c6bb2e28e0094245a0ce708c75f19b42a557054d9a1efde1b1335
SHA512

8b425d73fb21de18b8fa549a2719cc22da45e0eccd45c1168ee2ffdfd26dd1db3090a0ebd1eb28608e7dad6d1f60de54246f232579c134e779d4a9114ff16ab3
SSDEEP

24576:1BjwYUcORkNuE9agxxs3HAfpnJ+xxxgQUSFKJnNiu/J5tL:qcuE9xxs3HAB8xTflFKJNx/VL

Score

10^/10

darkcomet evasion persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Modifies WinLogon for persistence 2 TTPs 1 IoCs
persistence

Winlogon Helper DLL
T1547.004

Modify Registry
T1112

Processes:

ephir.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe" ephir.exe
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

2880 attrib.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe"	ephir.exe

pid	process
2880	attrib.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

winlogon.exeephir.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	ephir.exe

Executes dropped EXE 3 IoCs

Processes:

winlogon.exeephir.exewinupdate.exe

pid process

4868 winlogon.exe
608 ephir.exe
4116 winupdate.exe
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

ephir.exe

description ioc process

Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" ephir.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

15e79e75f052a82d3e1a2cd88028596f_JaffaCakes118.exe

description pid process target process

PID 4672 set thread context of 4868 4672 15e79e75f052a82d3e1a2cd88028596f_JaffaCakes118.exe winlogon.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

ephir.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ ephir.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4768 PING.EXE

pid	process
4868	winlogon.exe
608	ephir.exe
4116	winupdate.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe"	ephir.exe

description	pid	process	target process
PID 4672 set thread context of 4868	4672	15e79e75f052a82d3e1a2cd88028596f_JaffaCakes118.exe	winlogon.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ephir.exe

pid	process
4768	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

15e79e75f052a82d3e1a2cd88028596f_JaffaCakes118.exe

pid	process
4672	15e79e75f052a82d3e1a2cd88028596f_JaffaCakes118.exe
4672	15e79e75f052a82d3e1a2cd88028596f_JaffaCakes118.exe
4672	15e79e75f052a82d3e1a2cd88028596f_JaffaCakes118.exe
4672	15e79e75f052a82d3e1a2cd88028596f_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

winupdate.exe

pid process

4116 winupdate.exe

pid	process
4116	winupdate.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

15e79e75f052a82d3e1a2cd88028596f_JaffaCakes118.exeephir.exewinupdate.exe

description	pid	process
Token: SeDebugPrivilege	4672	15e79e75f052a82d3e1a2cd88028596f_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	608	ephir.exe
Token: SeSecurityPrivilege	608	ephir.exe
Token: SeTakeOwnershipPrivilege	608	ephir.exe
Token: SeLoadDriverPrivilege	608	ephir.exe
Token: SeSystemProfilePrivilege	608	ephir.exe
Token: SeSystemtimePrivilege	608	ephir.exe
Token: SeProfSingleProcessPrivilege	608	ephir.exe
Token: SeIncBasePriorityPrivilege	608	ephir.exe
Token: SeCreatePagefilePrivilege	608	ephir.exe
Token: SeBackupPrivilege	608	ephir.exe
Token: SeRestorePrivilege	608	ephir.exe
Token: SeShutdownPrivilege	608	ephir.exe
Token: SeDebugPrivilege	608	ephir.exe
Token: SeSystemEnvironmentPrivilege	608	ephir.exe
Token: SeChangeNotifyPrivilege	608	ephir.exe
Token: SeRemoteShutdownPrivilege	608	ephir.exe
Token: SeUndockPrivilege	608	ephir.exe
Token: SeManageVolumePrivilege	608	ephir.exe
Token: SeImpersonatePrivilege	608	ephir.exe
Token: SeCreateGlobalPrivilege	608	ephir.exe
Token: 33	608	ephir.exe
Token: 34	608	ephir.exe
Token: 35	608	ephir.exe
Token: 36	608	ephir.exe
Token: SeIncreaseQuotaPrivilege	4116	winupdate.exe
Token: SeSecurityPrivilege	4116	winupdate.exe
Token: SeTakeOwnershipPrivilege	4116	winupdate.exe
Token: SeLoadDriverPrivilege	4116	winupdate.exe
Token: SeSystemProfilePrivilege	4116	winupdate.exe
Token: SeSystemtimePrivilege	4116	winupdate.exe
Token: SeProfSingleProcessPrivilege	4116	winupdate.exe
Token: SeIncBasePriorityPrivilege	4116	winupdate.exe
Token: SeCreatePagefilePrivilege	4116	winupdate.exe
Token: SeBackupPrivilege	4116	winupdate.exe
Token: SeRestorePrivilege	4116	winupdate.exe
Token: SeShutdownPrivilege	4116	winupdate.exe
Token: SeDebugPrivilege	4116	winupdate.exe
Token: SeSystemEnvironmentPrivilege	4116	winupdate.exe
Token: SeChangeNotifyPrivilege	4116	winupdate.exe
Token: SeRemoteShutdownPrivilege	4116	winupdate.exe
Token: SeUndockPrivilege	4116	winupdate.exe
Token: SeManageVolumePrivilege	4116	winupdate.exe
Token: SeImpersonatePrivilege	4116	winupdate.exe
Token: SeCreateGlobalPrivilege	4116	winupdate.exe
Token: 33	4116	winupdate.exe
Token: 34	4116	winupdate.exe
Token: 35	4116	winupdate.exe
Token: 36	4116	winupdate.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

winupdate.exe

pid process

4116 winupdate.exe

pid	process
4116	winupdate.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

15e79e75f052a82d3e1a2cd88028596f_JaffaCakes118.exewinlogon.exeephir.execmd.execmd.exe

description	pid	process	target process
PID 4672 wrote to memory of 4868	4672	15e79e75f052a82d3e1a2cd88028596f_JaffaCakes118.exe	winlogon.exe
PID 4672 wrote to memory of 4868	4672	15e79e75f052a82d3e1a2cd88028596f_JaffaCakes118.exe	winlogon.exe
PID 4672 wrote to memory of 4868	4672	15e79e75f052a82d3e1a2cd88028596f_JaffaCakes118.exe	winlogon.exe
PID 4672 wrote to memory of 4868	4672	15e79e75f052a82d3e1a2cd88028596f_JaffaCakes118.exe	winlogon.exe
PID 4672 wrote to memory of 4868	4672	15e79e75f052a82d3e1a2cd88028596f_JaffaCakes118.exe	winlogon.exe
PID 4672 wrote to memory of 4868	4672	15e79e75f052a82d3e1a2cd88028596f_JaffaCakes118.exe	winlogon.exe
PID 4672 wrote to memory of 4868	4672	15e79e75f052a82d3e1a2cd88028596f_JaffaCakes118.exe	winlogon.exe
PID 4672 wrote to memory of 4868	4672	15e79e75f052a82d3e1a2cd88028596f_JaffaCakes118.exe	winlogon.exe
PID 4672 wrote to memory of 4868	4672	15e79e75f052a82d3e1a2cd88028596f_JaffaCakes118.exe	winlogon.exe
PID 4672 wrote to memory of 4868	4672	15e79e75f052a82d3e1a2cd88028596f_JaffaCakes118.exe	winlogon.exe
PID 4672 wrote to memory of 4868	4672	15e79e75f052a82d3e1a2cd88028596f_JaffaCakes118.exe	winlogon.exe
PID 4672 wrote to memory of 4868	4672	15e79e75f052a82d3e1a2cd88028596f_JaffaCakes118.exe	winlogon.exe
PID 4672 wrote to memory of 4868	4672	15e79e75f052a82d3e1a2cd88028596f_JaffaCakes118.exe	winlogon.exe
PID 4672 wrote to memory of 4868	4672	15e79e75f052a82d3e1a2cd88028596f_JaffaCakes118.exe	winlogon.exe
PID 4672 wrote to memory of 4868	4672	15e79e75f052a82d3e1a2cd88028596f_JaffaCakes118.exe	winlogon.exe
PID 4672 wrote to memory of 4868	4672	15e79e75f052a82d3e1a2cd88028596f_JaffaCakes118.exe	winlogon.exe
PID 4672 wrote to memory of 4868	4672	15e79e75f052a82d3e1a2cd88028596f_JaffaCakes118.exe	winlogon.exe
PID 4868 wrote to memory of 608	4868	winlogon.exe	ephir.exe
PID 4868 wrote to memory of 608	4868	winlogon.exe	ephir.exe
PID 4868 wrote to memory of 608	4868	winlogon.exe	ephir.exe
PID 608 wrote to memory of 3632	608	ephir.exe	cmd.exe
PID 608 wrote to memory of 3632	608	ephir.exe	cmd.exe
PID 608 wrote to memory of 3632	608	ephir.exe	cmd.exe
PID 3632 wrote to memory of 2880	3632	cmd.exe	attrib.exe
PID 3632 wrote to memory of 2880	3632	cmd.exe	attrib.exe
PID 3632 wrote to memory of 2880	3632	cmd.exe	attrib.exe
PID 608 wrote to memory of 4116	608	ephir.exe	winupdate.exe
PID 608 wrote to memory of 4116	608	ephir.exe	winupdate.exe
PID 608 wrote to memory of 4116	608	ephir.exe	winupdate.exe
PID 608 wrote to memory of 4676	608	ephir.exe	cmd.exe
PID 608 wrote to memory of 4676	608	ephir.exe	cmd.exe
PID 608 wrote to memory of 4676	608	ephir.exe	cmd.exe
PID 4676 wrote to memory of 4768	4676	cmd.exe	PING.EXE
PID 4676 wrote to memory of 4768	4676	cmd.exe	PING.EXE
PID 4676 wrote to memory of 4768	4676	cmd.exe	PING.EXE

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

2880 attrib.exe

pid	process
2880	attrib.exe

C:\Users\Admin\AppData\Local\Temp\15e79e75f052a82d3e1a2cd88028596f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\15e79e75f052a82d3e1a2cd88028596f_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4672

C:\ProgramData\winlogon.exe
C:\ProgramData\winlogon.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868

C:\Users\Admin\AppData\Local\Temp\ephir.exe
"C:\Users\Admin\AppData\Local\Temp\ephir.exe"
3⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:608

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\ephir.exe" +s +h
4⤵
- Suspicious use of WriteProcessMemory
PID:3632

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\ephir.exe" +s +h
5⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2880

C:\Windupdt\winupdate.exe
"C:\Windupdt\winupdate.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4116

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Users\Admin\AppData\Local\Temp\ephir.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:4676

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
5⤵
- Runs ping.exe
PID:4768

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\winlogon.exe
Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
C:\Users\Admin\AppData\Local\Temp\ephir.exe
Filesize
648KB

MD5
33c3c97354fadb72aeb3af19215a9c0b

SHA1
e0e388a7b42facdfd4bb5c6e7466f553575f3d43

SHA256
92d939bdbf1517dba637996aa25ab692f1c00b9465f19bb85ceaa09f5545352e

SHA512
33d4d18b1b206458f8acf09441ad263a2019639a2fac13acf4725a766335be2aa44c059abfcd10a8dd04f23a947f413f514920e8134d0087275a1779f06dca7e

Download Submit
memory/608-60-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/608-25-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/4116-67-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/4116-69-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/4116-74-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/4116-73-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/4116-72-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/4116-71-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/4116-70-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/4116-68-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/4116-61-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/4116-62-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/4116-63-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/4116-64-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/4116-65-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/4116-66-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/4672-0-0x0000000074922000-0x0000000074923000-memory.dmp

Filesize
4KB

Download
memory/4672-1-0x0000000074920000-0x0000000074ED1000-memory.dmp

Filesize
5.7MB

Download
memory/4672-2-0x0000000074920000-0x0000000074ED1000-memory.dmp

Filesize
5.7MB

Download
memory/4672-10-0x0000000074920000-0x0000000074ED1000-memory.dmp

Filesize
5.7MB

Download
memory/4868-8-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/4868-23-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/4868-6-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/4868-11-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download