darkcomet | 8439f3656b12b448b15f43c7ea8a8871ea978aaa3f3140af622682d0ac06b8ce

Analysis

max time kernel
148s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2024 11:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
Size

616KB
MD5

15ce45fdf58db94c01d9379c4f0148f2
SHA1

74aa27d81f3a3d1cf544f6b2c6e8ea160654fac0
SHA256

8439f3656b12b448b15f43c7ea8a8871ea978aaa3f3140af622682d0ac06b8ce
SHA512

651fe20068e868a418cb64af078470be30017fa71d25bca9a1781511f2b135bc71a7ab4a71e7401e11fc20f536b8aecb982ff131f390ca0c135ac2f9336f346f
SSDEEP

12288:YePwlp7/N0+OLbetJZv5m0/VyVz9ZPYHm1GjD2JSmJVRC:fmS+OEZvMQAFAmMeJSmfw

Score

10^/10

darkcomet evasion rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies firewall policy service 3 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "1"	15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe

Disables Task Manager via registry modification
evasion
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate 15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier 15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe

pid process

2188 15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe

pid	process
2188	15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2188	15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
Token: SeSecurityPrivilege	2188	15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2188	15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2188	15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2188	15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2188	15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2188	15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2188	15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2188	15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
Token: SeBackupPrivilege	2188	15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
Token: SeRestorePrivilege	2188	15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
Token: SeShutdownPrivilege	2188	15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
Token: SeDebugPrivilege	2188	15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2188	15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2188	15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2188	15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
Token: SeUndockPrivilege	2188	15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2188	15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2188	15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2188	15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
Token: 33	2188	15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
Token: 34	2188	15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
Token: 35	2188	15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
Token: 36	2188	15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe"
1⤵
- Modifies firewall policy service
- Checks BIOS information in registry
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2188

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2188-0-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/2188-7-0x0000000077250000-0x0000000077340000-memory.dmp

Filesize
960KB

Download
memory/2188-9-0x0000000077250000-0x0000000077340000-memory.dmp

Filesize
960KB

Download
memory/2188-8-0x0000000077250000-0x0000000077340000-memory.dmp

Filesize
960KB

Download
memory/2188-6-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2188-2-0x00000000022D0000-0x00000000022E0000-memory.dmp

Filesize
64KB

Download
memory/2188-5-0x0000000077270000-0x0000000077271000-memory.dmp

Filesize
4KB

Download
memory/2188-4-0x0000000002330000-0x0000000002340000-memory.dmp

Filesize
64KB

Download
memory/2188-3-0x0000000077992000-0x0000000077993000-memory.dmp

Filesize
4KB

Download
memory/2188-1-0x00000000007B0000-0x00000000007FE000-memory.dmp

Filesize
312KB

Download
memory/2188-10-0x0000000077250000-0x0000000077340000-memory.dmp

Filesize
960KB

Download
memory/2188-12-0x0000000077250000-0x0000000077340000-memory.dmp

Filesize
960KB

Download
memory/2188-13-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2188-14-0x00000000007B0000-0x00000000007FE000-memory.dmp

Filesize
312KB

Download
memory/2188-15-0x0000000077250000-0x0000000077340000-memory.dmp

Filesize
960KB

Download
memory/2188-16-0x00000000022D0000-0x00000000022E0000-memory.dmp

Filesize
64KB

Download
memory/2188-17-0x0000000002330000-0x0000000002340000-memory.dmp

Filesize
64KB

Download
memory/2188-18-0x0000000077250000-0x0000000077340000-memory.dmp

Filesize
960KB

Download
memory/2188-20-0x0000000077250000-0x0000000077340000-memory.dmp

Filesize
960KB

Download
memory/2188-19-0x0000000077250000-0x0000000077340000-memory.dmp

Filesize
960KB

Download
memory/2188-21-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2188-22-0x0000000077250000-0x0000000077340000-memory.dmp

Filesize
960KB

Download
memory/2188-23-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2188-24-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2188-25-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2188-26-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2188-27-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2188-28-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2188-29-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2188-30-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2188-31-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2188-32-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2188-33-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2188-34-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download