darkcomet | 139072b0c2ff16e30c9cebbe749f6bc195eae012372cc4ce4f85f4ff7281eba4

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 03:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
Size

948KB
MD5

18a2aa0f58307b422e8f9d630c3a8d2e
SHA1

9f302922070f05762ce6d9577f54e9430d58c00a
SHA256

139072b0c2ff16e30c9cebbe749f6bc195eae012372cc4ce4f85f4ff7281eba4
SHA512

7aea4c1e6c07565cfba83453b1da2c521b8ca45bb987d6d5caeb24d48865fd86c5452453d644fe67de2063196bba6131f7505df79e56e3ae5e71020244f44cc4
SSDEEP

24576:BdEEsNOHR6uztgWbL/VOt7GW36j0SG4GMeIUM7W3:rEEs8TJgWvVKGW6oSG4y46

Score

10^/10

darkcomet persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exeexplorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

Processes:

18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe

description pid process target process

PID 4160 set thread context of 2432 4160 18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe explorer.exe

description	pid	process	target process
PID 4160 set thread context of 2432	4160	18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe	explorer.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exeexplorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorer.exe18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe

Modifies registry class 4 IoCs

Processes:

18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jl1696517142v.tjk	18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\jl1696517142v.tjk\ = 9e380cc3ea991ac4df67b7c947eebe49c975080488eb026d	18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jl1696517142v.tjk	explorer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\jl1696517142v.tjk\ = 9e380cc3ea991ac4df67b7c947eebe49c975080488eb026d	explorer.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

ping.exe

pid process

3800 ping.exe

pid	process
3800	ping.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exeexplorer.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4160	18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
Token: SeSecurityPrivilege	4160	18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	4160	18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	4160	18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	4160	18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
Token: SeSystemtimePrivilege	4160	18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	4160	18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4160	18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	4160	18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
Token: SeBackupPrivilege	4160	18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
Token: SeRestorePrivilege	4160	18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
Token: SeShutdownPrivilege	4160	18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
Token: SeDebugPrivilege	4160	18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	4160	18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	4160	18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	4160	18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
Token: SeUndockPrivilege	4160	18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
Token: SeManageVolumePrivilege	4160	18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
Token: SeImpersonatePrivilege	4160	18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	4160	18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
Token: 33	4160	18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
Token: 34	4160	18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
Token: 35	4160	18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
Token: 36	4160	18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2432	explorer.exe
Token: SeSecurityPrivilege	2432	explorer.exe
Token: SeTakeOwnershipPrivilege	2432	explorer.exe
Token: SeLoadDriverPrivilege	2432	explorer.exe
Token: SeSystemProfilePrivilege	2432	explorer.exe
Token: SeSystemtimePrivilege	2432	explorer.exe
Token: SeProfSingleProcessPrivilege	2432	explorer.exe
Token: SeIncBasePriorityPrivilege	2432	explorer.exe
Token: SeCreatePagefilePrivilege	2432	explorer.exe
Token: SeBackupPrivilege	2432	explorer.exe
Token: SeRestorePrivilege	2432	explorer.exe
Token: SeShutdownPrivilege	2432	explorer.exe
Token: SeDebugPrivilege	2432	explorer.exe
Token: SeSystemEnvironmentPrivilege	2432	explorer.exe
Token: SeChangeNotifyPrivilege	2432	explorer.exe
Token: SeRemoteShutdownPrivilege	2432	explorer.exe
Token: SeUndockPrivilege	2432	explorer.exe
Token: SeManageVolumePrivilege	2432	explorer.exe
Token: SeImpersonatePrivilege	2432	explorer.exe
Token: SeCreateGlobalPrivilege	2432	explorer.exe
Token: 33	2432	explorer.exe
Token: 34	2432	explorer.exe
Token: 35	2432	explorer.exe
Token: 36	2432	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

explorer.exe

pid process

2432 explorer.exe

pid	process
2432	explorer.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe

description	pid	process	target process
PID 4160 wrote to memory of 2432	4160	18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe	explorer.exe
PID 4160 wrote to memory of 2432	4160	18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe	explorer.exe
PID 4160 wrote to memory of 2432	4160	18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe	explorer.exe
PID 4160 wrote to memory of 2432	4160	18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe	explorer.exe
PID 4160 wrote to memory of 2432	4160	18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe	explorer.exe
PID 4160 wrote to memory of 3800	4160	18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe	ping.exe
PID 4160 wrote to memory of 3800	4160	18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe	ping.exe
PID 4160 wrote to memory of 3800	4160	18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe	ping.exe

C:\Users\Admin\AppData\Local\Temp\18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4160

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
- Checks BIOS information in registry
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2432

C:\Windows\SysWOW64\ping.exe
ping 127.0.0.1 -n 5 > NUL del "C:\Users\Admin\AppData\Local\Temp\18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe"
2⤵
- Runs ping.exe
PID:3800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4080 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
1⤵
PID:2800

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2432-17-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/2432-12-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/2432-25-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/2432-10-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/2432-19-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/2432-14-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/2432-24-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/2432-22-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/2432-23-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/2432-21-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/2432-18-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/2432-20-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/4160-16-0x0000000000401000-0x00000000004C6000-memory.dmp

Filesize
788KB

Download
memory/4160-3-0x0000000000401000-0x00000000004C6000-memory.dmp

Filesize
788KB

Download
memory/4160-4-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/4160-15-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/4160-0-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download