darkcomet | bdd3d2eb31328c3e93623405e820a51b154954ab26008a10072960a99b204e2e

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 04:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Size

750KB
MD5

18d46ddaa7b3c6afae42058a273789ce
SHA1

62da1f56cf1792ffc096e56eba14151a274320cc
SHA256

bdd3d2eb31328c3e93623405e820a51b154954ab26008a10072960a99b204e2e
SHA512

ffd39b63ef234314db54e5e1b12aed7bedf661d1e66d3e6ea5c21ceef4b7a176b61131f566e5dfba304da8dd3db8852396d7bbe7f8320bbef0150250ca3c1e75
SSDEEP

12288:kk0QVlhmPojAPTMEsUTg0oChO/Q2JbsbjPbN5qhRTtYe3f+Iw86k/9/+4:V0QRWoJEfg0oChGdJQbjPbNW5tYeP+GL

Score

10^/10

darkcomet guest16 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

remila.no-ip.biz:1604

Mutex

DC_MUTEX-20J85XY

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
NoNpEFiHHBFZ
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1836 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

msdcsc.exe

pid process

2188 msdcsc.exe
Loads dropped DLL 2 IoCs

Processes:

18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe

pid process

2184 18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
2184 18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe

pid	process
1836	cmd.exe

pid	process
2188	msdcsc.exe

pid	process
2184	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
2184	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exemsdcsc.exeiexplore.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	iexplore.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

msdcsc.exe

description pid process target process

PID 2188 set thread context of 2732 2188 msdcsc.exe iexplore.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2700 PING.EXE

description	pid	process	target process
PID 2188 set thread context of 2732	2188	msdcsc.exe	iexplore.exe

pid	process
2700	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exemsdcsc.exeiexplore.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2184	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Token: SeSecurityPrivilege	2184	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2184	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2184	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2184	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2184	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2184	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2184	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2184	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Token: SeBackupPrivilege	2184	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Token: SeRestorePrivilege	2184	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Token: SeShutdownPrivilege	2184	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Token: SeDebugPrivilege	2184	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2184	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2184	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2184	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Token: SeUndockPrivilege	2184	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2184	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2184	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2184	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Token: 33	2184	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Token: 34	2184	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Token: 35	2184	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2188	msdcsc.exe
Token: SeSecurityPrivilege	2188	msdcsc.exe
Token: SeTakeOwnershipPrivilege	2188	msdcsc.exe
Token: SeLoadDriverPrivilege	2188	msdcsc.exe
Token: SeSystemProfilePrivilege	2188	msdcsc.exe
Token: SeSystemtimePrivilege	2188	msdcsc.exe
Token: SeProfSingleProcessPrivilege	2188	msdcsc.exe
Token: SeIncBasePriorityPrivilege	2188	msdcsc.exe
Token: SeCreatePagefilePrivilege	2188	msdcsc.exe
Token: SeBackupPrivilege	2188	msdcsc.exe
Token: SeRestorePrivilege	2188	msdcsc.exe
Token: SeShutdownPrivilege	2188	msdcsc.exe
Token: SeDebugPrivilege	2188	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	2188	msdcsc.exe
Token: SeChangeNotifyPrivilege	2188	msdcsc.exe
Token: SeRemoteShutdownPrivilege	2188	msdcsc.exe
Token: SeUndockPrivilege	2188	msdcsc.exe
Token: SeManageVolumePrivilege	2188	msdcsc.exe
Token: SeImpersonatePrivilege	2188	msdcsc.exe
Token: SeCreateGlobalPrivilege	2188	msdcsc.exe
Token: 33	2188	msdcsc.exe
Token: 34	2188	msdcsc.exe
Token: 35	2188	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	2732	iexplore.exe
Token: SeSecurityPrivilege	2732	iexplore.exe
Token: SeTakeOwnershipPrivilege	2732	iexplore.exe
Token: SeLoadDriverPrivilege	2732	iexplore.exe
Token: SeSystemProfilePrivilege	2732	iexplore.exe
Token: SeSystemtimePrivilege	2732	iexplore.exe
Token: SeProfSingleProcessPrivilege	2732	iexplore.exe
Token: SeIncBasePriorityPrivilege	2732	iexplore.exe
Token: SeCreatePagefilePrivilege	2732	iexplore.exe
Token: SeBackupPrivilege	2732	iexplore.exe
Token: SeRestorePrivilege	2732	iexplore.exe
Token: SeShutdownPrivilege	2732	iexplore.exe
Token: SeDebugPrivilege	2732	iexplore.exe
Token: SeSystemEnvironmentPrivilege	2732	iexplore.exe
Token: SeChangeNotifyPrivilege	2732	iexplore.exe
Token: SeRemoteShutdownPrivilege	2732	iexplore.exe
Token: SeUndockPrivilege	2732	iexplore.exe
Token: SeManageVolumePrivilege	2732	iexplore.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

iexplore.exe

pid process

2732 iexplore.exe

pid	process
2732	iexplore.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.execmd.exemsdcsc.exe

description	pid	process	target process
PID 2184 wrote to memory of 1836	2184	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe	cmd.exe
PID 2184 wrote to memory of 1836	2184	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe	cmd.exe
PID 2184 wrote to memory of 1836	2184	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe	cmd.exe
PID 2184 wrote to memory of 1836	2184	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe	cmd.exe
PID 1836 wrote to memory of 2700	1836	cmd.exe	PING.EXE
PID 1836 wrote to memory of 2700	1836	cmd.exe	PING.EXE
PID 1836 wrote to memory of 2700	1836	cmd.exe	PING.EXE
PID 1836 wrote to memory of 2700	1836	cmd.exe	PING.EXE
PID 2184 wrote to memory of 2188	2184	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe	msdcsc.exe
PID 2184 wrote to memory of 2188	2184	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe	msdcsc.exe
PID 2184 wrote to memory of 2188	2184	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe	msdcsc.exe
PID 2184 wrote to memory of 2188	2184	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe	msdcsc.exe
PID 2188 wrote to memory of 2732	2188	msdcsc.exe	iexplore.exe
PID 2188 wrote to memory of 2732	2188	msdcsc.exe	iexplore.exe
PID 2188 wrote to memory of 2732	2188	msdcsc.exe	iexplore.exe
PID 2188 wrote to memory of 2732	2188	msdcsc.exe	iexplore.exe
PID 2188 wrote to memory of 2732	2188	msdcsc.exe	iexplore.exe
PID 2188 wrote to memory of 2732	2188	msdcsc.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Local\Temp\18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
3⤵
- Runs ping.exe
PID:2700

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
3⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2732

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
750KB

MD5
18d46ddaa7b3c6afae42058a273789ce

SHA1
62da1f56cf1792ffc096e56eba14151a274320cc

SHA256
bdd3d2eb31328c3e93623405e820a51b154954ab26008a10072960a99b204e2e

SHA512
ffd39b63ef234314db54e5e1b12aed7bedf661d1e66d3e6ea5c21ceef4b7a176b61131f566e5dfba304da8dd3db8852396d7bbe7f8320bbef0150250ca3c1e75

Download Submit
memory/2184-0-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2184-11-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2188-14-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2732-13-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download