darkcomet | bdd3d2eb31328c3e93623405e820a51b154954ab26008a10072960a99b204e2e

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 04:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Size

750KB
MD5

18d46ddaa7b3c6afae42058a273789ce
SHA1

62da1f56cf1792ffc096e56eba14151a274320cc
SHA256

bdd3d2eb31328c3e93623405e820a51b154954ab26008a10072960a99b204e2e
SHA512

ffd39b63ef234314db54e5e1b12aed7bedf661d1e66d3e6ea5c21ceef4b7a176b61131f566e5dfba304da8dd3db8852396d7bbe7f8320bbef0150250ca3c1e75
SSDEEP

12288:kk0QVlhmPojAPTMEsUTg0oChO/Q2JbsbjPbN5qhRTtYe3f+Iw86k/9/+4:V0QRWoJEfg0oChGdJQbjPbNW5tYeP+GL

Score

10^/10

darkcomet guest16 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

remila.no-ip.biz:1604

Mutex

DC_MUTEX-20J85XY

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
NoNpEFiHHBFZ
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation 18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Executes dropped EXE 1 IoCs

Processes:

msdcsc.exe

pid process

2064 msdcsc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe

pid	process
2064	msdcsc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exemsdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3664 PING.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe

pid	process
3664	PING.EXE

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exemsdcsc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4708	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Token: SeSecurityPrivilege	4708	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	4708	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	4708	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	4708	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Token: SeSystemtimePrivilege	4708	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	4708	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4708	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	4708	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Token: SeBackupPrivilege	4708	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Token: SeRestorePrivilege	4708	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Token: SeShutdownPrivilege	4708	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Token: SeDebugPrivilege	4708	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	4708	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	4708	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	4708	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Token: SeUndockPrivilege	4708	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Token: SeManageVolumePrivilege	4708	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Token: SeImpersonatePrivilege	4708	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	4708	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Token: 33	4708	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Token: 34	4708	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Token: 35	4708	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Token: 36	4708	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2064	msdcsc.exe
Token: SeSecurityPrivilege	2064	msdcsc.exe
Token: SeTakeOwnershipPrivilege	2064	msdcsc.exe
Token: SeLoadDriverPrivilege	2064	msdcsc.exe
Token: SeSystemProfilePrivilege	2064	msdcsc.exe
Token: SeSystemtimePrivilege	2064	msdcsc.exe
Token: SeProfSingleProcessPrivilege	2064	msdcsc.exe
Token: SeIncBasePriorityPrivilege	2064	msdcsc.exe
Token: SeCreatePagefilePrivilege	2064	msdcsc.exe
Token: SeBackupPrivilege	2064	msdcsc.exe
Token: SeRestorePrivilege	2064	msdcsc.exe
Token: SeShutdownPrivilege	2064	msdcsc.exe
Token: SeDebugPrivilege	2064	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	2064	msdcsc.exe
Token: SeChangeNotifyPrivilege	2064	msdcsc.exe
Token: SeRemoteShutdownPrivilege	2064	msdcsc.exe
Token: SeUndockPrivilege	2064	msdcsc.exe
Token: SeManageVolumePrivilege	2064	msdcsc.exe
Token: SeImpersonatePrivilege	2064	msdcsc.exe
Token: SeCreateGlobalPrivilege	2064	msdcsc.exe
Token: 33	2064	msdcsc.exe
Token: 34	2064	msdcsc.exe
Token: 35	2064	msdcsc.exe
Token: 36	2064	msdcsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

msdcsc.exe

pid process

2064 msdcsc.exe

pid	process
2064	msdcsc.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.execmd.exemsdcsc.exe

description	pid	process	target process
PID 4708 wrote to memory of 2764	4708	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe	cmd.exe
PID 4708 wrote to memory of 2764	4708	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe	cmd.exe
PID 4708 wrote to memory of 2764	4708	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe	cmd.exe
PID 2764 wrote to memory of 3664	2764	cmd.exe	PING.EXE
PID 2764 wrote to memory of 3664	2764	cmd.exe	PING.EXE
PID 2764 wrote to memory of 3664	2764	cmd.exe	PING.EXE
PID 4708 wrote to memory of 2064	4708	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe	msdcsc.exe
PID 4708 wrote to memory of 2064	4708	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe	msdcsc.exe
PID 4708 wrote to memory of 2064	4708	18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe	msdcsc.exe
PID 2064 wrote to memory of 4092	2064	msdcsc.exe	iexplore.exe
PID 2064 wrote to memory of 4092	2064	msdcsc.exe	iexplore.exe
PID 2064 wrote to memory of 4092	2064	msdcsc.exe	iexplore.exe
PID 2064 wrote to memory of 1140	2064	msdcsc.exe	explorer.exe
PID 2064 wrote to memory of 1140	2064	msdcsc.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4708

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Local\Temp\18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2764

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
3⤵
- Runs ping.exe
PID:3664

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2064

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
3⤵
PID:4092

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
3⤵
PID:1140

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
750KB

MD5
18d46ddaa7b3c6afae42058a273789ce

SHA1
62da1f56cf1792ffc096e56eba14151a274320cc

SHA256
bdd3d2eb31328c3e93623405e820a51b154954ab26008a10072960a99b204e2e

SHA512
ffd39b63ef234314db54e5e1b12aed7bedf661d1e66d3e6ea5c21ceef4b7a176b61131f566e5dfba304da8dd3db8852396d7bbe7f8320bbef0150250ca3c1e75

Download Submit
memory/2064-67-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2064-62-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/2064-69-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2064-70-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2064-64-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2064-65-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/2064-66-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2064-68-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2064-77-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2064-76-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2064-63-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2064-71-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2064-72-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2064-73-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2064-74-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2064-75-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4708-60-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4708-0-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download