darkcomet | 09da8c179c90ad0b2f8813465e2c17154b08be99f31601591adb68b54acaa014

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 05:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Size

650KB
MD5

18fb8efcf5d20eee45ac7b65d4adcba8
SHA1

0e9e982364df02f61ae38598b9bae7fdf88cedce
SHA256

09da8c179c90ad0b2f8813465e2c17154b08be99f31601591adb68b54acaa014
SHA512

a07d98e70d50371c7ffb4e313a0e5985757cbe7a98f5db511c356ef577f49682236180ee394feb5844b26b551ce9b79b7eda15d1265a0ee33671936e8364611b
SSDEEP

12288:Lk0QVlhmPojAPTMEsUTg0oChO/Q2JbsbjPbN5qhRTtYe3f+Iw86k/9/+5:g0QRWoJEfg0oChGdJQbjPbNW5tYeP+GI

Score

10^/10

darkcomet trojan -anto persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Trojan -Anto

79.44.153.226:1604

192.168.1.12:1604

127.0.0.1:1604

pazzo90.no-ip.org:1604

Mutex

DC_MUTEX-1ZU7GL5

Attributes

InstallPath
Microsoft.exe
gencode
fcbHLDnEBLN6
install
true
offline_keylogger
true
persistence
true
reg_key
cvhost

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft.exe"	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2124 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

Microsoft.exe

pid process

2784 Microsoft.exe
Loads dropped DLL 2 IoCs

Processes:

18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe

pid process

2200 18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
2200 18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe

pid	process
2124	cmd.exe

pid	process
2784	Microsoft.exe

pid	process
2200	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
2200	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exeMicrosoft.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft.exe"	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft.exe"	Microsoft.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2316 PING.EXE

pid	process
2316	PING.EXE

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exeMicrosoft.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2200	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Token: SeSecurityPrivilege	2200	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2200	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2200	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2200	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2200	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2200	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2200	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2200	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Token: SeBackupPrivilege	2200	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Token: SeRestorePrivilege	2200	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Token: SeShutdownPrivilege	2200	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Token: SeDebugPrivilege	2200	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2200	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2200	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2200	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Token: SeUndockPrivilege	2200	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2200	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2200	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2200	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Token: 33	2200	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Token: 34	2200	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Token: 35	2200	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2784	Microsoft.exe
Token: SeSecurityPrivilege	2784	Microsoft.exe
Token: SeTakeOwnershipPrivilege	2784	Microsoft.exe
Token: SeLoadDriverPrivilege	2784	Microsoft.exe
Token: SeSystemProfilePrivilege	2784	Microsoft.exe
Token: SeSystemtimePrivilege	2784	Microsoft.exe
Token: SeProfSingleProcessPrivilege	2784	Microsoft.exe
Token: SeIncBasePriorityPrivilege	2784	Microsoft.exe
Token: SeCreatePagefilePrivilege	2784	Microsoft.exe
Token: SeBackupPrivilege	2784	Microsoft.exe
Token: SeRestorePrivilege	2784	Microsoft.exe
Token: SeShutdownPrivilege	2784	Microsoft.exe
Token: SeDebugPrivilege	2784	Microsoft.exe
Token: SeSystemEnvironmentPrivilege	2784	Microsoft.exe
Token: SeChangeNotifyPrivilege	2784	Microsoft.exe
Token: SeRemoteShutdownPrivilege	2784	Microsoft.exe
Token: SeUndockPrivilege	2784	Microsoft.exe
Token: SeManageVolumePrivilege	2784	Microsoft.exe
Token: SeImpersonatePrivilege	2784	Microsoft.exe
Token: SeCreateGlobalPrivilege	2784	Microsoft.exe
Token: 33	2784	Microsoft.exe
Token: 34	2784	Microsoft.exe
Token: 35	2784	Microsoft.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Microsoft.exe

pid process

2784 Microsoft.exe

pid	process
2784	Microsoft.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.execmd.exe

description	pid	process	target process
PID 2200 wrote to memory of 2124	2200	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe	cmd.exe
PID 2200 wrote to memory of 2124	2200	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe	cmd.exe
PID 2200 wrote to memory of 2124	2200	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe	cmd.exe
PID 2200 wrote to memory of 2124	2200	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe	cmd.exe
PID 2124 wrote to memory of 2316	2124	cmd.exe	PING.EXE
PID 2124 wrote to memory of 2316	2124	cmd.exe	PING.EXE
PID 2124 wrote to memory of 2316	2124	cmd.exe	PING.EXE
PID 2124 wrote to memory of 2316	2124	cmd.exe	PING.EXE
PID 2200 wrote to memory of 2784	2200	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe	Microsoft.exe
PID 2200 wrote to memory of 2784	2200	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe	Microsoft.exe
PID 2200 wrote to memory of 2784	2200	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe	Microsoft.exe
PID 2200 wrote to memory of 2784	2200	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe	Microsoft.exe

C:\Users\Admin\AppData\Local\Temp\18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2200

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Local\Temp\18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2124

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
3⤵
- Runs ping.exe
PID:2316

C:\Users\Admin\AppData\Roaming\Microsoft.exe
"C:\Users\Admin\AppData\Roaming\Microsoft.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2784

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Microsoft.exe
Filesize
650KB

MD5
18fb8efcf5d20eee45ac7b65d4adcba8

SHA1
0e9e982364df02f61ae38598b9bae7fdf88cedce

SHA256
09da8c179c90ad0b2f8813465e2c17154b08be99f31601591adb68b54acaa014

SHA512
a07d98e70d50371c7ffb4e313a0e5985757cbe7a98f5db511c356ef577f49682236180ee394feb5844b26b551ce9b79b7eda15d1265a0ee33671936e8364611b

Download Submit
memory/2200-0-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2200-12-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2784-13-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2784-14-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2784-15-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2784-17-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2784-19-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2784-21-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2784-23-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2784-25-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download