darkcomet | 09da8c179c90ad0b2f8813465e2c17154b08be99f31601591adb68b54acaa014

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 05:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Size

650KB
MD5

18fb8efcf5d20eee45ac7b65d4adcba8
SHA1

0e9e982364df02f61ae38598b9bae7fdf88cedce
SHA256

09da8c179c90ad0b2f8813465e2c17154b08be99f31601591adb68b54acaa014
SHA512

a07d98e70d50371c7ffb4e313a0e5985757cbe7a98f5db511c356ef577f49682236180ee394feb5844b26b551ce9b79b7eda15d1265a0ee33671936e8364611b
SSDEEP

12288:Lk0QVlhmPojAPTMEsUTg0oChO/Q2JbsbjPbN5qhRTtYe3f+Iw86k/9/+5:g0QRWoJEfg0oChGdJQbjPbNW5tYeP+GI

Score

10^/10

darkcomet trojan -anto persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Trojan -Anto

79.44.153.226:1604

192.168.1.12:1604

127.0.0.1:1604

pazzo90.no-ip.org:1604

Mutex

DC_MUTEX-1ZU7GL5

Attributes

InstallPath
Microsoft.exe
gencode
fcbHLDnEBLN6
install
true
offline_keylogger
true
persistence
true
reg_key
cvhost

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft.exe"	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation 18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Executes dropped EXE 1 IoCs

Processes:

Microsoft.exe

pid process

4364 Microsoft.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe

pid	process
4364	Microsoft.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exeMicrosoft.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cvhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft.exe"	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cvhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft.exe"	Microsoft.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3304 PING.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe

pid	process
3304	PING.EXE

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exeMicrosoft.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2948	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Token: SeSecurityPrivilege	2948	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2948	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2948	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2948	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2948	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2948	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2948	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2948	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Token: SeBackupPrivilege	2948	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Token: SeRestorePrivilege	2948	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Token: SeShutdownPrivilege	2948	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Token: SeDebugPrivilege	2948	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2948	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2948	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2948	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Token: SeUndockPrivilege	2948	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2948	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2948	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2948	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Token: 33	2948	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Token: 34	2948	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Token: 35	2948	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Token: 36	2948	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	4364	Microsoft.exe
Token: SeSecurityPrivilege	4364	Microsoft.exe
Token: SeTakeOwnershipPrivilege	4364	Microsoft.exe
Token: SeLoadDriverPrivilege	4364	Microsoft.exe
Token: SeSystemProfilePrivilege	4364	Microsoft.exe
Token: SeSystemtimePrivilege	4364	Microsoft.exe
Token: SeProfSingleProcessPrivilege	4364	Microsoft.exe
Token: SeIncBasePriorityPrivilege	4364	Microsoft.exe
Token: SeCreatePagefilePrivilege	4364	Microsoft.exe
Token: SeBackupPrivilege	4364	Microsoft.exe
Token: SeRestorePrivilege	4364	Microsoft.exe
Token: SeShutdownPrivilege	4364	Microsoft.exe
Token: SeDebugPrivilege	4364	Microsoft.exe
Token: SeSystemEnvironmentPrivilege	4364	Microsoft.exe
Token: SeChangeNotifyPrivilege	4364	Microsoft.exe
Token: SeRemoteShutdownPrivilege	4364	Microsoft.exe
Token: SeUndockPrivilege	4364	Microsoft.exe
Token: SeManageVolumePrivilege	4364	Microsoft.exe
Token: SeImpersonatePrivilege	4364	Microsoft.exe
Token: SeCreateGlobalPrivilege	4364	Microsoft.exe
Token: 33	4364	Microsoft.exe
Token: 34	4364	Microsoft.exe
Token: 35	4364	Microsoft.exe
Token: 36	4364	Microsoft.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Microsoft.exe

pid process

4364 Microsoft.exe

pid	process
4364	Microsoft.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.execmd.exe

description	pid	process	target process
PID 2948 wrote to memory of 1324	2948	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe	cmd.exe
PID 2948 wrote to memory of 1324	2948	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe	cmd.exe
PID 2948 wrote to memory of 1324	2948	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe	cmd.exe
PID 1324 wrote to memory of 3304	1324	cmd.exe	PING.EXE
PID 1324 wrote to memory of 3304	1324	cmd.exe	PING.EXE
PID 1324 wrote to memory of 3304	1324	cmd.exe	PING.EXE
PID 2948 wrote to memory of 4364	2948	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe	Microsoft.exe
PID 2948 wrote to memory of 4364	2948	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe	Microsoft.exe
PID 2948 wrote to memory of 4364	2948	18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe	Microsoft.exe

C:\Users\Admin\AppData\Local\Temp\18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2948

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Local\Temp\18fb8efcf5d20eee45ac7b65d4adcba8_JaffaCakes118.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
3⤵
- Runs ping.exe
PID:3304

C:\Users\Admin\AppData\Roaming\Microsoft.exe
"C:\Users\Admin\AppData\Roaming\Microsoft.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4364

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft.exe
Filesize
650KB

MD5
18fb8efcf5d20eee45ac7b65d4adcba8

SHA1
0e9e982364df02f61ae38598b9bae7fdf88cedce

SHA256
09da8c179c90ad0b2f8813465e2c17154b08be99f31601591adb68b54acaa014

SHA512
a07d98e70d50371c7ffb4e313a0e5985757cbe7a98f5db511c356ef577f49682236180ee394feb5844b26b551ce9b79b7eda15d1265a0ee33671936e8364611b

Download Submit
memory/2948-0-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/2948-62-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4364-63-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/4364-64-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4364-65-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4364-66-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4364-68-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4364-70-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4364-75-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download