darkcomet | 4adc579df51df125b1ccbfcd3b176e80498950f225428606faf1c2e8c1683b05

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 07:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
Size

1.0MB
MD5

19407e2acb87c1402f55b98f7c96651c
SHA1

c50cb8e2bfbb24780b7734f90e1d20c2ceeab37c
SHA256

4adc579df51df125b1ccbfcd3b176e80498950f225428606faf1c2e8c1683b05
SHA512

673a5e1e6520958d3650d1ff0fd5c88191ff1ae1591ee46f09e53d99a070a6831ccb1449a07fd2f79f62a3bc413902ce0d24910893bd10025160bd3f2526a0d5
SSDEEP

24576:ouC0kWBheio7m8nQEKKvBjVaLtVI4/rj:o90kWBhe37TVJBeH

Score

10^/10

darkcomet persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 2 IoCs

Processes:

svchost.exe.exesvchost.exe.exe

pid process

2324 svchost.exe.exe
2580 svchost.exe.exe

pid	process
2324	svchost.exe.exe
2580	svchost.exe.exe

Loads dropped DLL 4 IoCs

Processes:

19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe

pid	process
1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
3060	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
3060	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Crack malware's bytes Pro.exe"	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Crack malware's bytes Pro.exe"	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe

description	pid	process	target process
PID 1676 set thread context of 2324	1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 3060 set thread context of 2580	3060	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe

pid	process
1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
3060	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
3060	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
3060	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
3060	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
3060	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
3060	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
3060	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
3060	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
3060	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
3060	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
3060	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
3060	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
3060	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
3060	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
3060	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
3060	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
3060	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
3060	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
3060	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
3060	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
3060	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
3060	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
3060	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
3060	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
3060	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
3060	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
3060	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
3060	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
3060	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
3060	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
3060	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exesvchost.exe.exe19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exesvchost.exe.exe

description	pid	process
Token: SeDebugPrivilege	1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2324	svchost.exe.exe
Token: SeSecurityPrivilege	2324	svchost.exe.exe
Token: SeTakeOwnershipPrivilege	2324	svchost.exe.exe
Token: SeLoadDriverPrivilege	2324	svchost.exe.exe
Token: SeSystemProfilePrivilege	2324	svchost.exe.exe
Token: SeSystemtimePrivilege	2324	svchost.exe.exe
Token: SeProfSingleProcessPrivilege	2324	svchost.exe.exe
Token: SeIncBasePriorityPrivilege	2324	svchost.exe.exe
Token: SeCreatePagefilePrivilege	2324	svchost.exe.exe
Token: SeBackupPrivilege	2324	svchost.exe.exe
Token: SeRestorePrivilege	2324	svchost.exe.exe
Token: SeShutdownPrivilege	2324	svchost.exe.exe
Token: SeDebugPrivilege	2324	svchost.exe.exe
Token: SeSystemEnvironmentPrivilege	2324	svchost.exe.exe
Token: SeChangeNotifyPrivilege	2324	svchost.exe.exe
Token: SeRemoteShutdownPrivilege	2324	svchost.exe.exe
Token: SeUndockPrivilege	2324	svchost.exe.exe
Token: SeManageVolumePrivilege	2324	svchost.exe.exe
Token: SeImpersonatePrivilege	2324	svchost.exe.exe
Token: SeCreateGlobalPrivilege	2324	svchost.exe.exe
Token: 33	2324	svchost.exe.exe
Token: 34	2324	svchost.exe.exe
Token: 35	2324	svchost.exe.exe
Token: SeDebugPrivilege	3060	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2580	svchost.exe.exe
Token: SeSecurityPrivilege	2580	svchost.exe.exe
Token: SeTakeOwnershipPrivilege	2580	svchost.exe.exe
Token: SeLoadDriverPrivilege	2580	svchost.exe.exe
Token: SeSystemProfilePrivilege	2580	svchost.exe.exe
Token: SeSystemtimePrivilege	2580	svchost.exe.exe
Token: SeProfSingleProcessPrivilege	2580	svchost.exe.exe
Token: SeIncBasePriorityPrivilege	2580	svchost.exe.exe
Token: SeCreatePagefilePrivilege	2580	svchost.exe.exe
Token: SeBackupPrivilege	2580	svchost.exe.exe
Token: SeRestorePrivilege	2580	svchost.exe.exe
Token: SeShutdownPrivilege	2580	svchost.exe.exe
Token: SeDebugPrivilege	2580	svchost.exe.exe
Token: SeSystemEnvironmentPrivilege	2580	svchost.exe.exe
Token: SeChangeNotifyPrivilege	2580	svchost.exe.exe
Token: SeRemoteShutdownPrivilege	2580	svchost.exe.exe
Token: SeUndockPrivilege	2580	svchost.exe.exe
Token: SeManageVolumePrivilege	2580	svchost.exe.exe
Token: SeImpersonatePrivilege	2580	svchost.exe.exe
Token: SeCreateGlobalPrivilege	2580	svchost.exe.exe
Token: 33	2580	svchost.exe.exe
Token: 34	2580	svchost.exe.exe
Token: 35	2580	svchost.exe.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe.exe

pid process

2324 svchost.exe.exe

pid	process
2324	svchost.exe.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe

description	pid	process	target process
PID 1676 wrote to memory of 2324	1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 1676 wrote to memory of 2324	1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 1676 wrote to memory of 2324	1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 1676 wrote to memory of 2324	1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 1676 wrote to memory of 2324	1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 1676 wrote to memory of 2324	1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 1676 wrote to memory of 2324	1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 1676 wrote to memory of 2324	1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 1676 wrote to memory of 2324	1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 1676 wrote to memory of 2324	1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 1676 wrote to memory of 2324	1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 1676 wrote to memory of 2324	1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 1676 wrote to memory of 2324	1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 1676 wrote to memory of 2324	1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 1676 wrote to memory of 2324	1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 1676 wrote to memory of 3060	1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
PID 1676 wrote to memory of 3060	1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
PID 1676 wrote to memory of 3060	1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
PID 1676 wrote to memory of 3060	1676	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
PID 3060 wrote to memory of 2580	3060	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 3060 wrote to memory of 2580	3060	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 3060 wrote to memory of 2580	3060	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 3060 wrote to memory of 2580	3060	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 3060 wrote to memory of 2580	3060	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 3060 wrote to memory of 2580	3060	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 3060 wrote to memory of 2580	3060	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 3060 wrote to memory of 2580	3060	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 3060 wrote to memory of 2580	3060	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 3060 wrote to memory of 2580	3060	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 3060 wrote to memory of 2580	3060	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 3060 wrote to memory of 2580	3060	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 3060 wrote to memory of 2580	3060	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 3060 wrote to memory of 2580	3060	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 3060 wrote to memory of 2580	3060	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe

C:\Users\Admin\AppData\Local\Temp\19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676

C:\Users\Admin\AppData\Roaming\svchost.exe.exe
C:\Users\Admin\AppData\Roaming\svchost.exe.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2324

C:\Users\Admin\AppData\Local\Temp\19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060

C:\Users\Admin\AppData\Roaming\svchost.exe.exe
C:\Users\Admin\AppData\Roaming\svchost.exe.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2580

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\svchost.exe.exe
Filesize
1KB

MD5
3d9bb6f53646c6a96df819bdb471796a

SHA1
46d2d340398594f5060373f81232b82211e32825

SHA256
c0657322afdac0df459f3bc233ecf362838774a116ff8d82846914925d246e83

SHA512
b6165a7be23878cf75a70745d87767041f5a413c2f27d51440974ef205e09e10789cdc540bb504cd4cb4b857ae7d16e935fce85f1a618dde8b1f44471b661873

Download Submit
memory/1676-0-0x0000000074511000-0x0000000074512000-memory.dmp

Filesize
4KB

Download
memory/1676-1-0x0000000074510000-0x0000000074ABB000-memory.dmp

Filesize
5.7MB

Download
memory/1676-2-0x0000000074510000-0x0000000074ABB000-memory.dmp

Filesize
5.7MB

Download
memory/1676-29-0x0000000074510000-0x0000000074ABB000-memory.dmp

Filesize
5.7MB

Download
memory/2324-14-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2324-11-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2324-15-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2324-16-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2324-18-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2324-17-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2324-27-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2324-13-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2324-32-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2580-25-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download