darkcomet | 4adc579df51df125b1ccbfcd3b176e80498950f225428606faf1c2e8c1683b05

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 07:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
Size

1.0MB
MD5

19407e2acb87c1402f55b98f7c96651c
SHA1

c50cb8e2bfbb24780b7734f90e1d20c2ceeab37c
SHA256

4adc579df51df125b1ccbfcd3b176e80498950f225428606faf1c2e8c1683b05
SHA512

673a5e1e6520958d3650d1ff0fd5c88191ff1ae1591ee46f09e53d99a070a6831ccb1449a07fd2f79f62a3bc413902ce0d24910893bd10025160bd3f2526a0d5
SSDEEP

24576:ouC0kWBheio7m8nQEKKvBjVaLtVI4/rj:o90kWBhe37TVJBeH

Score

10^/10

darkcomet persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation 19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
Executes dropped EXE 2 IoCs

Processes:

svchost.exe.exesvchost.exe.exe

pid process

2964 svchost.exe.exe
1184 svchost.exe.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe

pid	process
2964	svchost.exe.exe
1184	svchost.exe.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Crack malware's bytes Pro.exe"	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Crack malware's bytes Pro.exe"	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe

description	pid	process	target process
PID 1352 set thread context of 2964	1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 4804 set thread context of 1184	4804	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe

pid	process
1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
4804	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
4804	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
4804	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
4804	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
4804	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
4804	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
4804	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
4804	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
4804	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
4804	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
4804	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
4804	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
4804	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
4804	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
4804	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
4804	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
4804	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
4804	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
4804	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
4804	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
4804	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
4804	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
4804	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
4804	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
4804	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
4804	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
4804	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
4804	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
4804	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
4804	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
4804	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

Processes:

19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exesvchost.exe.exe19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exesvchost.exe.exe

description	pid	process
Token: SeDebugPrivilege	1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2964	svchost.exe.exe
Token: SeSecurityPrivilege	2964	svchost.exe.exe
Token: SeTakeOwnershipPrivilege	2964	svchost.exe.exe
Token: SeLoadDriverPrivilege	2964	svchost.exe.exe
Token: SeSystemProfilePrivilege	2964	svchost.exe.exe
Token: SeSystemtimePrivilege	2964	svchost.exe.exe
Token: SeProfSingleProcessPrivilege	2964	svchost.exe.exe
Token: SeIncBasePriorityPrivilege	2964	svchost.exe.exe
Token: SeCreatePagefilePrivilege	2964	svchost.exe.exe
Token: SeBackupPrivilege	2964	svchost.exe.exe
Token: SeRestorePrivilege	2964	svchost.exe.exe
Token: SeShutdownPrivilege	2964	svchost.exe.exe
Token: SeDebugPrivilege	2964	svchost.exe.exe
Token: SeSystemEnvironmentPrivilege	2964	svchost.exe.exe
Token: SeChangeNotifyPrivilege	2964	svchost.exe.exe
Token: SeRemoteShutdownPrivilege	2964	svchost.exe.exe
Token: SeUndockPrivilege	2964	svchost.exe.exe
Token: SeManageVolumePrivilege	2964	svchost.exe.exe
Token: SeImpersonatePrivilege	2964	svchost.exe.exe
Token: SeCreateGlobalPrivilege	2964	svchost.exe.exe
Token: 33	2964	svchost.exe.exe
Token: 34	2964	svchost.exe.exe
Token: 35	2964	svchost.exe.exe
Token: 36	2964	svchost.exe.exe
Token: SeDebugPrivilege	4804	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	1184	svchost.exe.exe
Token: SeSecurityPrivilege	1184	svchost.exe.exe
Token: SeTakeOwnershipPrivilege	1184	svchost.exe.exe
Token: SeLoadDriverPrivilege	1184	svchost.exe.exe
Token: SeSystemProfilePrivilege	1184	svchost.exe.exe
Token: SeSystemtimePrivilege	1184	svchost.exe.exe
Token: SeProfSingleProcessPrivilege	1184	svchost.exe.exe
Token: SeIncBasePriorityPrivilege	1184	svchost.exe.exe
Token: SeCreatePagefilePrivilege	1184	svchost.exe.exe
Token: SeBackupPrivilege	1184	svchost.exe.exe
Token: SeRestorePrivilege	1184	svchost.exe.exe
Token: SeShutdownPrivilege	1184	svchost.exe.exe
Token: SeDebugPrivilege	1184	svchost.exe.exe
Token: SeSystemEnvironmentPrivilege	1184	svchost.exe.exe
Token: SeChangeNotifyPrivilege	1184	svchost.exe.exe
Token: SeRemoteShutdownPrivilege	1184	svchost.exe.exe
Token: SeUndockPrivilege	1184	svchost.exe.exe
Token: SeManageVolumePrivilege	1184	svchost.exe.exe
Token: SeImpersonatePrivilege	1184	svchost.exe.exe
Token: SeCreateGlobalPrivilege	1184	svchost.exe.exe
Token: 33	1184	svchost.exe.exe
Token: 34	1184	svchost.exe.exe
Token: 35	1184	svchost.exe.exe
Token: 36	1184	svchost.exe.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe.exe

pid process

2964 svchost.exe.exe

pid	process
2964	svchost.exe.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe

description	pid	process	target process
PID 1352 wrote to memory of 2964	1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 1352 wrote to memory of 2964	1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 1352 wrote to memory of 2964	1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 1352 wrote to memory of 2964	1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 1352 wrote to memory of 2964	1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 1352 wrote to memory of 2964	1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 1352 wrote to memory of 2964	1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 1352 wrote to memory of 2964	1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 1352 wrote to memory of 2964	1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 1352 wrote to memory of 2964	1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 1352 wrote to memory of 2964	1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 1352 wrote to memory of 2964	1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 1352 wrote to memory of 2964	1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 1352 wrote to memory of 2964	1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 1352 wrote to memory of 4804	1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
PID 1352 wrote to memory of 4804	1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
PID 1352 wrote to memory of 4804	1352	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
PID 4804 wrote to memory of 1184	4804	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 4804 wrote to memory of 1184	4804	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 4804 wrote to memory of 1184	4804	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 4804 wrote to memory of 1184	4804	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 4804 wrote to memory of 1184	4804	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 4804 wrote to memory of 1184	4804	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 4804 wrote to memory of 1184	4804	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 4804 wrote to memory of 1184	4804	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 4804 wrote to memory of 1184	4804	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 4804 wrote to memory of 1184	4804	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 4804 wrote to memory of 1184	4804	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 4804 wrote to memory of 1184	4804	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 4804 wrote to memory of 1184	4804	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe
PID 4804 wrote to memory of 1184	4804	19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe	svchost.exe.exe

C:\Users\Admin\AppData\Local\Temp\19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1352

C:\Users\Admin\AppData\Roaming\svchost.exe.exe
C:\Users\Admin\AppData\Roaming\svchost.exe.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2964

C:\Users\Admin\AppData\Local\Temp\19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\19407e2acb87c1402f55b98f7c96651c_JaffaCakes118.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4804

C:\Users\Admin\AppData\Roaming\svchost.exe.exe
C:\Users\Admin\AppData\Roaming\svchost.exe.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1184

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\svchost.exe.exe
Filesize
1KB

MD5
3d9bb6f53646c6a96df819bdb471796a

SHA1
46d2d340398594f5060373f81232b82211e32825

SHA256
c0657322afdac0df459f3bc233ecf362838774a116ff8d82846914925d246e83

SHA512
b6165a7be23878cf75a70745d87767041f5a413c2f27d51440974ef205e09e10789cdc540bb504cd4cb4b857ae7d16e935fce85f1a618dde8b1f44471b661873

Download Submit
memory/1184-25-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1184-24-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1352-0-0x00000000750D2000-0x00000000750D3000-memory.dmp

Filesize
4KB

Download
memory/1352-1-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/1352-2-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/1352-30-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/1352-29-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/1352-28-0x00000000750D2000-0x00000000750D3000-memory.dmp

Filesize
4KB

Download
memory/2964-10-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2964-16-0x0000000002190000-0x0000000002191000-memory.dmp

Filesize
4KB

Download
memory/2964-13-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2964-46-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2964-43-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2964-14-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2964-15-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2964-6-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2964-27-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2964-12-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2964-32-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2964-9-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2964-42-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4804-23-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/4804-34-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/4804-33-0x00000000750D2000-0x00000000750D3000-memory.dmp

Filesize
4KB

Download
memory/4804-31-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/4804-18-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/4804-17-0x00000000750D2000-0x00000000750D3000-memory.dmp

Filesize
4KB

Download