darkcomet | f76c7db479887e9ed2185329fa5724f1dad254c88d3553f413dba0d2a920ad3c

Analysis

max time kernel
145s
max time network
149s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 13:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a43210f401834932b515731deb398f9_JaffaCakes118.exe
Size

1.1MB
MD5

1a43210f401834932b515731deb398f9
SHA1

22820a8fefa82a6a52004522027067c5a98457f7
SHA256

f76c7db479887e9ed2185329fa5724f1dad254c88d3553f413dba0d2a920ad3c
SHA512

9b6db7e0102d1aa526ab375edcdab0e4348f664e268b522f7d928ac70d1593e25784ea3dbfaeb08b893e7142657f29eaa6baa4980125cf08d20d0da4e8b4dbb1
SSDEEP

24576:UgjUgmqZ5n6tkjR26s2ZKTWm9cwfThY5HW5F2vvRef1taxih1oQ:ljU1q6ta2IWWmuMTeHW74vRm6Q

Score

10^/10

darkcomet persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

328.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	328.exe

Executes dropped EXE 2 IoCs

Processes:

328.exemsdcsc.exe

pid process

2944 328.exe
2920 msdcsc.exe
Loads dropped DLL 2 IoCs

Processes:

328.exe

pid process

2944 328.exe
2944 328.exe

pid	process
2944	328.exe
2920	msdcsc.exe

pid	process
2944	328.exe
2944	328.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

328.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	328.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

msdcsc.exe

description pid process target process

PID 2920 set thread context of 2484 2920 msdcsc.exe iexplore.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

2484 iexplore.exe

description	pid	process	target process
PID 2920 set thread context of 2484	2920	msdcsc.exe	iexplore.exe

pid	process
2484	iexplore.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

328.exemsdcsc.exeiexplore.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2944	328.exe
Token: SeSecurityPrivilege	2944	328.exe
Token: SeTakeOwnershipPrivilege	2944	328.exe
Token: SeLoadDriverPrivilege	2944	328.exe
Token: SeSystemProfilePrivilege	2944	328.exe
Token: SeSystemtimePrivilege	2944	328.exe
Token: SeProfSingleProcessPrivilege	2944	328.exe
Token: SeIncBasePriorityPrivilege	2944	328.exe
Token: SeCreatePagefilePrivilege	2944	328.exe
Token: SeBackupPrivilege	2944	328.exe
Token: SeRestorePrivilege	2944	328.exe
Token: SeShutdownPrivilege	2944	328.exe
Token: SeDebugPrivilege	2944	328.exe
Token: SeSystemEnvironmentPrivilege	2944	328.exe
Token: SeChangeNotifyPrivilege	2944	328.exe
Token: SeRemoteShutdownPrivilege	2944	328.exe
Token: SeUndockPrivilege	2944	328.exe
Token: SeManageVolumePrivilege	2944	328.exe
Token: SeImpersonatePrivilege	2944	328.exe
Token: SeCreateGlobalPrivilege	2944	328.exe
Token: 33	2944	328.exe
Token: 34	2944	328.exe
Token: 35	2944	328.exe
Token: SeIncreaseQuotaPrivilege	2920	msdcsc.exe
Token: SeSecurityPrivilege	2920	msdcsc.exe
Token: SeTakeOwnershipPrivilege	2920	msdcsc.exe
Token: SeLoadDriverPrivilege	2920	msdcsc.exe
Token: SeSystemProfilePrivilege	2920	msdcsc.exe
Token: SeSystemtimePrivilege	2920	msdcsc.exe
Token: SeProfSingleProcessPrivilege	2920	msdcsc.exe
Token: SeIncBasePriorityPrivilege	2920	msdcsc.exe
Token: SeCreatePagefilePrivilege	2920	msdcsc.exe
Token: SeBackupPrivilege	2920	msdcsc.exe
Token: SeRestorePrivilege	2920	msdcsc.exe
Token: SeShutdownPrivilege	2920	msdcsc.exe
Token: SeDebugPrivilege	2920	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	2920	msdcsc.exe
Token: SeChangeNotifyPrivilege	2920	msdcsc.exe
Token: SeRemoteShutdownPrivilege	2920	msdcsc.exe
Token: SeUndockPrivilege	2920	msdcsc.exe
Token: SeManageVolumePrivilege	2920	msdcsc.exe
Token: SeImpersonatePrivilege	2920	msdcsc.exe
Token: SeCreateGlobalPrivilege	2920	msdcsc.exe
Token: 33	2920	msdcsc.exe
Token: 34	2920	msdcsc.exe
Token: 35	2920	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	2484	iexplore.exe
Token: SeSecurityPrivilege	2484	iexplore.exe
Token: SeTakeOwnershipPrivilege	2484	iexplore.exe
Token: SeLoadDriverPrivilege	2484	iexplore.exe
Token: SeSystemProfilePrivilege	2484	iexplore.exe
Token: SeSystemtimePrivilege	2484	iexplore.exe
Token: SeProfSingleProcessPrivilege	2484	iexplore.exe
Token: SeIncBasePriorityPrivilege	2484	iexplore.exe
Token: SeCreatePagefilePrivilege	2484	iexplore.exe
Token: SeBackupPrivilege	2484	iexplore.exe
Token: SeRestorePrivilege	2484	iexplore.exe
Token: SeShutdownPrivilege	2484	iexplore.exe
Token: SeDebugPrivilege	2484	iexplore.exe
Token: SeSystemEnvironmentPrivilege	2484	iexplore.exe
Token: SeChangeNotifyPrivilege	2484	iexplore.exe
Token: SeRemoteShutdownPrivilege	2484	iexplore.exe
Token: SeUndockPrivilege	2484	iexplore.exe
Token: SeManageVolumePrivilege	2484	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

2672 DllHost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

iexplore.exe

pid process

2484 iexplore.exe

pid	process
2672	DllHost.exe

pid	process
2484	iexplore.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

1a43210f401834932b515731deb398f9_JaffaCakes118.exe328.exemsdcsc.exe

description	pid	process	target process
PID 2140 wrote to memory of 2944	2140	1a43210f401834932b515731deb398f9_JaffaCakes118.exe	328.exe
PID 2140 wrote to memory of 2944	2140	1a43210f401834932b515731deb398f9_JaffaCakes118.exe	328.exe
PID 2140 wrote to memory of 2944	2140	1a43210f401834932b515731deb398f9_JaffaCakes118.exe	328.exe
PID 2140 wrote to memory of 2944	2140	1a43210f401834932b515731deb398f9_JaffaCakes118.exe	328.exe
PID 2944 wrote to memory of 2920	2944	328.exe	msdcsc.exe
PID 2944 wrote to memory of 2920	2944	328.exe	msdcsc.exe
PID 2944 wrote to memory of 2920	2944	328.exe	msdcsc.exe
PID 2944 wrote to memory of 2920	2944	328.exe	msdcsc.exe
PID 2920 wrote to memory of 2484	2920	msdcsc.exe	iexplore.exe
PID 2920 wrote to memory of 2484	2920	msdcsc.exe	iexplore.exe
PID 2920 wrote to memory of 2484	2920	msdcsc.exe	iexplore.exe
PID 2920 wrote to memory of 2484	2920	msdcsc.exe	iexplore.exe
PID 2920 wrote to memory of 2484	2920	msdcsc.exe	iexplore.exe
PID 2920 wrote to memory of 2484	2920	msdcsc.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\1a43210f401834932b515731deb398f9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1a43210f401834932b515731deb398f9_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2140

C:\Users\Admin\AppData\Local\Temp\328.exe
C:\Users\Admin\AppData\Local\Temp\328.exe
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2944

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2920

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
4⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2484

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2672

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.JPG
Filesize
125KB

MD5
9272107027f941d9701157dc8cf40c3f

SHA1
c744f12fb5548b759e78288dbd4b62b3df612632

SHA256
4e6428dcd5cb61410ad161a409a8116a7dfb9faaa21e0014b50ff81797770a6a

SHA512
a390ec436ad653c2ed9b8cb056217a5a3db27b010102c2069a4afc3a99d825dbda92441276bdf80eab4a3906a54055208e4e110a19b5a475869c2200dfe3a72e

Download Submit
C:\Users\Admin\AppData\Local\Temp\328.exe
Filesize
848KB

MD5
c3117f0ae622f67dc68c178ae1663a8c

SHA1
7160e08fca4f08d426437589bc9ce571a575606b

SHA256
3e47503c31311544f1a78a19bae880909138eea6459a40532674bde19130c448

SHA512
2c32cfd7b4a7b2a3c525501bac302eab3b449a46c38b4dd658fb8281efbc8222fc8691911860a0a54cabbedb20f0ea027e6452d26ea6c5dc5ad9c720f2b9183c

Download Submit
memory/2140-4-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

Filesize
9.6MB

Download
memory/2140-0-0x000007FEF5A8E000-0x000007FEF5A8F000-memory.dmp

Filesize
4KB

Download
memory/2140-2-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

Filesize
9.6MB

Download
memory/2140-15-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

Filesize
9.6MB

Download
memory/2140-1-0x000000001B2E0000-0x000000001B51E000-memory.dmp

Filesize
2.2MB

Download
memory/2484-29-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2672-17-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/2920-30-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2944-10-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2944-16-0x00000000026A0000-0x00000000026A2000-memory.dmp

Filesize
8KB

Download
memory/2944-27-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download