darkcomet | 4bdabc229debcac7ba94f54ba39bdaee42dd04bd49cd8e49ca5768f031ed6400

Analysis

max time kernel
0s
max time network
124s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 23:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe
Size

1.2MB
MD5

1d02f8724176e55b98acd620ee83dc23
SHA1

c65d9e07b99c49c4ea24659ea601566de269de81
SHA256

4bdabc229debcac7ba94f54ba39bdaee42dd04bd49cd8e49ca5768f031ed6400
SHA512

6c615554cf26ff199150f82e2c4737502004f121436e921a0b23f88a7b39e0b47766927a91a55164f0842e698961fd71f2ecba08a57a4b3927489c1773810f94
SSDEEP

24576:8cllKsTzfp7HlSFyyKwPw+Oyqq7FHSJXqb4GpUc5gvr+tTZ+j:8CwPfOyZEJ6EGpU7r+dwj

Score

10^/10

darkcomet test evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

TEST

jamesonb.no-ip.biz:1604

Mutex

DC_MUTEX-9VHT05G

Attributes

gencode
K2ecZw3W5jbF
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

2568 attrib.exe
2544 attrib.exe
Executes dropped EXE 1 IoCs

Processes:

processname.exe

pid process

3020 processname.exe
Loads dropped DLL 2 IoCs

Processes:

1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe

pid process

2848 1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe
2848 1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe

pid	process
2568	attrib.exe
2544	attrib.exe

pid	process
3020	processname.exe

pid	process
2848	1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe
2848	1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Startup Name = "C:\\Users\\Admin\\AppData\\Roaming\\crypt.exe"	1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe

description pid process target process

PID 2848 set thread context of 3020 2848 1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe processname.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe

pid process

2848 1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe

description	pid	process	target process
PID 2848 set thread context of 3020	2848	1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe	processname.exe

pid	process
2848	1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exeprocessname.exe

description	pid	process
Token: SeDebugPrivilege	2848	1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	3020	processname.exe
Token: SeSecurityPrivilege	3020	processname.exe
Token: SeTakeOwnershipPrivilege	3020	processname.exe
Token: SeLoadDriverPrivilege	3020	processname.exe
Token: SeSystemProfilePrivilege	3020	processname.exe
Token: SeSystemtimePrivilege	3020	processname.exe
Token: SeProfSingleProcessPrivilege	3020	processname.exe
Token: SeIncBasePriorityPrivilege	3020	processname.exe
Token: SeCreatePagefilePrivilege	3020	processname.exe
Token: SeBackupPrivilege	3020	processname.exe
Token: SeRestorePrivilege	3020	processname.exe
Token: SeShutdownPrivilege	3020	processname.exe
Token: SeDebugPrivilege	3020	processname.exe
Token: SeSystemEnvironmentPrivilege	3020	processname.exe
Token: SeChangeNotifyPrivilege	3020	processname.exe
Token: SeRemoteShutdownPrivilege	3020	processname.exe
Token: SeUndockPrivilege	3020	processname.exe
Token: SeManageVolumePrivilege	3020	processname.exe
Token: SeImpersonatePrivilege	3020	processname.exe
Token: SeCreateGlobalPrivilege	3020	processname.exe
Token: 33	3020	processname.exe
Token: 34	3020	processname.exe
Token: 35	3020	processname.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

processname.exe

pid process

3020 processname.exe

pid	process
3020	processname.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exeprocessname.exe

description	pid	process	target process
PID 2848 wrote to memory of 3020	2848	1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe	processname.exe
PID 2848 wrote to memory of 3020	2848	1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe	processname.exe
PID 2848 wrote to memory of 3020	2848	1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe	processname.exe
PID 2848 wrote to memory of 3020	2848	1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe	processname.exe
PID 2848 wrote to memory of 3020	2848	1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe	processname.exe
PID 2848 wrote to memory of 3020	2848	1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe	processname.exe
PID 2848 wrote to memory of 3020	2848	1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe	processname.exe
PID 2848 wrote to memory of 3020	2848	1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe	processname.exe
PID 2848 wrote to memory of 3020	2848	1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe	processname.exe
PID 2848 wrote to memory of 3020	2848	1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe	processname.exe
PID 2848 wrote to memory of 3020	2848	1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe	processname.exe
PID 2848 wrote to memory of 3020	2848	1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe	processname.exe
PID 2848 wrote to memory of 3020	2848	1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe	processname.exe
PID 2848 wrote to memory of 3020	2848	1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe	processname.exe
PID 2848 wrote to memory of 3020	2848	1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe	processname.exe
PID 3020 wrote to memory of 2624	3020	processname.exe	cmd.exe
PID 3020 wrote to memory of 2624	3020	processname.exe	cmd.exe
PID 3020 wrote to memory of 2624	3020	processname.exe	cmd.exe
PID 3020 wrote to memory of 2624	3020	processname.exe	cmd.exe
PID 3020 wrote to memory of 2664	3020	processname.exe	cmd.exe
PID 3020 wrote to memory of 2664	3020	processname.exe	cmd.exe
PID 3020 wrote to memory of 2664	3020	processname.exe	cmd.exe
PID 3020 wrote to memory of 2664	3020	processname.exe	cmd.exe
PID 3020 wrote to memory of 2740	3020	processname.exe	notepad.exe
PID 3020 wrote to memory of 2740	3020	processname.exe	notepad.exe
PID 3020 wrote to memory of 2740	3020	processname.exe	notepad.exe
PID 3020 wrote to memory of 2740	3020	processname.exe	notepad.exe
PID 3020 wrote to memory of 2740	3020	processname.exe	notepad.exe
PID 3020 wrote to memory of 2740	3020	processname.exe	notepad.exe
PID 3020 wrote to memory of 2740	3020	processname.exe	notepad.exe
PID 3020 wrote to memory of 2740	3020	processname.exe	notepad.exe
PID 3020 wrote to memory of 2740	3020	processname.exe	notepad.exe
PID 3020 wrote to memory of 2740	3020	processname.exe	notepad.exe
PID 3020 wrote to memory of 2740	3020	processname.exe	notepad.exe
PID 3020 wrote to memory of 2740	3020	processname.exe	notepad.exe
PID 3020 wrote to memory of 2740	3020	processname.exe	notepad.exe
PID 3020 wrote to memory of 2740	3020	processname.exe	notepad.exe
PID 3020 wrote to memory of 2740	3020	processname.exe	notepad.exe
PID 3020 wrote to memory of 2740	3020	processname.exe	notepad.exe
PID 3020 wrote to memory of 2740	3020	processname.exe	notepad.exe
PID 3020 wrote to memory of 2740	3020	processname.exe	notepad.exe
PID 3020 wrote to memory of 2740	3020	processname.exe	notepad.exe
PID 3020 wrote to memory of 2740	3020	processname.exe	notepad.exe
PID 3020 wrote to memory of 2740	3020	processname.exe	notepad.exe
PID 3020 wrote to memory of 2740	3020	processname.exe	notepad.exe
PID 3020 wrote to memory of 2740	3020	processname.exe	notepad.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

2568 attrib.exe
2544 attrib.exe

pid	process
2568	attrib.exe
2544	attrib.exe

C:\Users\Admin\AppData\Local\Temp\1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848

C:\Users\Admin\AppData\Roaming\processname.exe
C:\Users\Admin\AppData\Roaming\processname.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3020

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\processname.exe" +s +h
3⤵
PID:2624

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\processname.exe" +s +h
4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2544

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming" +s +h
3⤵
PID:2664

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming" +s +h
4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2568

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
PID:2740

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\processname.exe
Filesize
1KB

MD5
103c865cdd27ea254b0650f19cbfdf49

SHA1
5e1be8e7a2920812f5dbcfae672f448ca55949b8

SHA256
f067fa96d40bcdb07f2465867fa9000273ef9bdefabdaf6c2387401ae915beac

SHA512
d1a1bd4df7eb70230c71845b9fce20215dcf430e5d8295a3bf133e5b61edeef81914f89c6b3c408897a03ad555ae889b55988e8b6b54e267b792e0d2fe8d7189

Download Submit
memory/2740-18-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2740-56-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2848-60-0x0000000074D70000-0x000000007531B000-memory.dmp

Filesize
5.7MB

Download
memory/2848-2-0x0000000074D70000-0x000000007531B000-memory.dmp

Filesize
5.7MB

Download
memory/2848-0-0x0000000074D71000-0x0000000074D72000-memory.dmp

Filesize
4KB

Download
memory/2848-1-0x0000000074D70000-0x000000007531B000-memory.dmp

Filesize
5.7MB

Download
memory/3020-62-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3020-64-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3020-58-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3020-57-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3020-15-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3020-17-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3020-13-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3020-16-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3020-61-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3020-14-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3020-63-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3020-11-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3020-65-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3020-66-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3020-67-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3020-68-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3020-69-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3020-70-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3020-71-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3020-72-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3020-73-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3020-74-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download