darkcomet | 4bdabc229debcac7ba94f54ba39bdaee42dd04bd49cd8e49ca5768f031ed6400

Analysis

max time kernel
2s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 23:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe
Size

1.2MB
MD5

1d02f8724176e55b98acd620ee83dc23
SHA1

c65d9e07b99c49c4ea24659ea601566de269de81
SHA256

4bdabc229debcac7ba94f54ba39bdaee42dd04bd49cd8e49ca5768f031ed6400
SHA512

6c615554cf26ff199150f82e2c4737502004f121436e921a0b23f88a7b39e0b47766927a91a55164f0842e698961fd71f2ecba08a57a4b3927489c1773810f94
SSDEEP

24576:8cllKsTzfp7HlSFyyKwPw+Oyqq7FHSJXqb4GpUc5gvr+tTZ+j:8CwPfOyZEJ6EGpU7r+dwj

Score

10^/10

darkcomet test evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

TEST

jamesonb.no-ip.biz:1604

Mutex

DC_MUTEX-9VHT05G

Attributes

gencode
K2ecZw3W5jbF
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

1832 attrib.exe
3036 attrib.exe
Executes dropped EXE 1 IoCs

Processes:

processname.exe

pid process

2336 processname.exe

pid	process
1832	attrib.exe
3036	attrib.exe

pid	process
2336	processname.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Startup Name = "C:\\Users\\Admin\\AppData\\Roaming\\crypt.exe"	1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe

description pid process target process

PID 1644 set thread context of 2336 1644 1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe processname.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe

pid process

1644 1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe

description	pid	process	target process
PID 1644 set thread context of 2336	1644	1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe	processname.exe

pid	process
1644	1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exeprocessname.exe

description	pid	process
Token: SeDebugPrivilege	1644	1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2336	processname.exe
Token: SeSecurityPrivilege	2336	processname.exe
Token: SeTakeOwnershipPrivilege	2336	processname.exe
Token: SeLoadDriverPrivilege	2336	processname.exe
Token: SeSystemProfilePrivilege	2336	processname.exe
Token: SeSystemtimePrivilege	2336	processname.exe
Token: SeProfSingleProcessPrivilege	2336	processname.exe
Token: SeIncBasePriorityPrivilege	2336	processname.exe
Token: SeCreatePagefilePrivilege	2336	processname.exe
Token: SeBackupPrivilege	2336	processname.exe
Token: SeRestorePrivilege	2336	processname.exe
Token: SeShutdownPrivilege	2336	processname.exe
Token: SeDebugPrivilege	2336	processname.exe
Token: SeSystemEnvironmentPrivilege	2336	processname.exe
Token: SeChangeNotifyPrivilege	2336	processname.exe
Token: SeRemoteShutdownPrivilege	2336	processname.exe
Token: SeUndockPrivilege	2336	processname.exe
Token: SeManageVolumePrivilege	2336	processname.exe
Token: SeImpersonatePrivilege	2336	processname.exe
Token: SeCreateGlobalPrivilege	2336	processname.exe
Token: 33	2336	processname.exe
Token: 34	2336	processname.exe
Token: 35	2336	processname.exe
Token: 36	2336	processname.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe

description	pid	process	target process
PID 1644 wrote to memory of 2336	1644	1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe	processname.exe
PID 1644 wrote to memory of 2336	1644	1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe	processname.exe
PID 1644 wrote to memory of 2336	1644	1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe	processname.exe
PID 1644 wrote to memory of 2336	1644	1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe	processname.exe
PID 1644 wrote to memory of 2336	1644	1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe	processname.exe
PID 1644 wrote to memory of 2336	1644	1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe	processname.exe
PID 1644 wrote to memory of 2336	1644	1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe	processname.exe
PID 1644 wrote to memory of 2336	1644	1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe	processname.exe
PID 1644 wrote to memory of 2336	1644	1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe	processname.exe
PID 1644 wrote to memory of 2336	1644	1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe	processname.exe
PID 1644 wrote to memory of 2336	1644	1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe	processname.exe
PID 1644 wrote to memory of 2336	1644	1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe	processname.exe
PID 1644 wrote to memory of 2336	1644	1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe	processname.exe
PID 1644 wrote to memory of 2336	1644	1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe	processname.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

1832 attrib.exe
3036 attrib.exe

pid	process
1832	attrib.exe
3036	attrib.exe

C:\Users\Admin\AppData\Local\Temp\1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1d02f8724176e55b98acd620ee83dc23_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1644

C:\Users\Admin\AppData\Roaming\processname.exe
C:\Users\Admin\AppData\Roaming\processname.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2336

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\processname.exe" +s +h
3⤵
PID:1728

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\processname.exe" +s +h
4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1832

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming" +s +h
3⤵
PID:3824

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming" +s +h
4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3036

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
PID:2912

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\processname.exe
Filesize
1KB

MD5
103c865cdd27ea254b0650f19cbfdf49

SHA1
5e1be8e7a2920812f5dbcfae672f448ca55949b8

SHA256
f067fa96d40bcdb07f2465867fa9000273ef9bdefabdaf6c2387401ae915beac

SHA512
d1a1bd4df7eb70230c71845b9fce20215dcf430e5d8295a3bf133e5b61edeef81914f89c6b3c408897a03ad555ae889b55988e8b6b54e267b792e0d2fe8d7189

Download Submit
memory/1644-19-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/1644-1-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/1644-2-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/1644-0-0x0000000074892000-0x0000000074893000-memory.dmp

Filesize
4KB

Download
memory/2336-20-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2336-27-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2336-12-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2336-13-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/2336-17-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2336-16-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2336-33-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2336-14-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2336-6-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2336-9-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2336-21-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2336-22-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2336-23-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2336-24-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2336-25-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2336-26-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2336-10-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2336-28-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2336-29-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2336-30-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2336-31-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2336-32-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2912-15-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download