darkcomet | e41162a023fe7e4e3a764c2e8595f9b3c1a019a87e84410b6104b9971d45c565

Analysis

max time kernel
141s
max time network
119s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bb0e36a487c3ae5f9507ea0285d6416_JaffaCakes118.exe
Size

2.0MB
MD5

1bb0e36a487c3ae5f9507ea0285d6416
SHA1

0255931a7006c73090d98d7e1ed0e296a55454d1
SHA256

e41162a023fe7e4e3a764c2e8595f9b3c1a019a87e84410b6104b9971d45c565
SHA512

c433389874b17002fd60f03da0b9f91d3ca421f091f8139d045bc04c01e46be387542798bdb79045b762f87d252c82333d0c5b739c98898d39d7f7b32997c07b
SSDEEP

24576:fv5rzBjpZ9STx44vIXnd7s6WSu0H8O57HJ:ZQIXnx/cO

Score

10^/10

darkcomet persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

528.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	528.exe

Drops file in Drivers directory 1 IoCs

Processes:

528.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts 528.exe
Executes dropped EXE 2 IoCs

Processes:

528.exe528.exe

pid process

892 528.exe
2104 528.exe
Loads dropped DLL 11 IoCs

Processes:

528.exeWerFault.exeWerFault.exe

pid process

892 528.exe
2780 WerFault.exe
2780 WerFault.exe
2780 WerFault.exe
2780 WerFault.exe
2780 WerFault.exe
2968 WerFault.exe
2968 WerFault.exe
2968 WerFault.exe
2968 WerFault.exe
2968 WerFault.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	528.exe

pid	process
892	528.exe
2104	528.exe

pid	process
892	528.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2968	WerFault.exe
2968	WerFault.exe
2968	WerFault.exe
2968	WerFault.exe
2968	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

528.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	528.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

528.exe

description pid process target process

PID 892 set thread context of 2104 892 528.exe 528.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2780 892 WerFault.exe 528.exe
2968 2104 WerFault.exe 528.exe

description	pid	process	target process
PID 892 set thread context of 2104	892	528.exe	528.exe

pid	pid_target	process	target process
2780	892	WerFault.exe	528.exe
2968	2104	WerFault.exe	528.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

528.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2104	528.exe
Token: SeSecurityPrivilege	2104	528.exe
Token: SeTakeOwnershipPrivilege	2104	528.exe
Token: SeLoadDriverPrivilege	2104	528.exe
Token: SeSystemProfilePrivilege	2104	528.exe
Token: SeSystemtimePrivilege	2104	528.exe
Token: SeProfSingleProcessPrivilege	2104	528.exe
Token: SeIncBasePriorityPrivilege	2104	528.exe
Token: SeCreatePagefilePrivilege	2104	528.exe
Token: SeBackupPrivilege	2104	528.exe
Token: SeRestorePrivilege	2104	528.exe
Token: SeShutdownPrivilege	2104	528.exe
Token: SeDebugPrivilege	2104	528.exe
Token: SeSystemEnvironmentPrivilege	2104	528.exe
Token: SeChangeNotifyPrivilege	2104	528.exe
Token: SeRemoteShutdownPrivilege	2104	528.exe
Token: SeUndockPrivilege	2104	528.exe
Token: SeManageVolumePrivilege	2104	528.exe
Token: SeImpersonatePrivilege	2104	528.exe
Token: SeCreateGlobalPrivilege	2104	528.exe
Token: 33	2104	528.exe
Token: 34	2104	528.exe
Token: 35	2104	528.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

528.exe

pid process

892 528.exe

pid	process
892	528.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

1bb0e36a487c3ae5f9507ea0285d6416_JaffaCakes118.exe528.exe528.exe

description	pid	process	target process
PID 1748 wrote to memory of 892	1748	1bb0e36a487c3ae5f9507ea0285d6416_JaffaCakes118.exe	528.exe
PID 1748 wrote to memory of 892	1748	1bb0e36a487c3ae5f9507ea0285d6416_JaffaCakes118.exe	528.exe
PID 1748 wrote to memory of 892	1748	1bb0e36a487c3ae5f9507ea0285d6416_JaffaCakes118.exe	528.exe
PID 1748 wrote to memory of 892	1748	1bb0e36a487c3ae5f9507ea0285d6416_JaffaCakes118.exe	528.exe
PID 892 wrote to memory of 2104	892	528.exe	528.exe
PID 892 wrote to memory of 2104	892	528.exe	528.exe
PID 892 wrote to memory of 2104	892	528.exe	528.exe
PID 892 wrote to memory of 2104	892	528.exe	528.exe
PID 892 wrote to memory of 2104	892	528.exe	528.exe
PID 892 wrote to memory of 2104	892	528.exe	528.exe
PID 892 wrote to memory of 2104	892	528.exe	528.exe
PID 892 wrote to memory of 2104	892	528.exe	528.exe
PID 892 wrote to memory of 2104	892	528.exe	528.exe
PID 892 wrote to memory of 2104	892	528.exe	528.exe
PID 892 wrote to memory of 2104	892	528.exe	528.exe
PID 892 wrote to memory of 2104	892	528.exe	528.exe
PID 892 wrote to memory of 2104	892	528.exe	528.exe
PID 892 wrote to memory of 2780	892	528.exe	WerFault.exe
PID 892 wrote to memory of 2780	892	528.exe	WerFault.exe
PID 892 wrote to memory of 2780	892	528.exe	WerFault.exe
PID 892 wrote to memory of 2780	892	528.exe	WerFault.exe
PID 2104 wrote to memory of 2592	2104	528.exe	cmd.exe
PID 2104 wrote to memory of 2592	2104	528.exe	cmd.exe
PID 2104 wrote to memory of 2592	2104	528.exe	cmd.exe
PID 2104 wrote to memory of 2592	2104	528.exe	cmd.exe
PID 2104 wrote to memory of 1324	2104	528.exe	cmd.exe
PID 2104 wrote to memory of 1324	2104	528.exe	cmd.exe
PID 2104 wrote to memory of 1324	2104	528.exe	cmd.exe
PID 2104 wrote to memory of 1324	2104	528.exe	cmd.exe
PID 2104 wrote to memory of 2968	2104	528.exe	WerFault.exe
PID 2104 wrote to memory of 2968	2104	528.exe	WerFault.exe
PID 2104 wrote to memory of 2968	2104	528.exe	WerFault.exe
PID 2104 wrote to memory of 2968	2104	528.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\1bb0e36a487c3ae5f9507ea0285d6416_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1bb0e36a487c3ae5f9507ea0285d6416_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1748

C:\Users\Admin\AppData\Local\Temp\528.exe
C:\Users\Admin\AppData\Local\Temp\528.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:892

C:\Users\Admin\AppData\Local\Temp\528.exe
C:\Users\Admin\AppData\Local\Temp\528
3⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2104

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
4⤵
PID:2592

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
4⤵
PID:1324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 624
4⤵
- Loads dropped DLL
- Program crash
PID:2968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 236
3⤵
- Loads dropped DLL
- Program crash
PID:2780

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\528.exe
Filesize
755KB

MD5
7d9f73236d47178e2447ffdd4583f94c

SHA1
c118d94ea20eea01214ac5bcdc4f01741daf075f

SHA256
5515679bd5ffd508df258c4339c5e2fcc0158c015e9d3cd8a9b10a9e7c29ab22

SHA512
2936d2e387aff3503d759cff5b3da0d1fc91f2e9152e9e9713f15a8eb6f0173290fd60c418b1cad1a9868539b73126e42bacf64704d5e1aaa2364a20adae5c3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat
Filesize
58B

MD5
e030bf1e87a3a28e2f2fc84b1f30eeff

SHA1
311796cdb47375f814ee069b97fb119252189b74

SHA256
2f08a1c056f80663c74c117bcae2d42b05be0be2bb85c4e3fff8821d978f81f9

SHA512
e89b80e5369a2327b35757f5182627f3db36c8d43306d6ab47752ae56e450d9855137d6c4035ce4416c93d63a0a68c6fe57b7261600642a267dee98b9abd4664

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat
Filesize
50B

MD5
b774ae3fb1da087e1f83b4f7b2060e5a

SHA1
97eb9be49ac3af9c851c9e1e84e32bfd53e325a8

SHA256
adaf4a84b41e410b02e261cfd0fe7739d98647eab73c3badd32ac6e39f26351b

SHA512
f75d0f95f7306d26a12b414bfe37b97fbd37546cb3c6e403def7077329ddffb4b45d5c5f0ba0e7bb6d72851d2d691b0a85267beead42f7cbf2e8c3d45a3b4701

Download Submit
memory/892-10-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/892-13-0x0000000000260000-0x000000000026B000-memory.dmp

Filesize
44KB

Download
memory/1748-47-0x000007FEF4DA0000-0x000007FEF573D000-memory.dmp

Filesize
9.6MB

Download
memory/1748-7-0x000007FEF4DA0000-0x000007FEF573D000-memory.dmp

Filesize
9.6MB

Download
memory/1748-0-0x000007FEF505E000-0x000007FEF505F000-memory.dmp

Filesize
4KB

Download
memory/2104-37-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2104-16-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2104-28-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2104-25-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2104-22-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2104-38-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2104-20-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2104-30-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2104-18-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2104-39-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2104-32-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2104-48-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2104-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2104-14-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2104-74-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2104-75-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads