darkcomet | 6f33293b5249254007d2dce8e8e5514b568f0700164aa8606829287221f50e88

Analysis

max time kernel
151s
max time network
126s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 17:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bd50dc7b3e8edd57e4b285ccdcc3a0f_JaffaCakes118.exe
Size

420KB
MD5

1bd50dc7b3e8edd57e4b285ccdcc3a0f
SHA1

238e5e649d7d08fa9ad55e6b52f64ce2ee1b8184
SHA256

6f33293b5249254007d2dce8e8e5514b568f0700164aa8606829287221f50e88
SHA512

2c9be630c14e841d06ac867e9852a9a5f64bc003b50b380421550b1ec559823ee90bbb2f0c8a99a0bdcaa809a48fedab9762f1ec32f6b2471173ce654ee10aef
SSDEEP

6144:3br+YGcLLr7U00LLLLLLVngnPLLLYMj3yR8OpMXPpGkvAs5HxBlWvHm/ScwSxjtz:3fWMLyirP4kvAQvld/SFSBXu2Xguf8K

Score

10^/10

darkcomet new guys persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

New guys

appiething.no-ip.biz:1604

Mutex

DC_MUTEX-H48H0Y8

Attributes

gencode
A4BYeJSrCyrP
install
false
offline_keylogger
true
password
sfdsdfdfdfssd
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 2 IoCs

Processes:

Resolve chromse.exeResolve chromse.exe

pid process

7464 Resolve chromse.exe
7848 Resolve chromse.exe

pid	process
7464	Resolve chromse.exe
7848	Resolve chromse.exe

Loads dropped DLL 5 IoCs

Processes:

1bd50dc7b3e8edd57e4b285ccdcc3a0f_JaffaCakes118.exe

pid	process
2924	1bd50dc7b3e8edd57e4b285ccdcc3a0f_JaffaCakes118.exe
2924	1bd50dc7b3e8edd57e4b285ccdcc3a0f_JaffaCakes118.exe
2924	1bd50dc7b3e8edd57e4b285ccdcc3a0f_JaffaCakes118.exe
2924	1bd50dc7b3e8edd57e4b285ccdcc3a0f_JaffaCakes118.exe
2924	1bd50dc7b3e8edd57e4b285ccdcc3a0f_JaffaCakes118.exe

UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
upx

Processes:

resource yara_rule

behavioral1/memory/7848-36181-0x0000000000400000-0x00000000004B9000-memory.dmp upx
behavioral1/memory/7848-36188-0x0000000000400000-0x00000000004B9000-memory.dmp upx

resource	yara_rule
behavioral1/memory/7848-36181-0x0000000000400000-0x00000000004B9000-memory.dmp	upx
behavioral1/memory/7848-36188-0x0000000000400000-0x00000000004B9000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Detect = "C:\\Users\\Admin\\AppData\\Roaming\\Intel trying\\Resolve chromse.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Resolve chromse.exe

description pid process target process

PID 7464 set thread context of 7848 7464 Resolve chromse.exe Resolve chromse.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 7464 set thread context of 7848	7464	Resolve chromse.exe	Resolve chromse.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

Resolve chromse.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	7848	Resolve chromse.exe
Token: SeSecurityPrivilege	7848	Resolve chromse.exe
Token: SeTakeOwnershipPrivilege	7848	Resolve chromse.exe
Token: SeLoadDriverPrivilege	7848	Resolve chromse.exe
Token: SeSystemProfilePrivilege	7848	Resolve chromse.exe
Token: SeSystemtimePrivilege	7848	Resolve chromse.exe
Token: SeProfSingleProcessPrivilege	7848	Resolve chromse.exe
Token: SeIncBasePriorityPrivilege	7848	Resolve chromse.exe
Token: SeCreatePagefilePrivilege	7848	Resolve chromse.exe
Token: SeBackupPrivilege	7848	Resolve chromse.exe
Token: SeRestorePrivilege	7848	Resolve chromse.exe
Token: SeShutdownPrivilege	7848	Resolve chromse.exe
Token: SeDebugPrivilege	7848	Resolve chromse.exe
Token: SeSystemEnvironmentPrivilege	7848	Resolve chromse.exe
Token: SeChangeNotifyPrivilege	7848	Resolve chromse.exe
Token: SeRemoteShutdownPrivilege	7848	Resolve chromse.exe
Token: SeUndockPrivilege	7848	Resolve chromse.exe
Token: SeManageVolumePrivilege	7848	Resolve chromse.exe
Token: SeImpersonatePrivilege	7848	Resolve chromse.exe
Token: SeCreateGlobalPrivilege	7848	Resolve chromse.exe
Token: 33	7848	Resolve chromse.exe
Token: 34	7848	Resolve chromse.exe
Token: 35	7848	Resolve chromse.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

1bd50dc7b3e8edd57e4b285ccdcc3a0f_JaffaCakes118.exeResolve chromse.exeResolve chromse.exe

pid process

2924 1bd50dc7b3e8edd57e4b285ccdcc3a0f_JaffaCakes118.exe
7464 Resolve chromse.exe
7848 Resolve chromse.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

1bd50dc7b3e8edd57e4b285ccdcc3a0f_JaffaCakes118.execmd.exeResolve chromse.exe

description	pid	process	target process
PID 2924 wrote to memory of 3900	2924	1bd50dc7b3e8edd57e4b285ccdcc3a0f_JaffaCakes118.exe	cmd.exe
PID 2924 wrote to memory of 3900	2924	1bd50dc7b3e8edd57e4b285ccdcc3a0f_JaffaCakes118.exe	cmd.exe
PID 2924 wrote to memory of 3900	2924	1bd50dc7b3e8edd57e4b285ccdcc3a0f_JaffaCakes118.exe	cmd.exe
PID 2924 wrote to memory of 3900	2924	1bd50dc7b3e8edd57e4b285ccdcc3a0f_JaffaCakes118.exe	cmd.exe
PID 3900 wrote to memory of 1072	3900	cmd.exe	reg.exe
PID 3900 wrote to memory of 1072	3900	cmd.exe	reg.exe
PID 3900 wrote to memory of 1072	3900	cmd.exe	reg.exe
PID 3900 wrote to memory of 1072	3900	cmd.exe	reg.exe
PID 2924 wrote to memory of 7464	2924	1bd50dc7b3e8edd57e4b285ccdcc3a0f_JaffaCakes118.exe	Resolve chromse.exe
PID 2924 wrote to memory of 7464	2924	1bd50dc7b3e8edd57e4b285ccdcc3a0f_JaffaCakes118.exe	Resolve chromse.exe
PID 2924 wrote to memory of 7464	2924	1bd50dc7b3e8edd57e4b285ccdcc3a0f_JaffaCakes118.exe	Resolve chromse.exe
PID 2924 wrote to memory of 7464	2924	1bd50dc7b3e8edd57e4b285ccdcc3a0f_JaffaCakes118.exe	Resolve chromse.exe
PID 7464 wrote to memory of 7848	7464	Resolve chromse.exe	Resolve chromse.exe
PID 7464 wrote to memory of 7848	7464	Resolve chromse.exe	Resolve chromse.exe
PID 7464 wrote to memory of 7848	7464	Resolve chromse.exe	Resolve chromse.exe
PID 7464 wrote to memory of 7848	7464	Resolve chromse.exe	Resolve chromse.exe
PID 7464 wrote to memory of 7848	7464	Resolve chromse.exe	Resolve chromse.exe
PID 7464 wrote to memory of 7848	7464	Resolve chromse.exe	Resolve chromse.exe
PID 7464 wrote to memory of 7848	7464	Resolve chromse.exe	Resolve chromse.exe
PID 7464 wrote to memory of 7848	7464	Resolve chromse.exe	Resolve chromse.exe

C:\Users\Admin\AppData\Local\Temp\1bd50dc7b3e8edd57e4b285ccdcc3a0f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1bd50dc7b3e8edd57e4b285ccdcc3a0f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\259444966.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:3900

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Detect" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Intel trying\Resolve chromse.exe" /f
3⤵
- Adds Run key to start application
PID:1072

C:\Users\Admin\AppData\Roaming\Intel trying\Resolve chromse.exe
"C:\Users\Admin\AppData\Roaming\Intel trying\Resolve chromse.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:7464

C:\Users\Admin\AppData\Roaming\Intel trying\Resolve chromse.exe
"C:\Users\Admin\AppData\Roaming\Intel trying\Resolve chromse.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:7848

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259444966.bat
Filesize
162B

MD5
d1d64e60b45ff774cba45c0069205d6f

SHA1
6dceeaafd21647ef54a7050b90869741f09d47fd

SHA256
e838dd60aca3c13cbd76f59b3fd9e44a3bf1159e6c184cf6b7e66925cf441a12

SHA512
554194031ec1b781dcb78fb57162207f5d8726d1cf5a5f4f4dec3eca294d7482b00581e33498dffe04569382a4ad4c2345653b8cf7e6f168046e25ee0d5f87b3

Download Submit
\Users\Admin\AppData\Roaming\Intel trying\Resolve chromse.exe
Filesize
420KB

MD5
7b6c99fd3ad3fa7b5bfb477a1895eda7

SHA1
2d8c22eb74d1d76759a58bfca6dff701f885d52d

SHA256
efefff19fcd09e00e147b5ac57c50d8a9b1ca31a0cd58e28951e4c3e589cf5dd

SHA512
f3690dfbd3dc6b652a51a5eb79cb3d60d67ab3876ece25e88a74532b487a9052f2510eaacfc961f7823c4a0e5a9be327cb5d940c70bce6e00d2407b16907371e

Download Submit
memory/2924-14170-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2924-14142-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2924-14206-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2924-14166-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2924-14202-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2924-14200-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2924-14198-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2924-14196-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2924-14194-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2924-14192-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2924-14190-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2924-14188-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2924-14186-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2924-14184-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2924-14182-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2924-14180-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2924-14178-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2924-14162-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2924-14174-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2924-14172-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2924-9123-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2924-14168-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2924-14204-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2924-14164-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2924-14176-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2924-14160-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2924-14158-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2924-14156-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2924-14154-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2924-14152-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2924-14150-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2924-14148-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2924-14146-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2924-14144-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2924-14208-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2924-14140-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2924-14138-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2924-14136-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2924-14070-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2924-14068-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2924-14062-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2924-14057-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2924-14210-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/7848-36181-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/7848-36188-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download