darkcomet | 151a6374669a557f4b91682dff916e16088173c995f4cbf239b6d8828886ec89

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe
Size

758KB
MD5

1c2d1c88e9597535bc77f312f3eed94b
SHA1

5313e64a644abf63c7a653ef3383d2cba4bb2470
SHA256

151a6374669a557f4b91682dff916e16088173c995f4cbf239b6d8828886ec89
SHA512

b435a3f06d218ce817783c5e3783e210bdc3860d7e330b4953a1b7b2a08e0c925b8937f52d6c6947c32613aceec1bc31897289a4c2bea81e2b12e563a8195ab4
SSDEEP

12288:8X2JVHMRtDaSm3TJvVNvWV5YTsY7tHwbz/htfcoCoK632zb7G/QoFCk:qss2Sm39NNv9wY7tHwbzfIoK6Mook

Score

10^/10

darkcomet nsm evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

nsm

dark.dnsd.info:1604

Mutex

DC_MUTEX-BBCMREG

Attributes

InstallPath
MSDCSC\lsassc.exe
gencode
rArbm2GK8iZn
install
true
offline_keylogger
false
persistence
true
reg_key
lsass.exe

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\lsassc.exe"	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe

Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

4868 attrib.exe
2756 attrib.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation 1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe
Executes dropped EXE 1 IoCs

Processes:

lsassc.exe

pid process

4520 lsassc.exe

pid	process
4868	attrib.exe
2756	attrib.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe

pid	process
4520	lsassc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exelsassc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass.exe = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\lsassc.exe"	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass.exe = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\lsassc.exe"	lsassc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

828 1516 WerFault.exe notepad.exe
Modifies registry class 1 IoCs

Processes:

1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

lsassc.exe

pid process

4520 lsassc.exe

pid	pid_target	process	target process
828	1516	WerFault.exe	notepad.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe

pid	process
4520	lsassc.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exelsassc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3004	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe
Token: SeSecurityPrivilege	3004	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	3004	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	3004	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	3004	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe
Token: SeSystemtimePrivilege	3004	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	3004	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3004	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	3004	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe
Token: SeBackupPrivilege	3004	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe
Token: SeRestorePrivilege	3004	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe
Token: SeShutdownPrivilege	3004	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe
Token: SeDebugPrivilege	3004	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	3004	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	3004	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	3004	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe
Token: SeUndockPrivilege	3004	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe
Token: SeManageVolumePrivilege	3004	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe
Token: SeImpersonatePrivilege	3004	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	3004	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe
Token: 33	3004	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe
Token: 34	3004	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe
Token: 35	3004	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe
Token: 36	3004	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	4520	lsassc.exe
Token: SeSecurityPrivilege	4520	lsassc.exe
Token: SeTakeOwnershipPrivilege	4520	lsassc.exe
Token: SeLoadDriverPrivilege	4520	lsassc.exe
Token: SeSystemProfilePrivilege	4520	lsassc.exe
Token: SeSystemtimePrivilege	4520	lsassc.exe
Token: SeProfSingleProcessPrivilege	4520	lsassc.exe
Token: SeIncBasePriorityPrivilege	4520	lsassc.exe
Token: SeCreatePagefilePrivilege	4520	lsassc.exe
Token: SeBackupPrivilege	4520	lsassc.exe
Token: SeRestorePrivilege	4520	lsassc.exe
Token: SeShutdownPrivilege	4520	lsassc.exe
Token: SeDebugPrivilege	4520	lsassc.exe
Token: SeSystemEnvironmentPrivilege	4520	lsassc.exe
Token: SeChangeNotifyPrivilege	4520	lsassc.exe
Token: SeRemoteShutdownPrivilege	4520	lsassc.exe
Token: SeUndockPrivilege	4520	lsassc.exe
Token: SeManageVolumePrivilege	4520	lsassc.exe
Token: SeImpersonatePrivilege	4520	lsassc.exe
Token: SeCreateGlobalPrivilege	4520	lsassc.exe
Token: 33	4520	lsassc.exe
Token: 34	4520	lsassc.exe
Token: 35	4520	lsassc.exe
Token: 36	4520	lsassc.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.execmd.execmd.exelsassc.exe

description	pid	process	target process
PID 3004 wrote to memory of 5016	3004	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe	cmd.exe
PID 3004 wrote to memory of 5016	3004	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe	cmd.exe
PID 3004 wrote to memory of 5016	3004	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe	cmd.exe
PID 3004 wrote to memory of 4140	3004	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe	cmd.exe
PID 3004 wrote to memory of 4140	3004	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe	cmd.exe
PID 3004 wrote to memory of 4140	3004	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe	cmd.exe
PID 3004 wrote to memory of 1516	3004	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe	notepad.exe
PID 3004 wrote to memory of 1516	3004	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe	notepad.exe
PID 3004 wrote to memory of 1516	3004	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe	notepad.exe
PID 3004 wrote to memory of 1516	3004	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe	notepad.exe
PID 3004 wrote to memory of 1516	3004	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe	notepad.exe
PID 3004 wrote to memory of 1516	3004	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe	notepad.exe
PID 3004 wrote to memory of 1516	3004	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe	notepad.exe
PID 3004 wrote to memory of 1516	3004	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe	notepad.exe
PID 3004 wrote to memory of 1516	3004	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe	notepad.exe
PID 3004 wrote to memory of 1516	3004	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe	notepad.exe
PID 3004 wrote to memory of 1516	3004	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe	notepad.exe
PID 3004 wrote to memory of 1516	3004	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe	notepad.exe
PID 3004 wrote to memory of 1516	3004	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe	notepad.exe
PID 3004 wrote to memory of 1516	3004	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe	notepad.exe
PID 3004 wrote to memory of 1516	3004	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe	notepad.exe
PID 3004 wrote to memory of 1516	3004	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe	notepad.exe
PID 3004 wrote to memory of 1516	3004	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe	notepad.exe
PID 4140 wrote to memory of 4868	4140	cmd.exe	attrib.exe
PID 4140 wrote to memory of 4868	4140	cmd.exe	attrib.exe
PID 4140 wrote to memory of 4868	4140	cmd.exe	attrib.exe
PID 5016 wrote to memory of 2756	5016	cmd.exe	attrib.exe
PID 5016 wrote to memory of 2756	5016	cmd.exe	attrib.exe
PID 5016 wrote to memory of 2756	5016	cmd.exe	attrib.exe
PID 3004 wrote to memory of 4520	3004	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe	lsassc.exe
PID 3004 wrote to memory of 4520	3004	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe	lsassc.exe
PID 3004 wrote to memory of 4520	3004	1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe	lsassc.exe
PID 4520 wrote to memory of 2272	4520	lsassc.exe	notepad.exe
PID 4520 wrote to memory of 2272	4520	lsassc.exe	notepad.exe
PID 4520 wrote to memory of 2272	4520	lsassc.exe	notepad.exe
PID 4520 wrote to memory of 2272	4520	lsassc.exe	notepad.exe
PID 4520 wrote to memory of 2272	4520	lsassc.exe	notepad.exe
PID 4520 wrote to memory of 2272	4520	lsassc.exe	notepad.exe
PID 4520 wrote to memory of 2272	4520	lsassc.exe	notepad.exe
PID 4520 wrote to memory of 2272	4520	lsassc.exe	notepad.exe
PID 4520 wrote to memory of 2272	4520	lsassc.exe	notepad.exe
PID 4520 wrote to memory of 2272	4520	lsassc.exe	notepad.exe
PID 4520 wrote to memory of 2272	4520	lsassc.exe	notepad.exe
PID 4520 wrote to memory of 2272	4520	lsassc.exe	notepad.exe
PID 4520 wrote to memory of 2272	4520	lsassc.exe	notepad.exe
PID 4520 wrote to memory of 2272	4520	lsassc.exe	notepad.exe
PID 4520 wrote to memory of 2272	4520	lsassc.exe	notepad.exe
PID 4520 wrote to memory of 2272	4520	lsassc.exe	notepad.exe
PID 4520 wrote to memory of 2272	4520	lsassc.exe	notepad.exe
PID 4520 wrote to memory of 2272	4520	lsassc.exe	notepad.exe
PID 4520 wrote to memory of 2272	4520	lsassc.exe	notepad.exe
PID 4520 wrote to memory of 2272	4520	lsassc.exe	notepad.exe
PID 4520 wrote to memory of 2272	4520	lsassc.exe	notepad.exe
PID 4520 wrote to memory of 2272	4520	lsassc.exe	notepad.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

4868 attrib.exe
2756 attrib.exe

pid	process
4868	attrib.exe
2756	attrib.exe

C:\Users\Admin\AppData\Local\Temp\1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3004

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:5016

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe" +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2756

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:4140

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4868

C:\Windows\SysWOW64\notepad.exe
notepad
2⤵
PID:1516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 128
3⤵
- Program crash
PID:828

C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\lsassc.exe
"C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\lsassc.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4520

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
PID:2272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1516 -ip 1516
1⤵
PID:1956

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\lsassc.exe
Filesize
758KB

MD5
1c2d1c88e9597535bc77f312f3eed94b

SHA1
5313e64a644abf63c7a653ef3383d2cba4bb2470

SHA256
151a6374669a557f4b91682dff916e16088173c995f4cbf239b6d8828886ec89

SHA512
b435a3f06d218ce817783c5e3783e210bdc3860d7e330b4953a1b7b2a08e0c925b8937f52d6c6947c32613aceec1bc31897289a4c2bea81e2b12e563a8195ab4

Download Submit
memory/1516-3-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/2272-63-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/3004-0-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/3004-62-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4520-65-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4520-67-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4520-69-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4520-71-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4520-75-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download