darkcomet | d959533c8ebd8f01b71f18724bb1d3e4b56f1cae10b42e9646fbae252bcf08df

Analysis

max time kernel
151s
max time network
124s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
02-07-2024 00:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Size

1.4MB
MD5

1d31d4f6c88a2f38d2750733df822fb6
SHA1

61c246104b2ab1d7e9e51d095b4d3924a675a0a0
SHA256

d959533c8ebd8f01b71f18724bb1d3e4b56f1cae10b42e9646fbae252bcf08df
SHA512

b2f8168b174d7b4767c019cc3ef7ff9017b6d68d2b6e5c5fab527e08bb02d0b2bd89cb748430e74a2ea8ead0fdc25e8971cabd408b36609b99c7c4022aaf008f
SSDEEP

24576:CHkvKha8vcsqLGu9BBdmZr3ndDkd9f+Vjz4nIrICWvuS3G8r/6TyBRzWxPsB24aq:C6Kdv8ukCtM2Irvz3tryuBwxU2QaSp

Score

10^/10

darkcomet persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\microsoft\\dwm.exe"	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exedwm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	dwm.exe

Executes dropped EXE 2 IoCs

Processes:

dwm.exedwm.exe

pid process

3000 dwm.exe
2752 dwm.exe
Loads dropped DLL 2 IoCs

Processes:

1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exedwm.exe

pid process

2192 1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
3000 dwm.exe

pid	process
3000	dwm.exe
2752	dwm.exe

pid	process
2192	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
3000	dwm.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\AudioDigital = "C:\\Users\\Admin\\AppData\\Roaming\\microsoft\\dwm.exe"	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exedwm.exe

description	pid	process	target process
PID 2200 set thread context of 2192	2200	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
PID 3000 set thread context of 2752	3000	dwm.exe	dwm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exedwm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exedwm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	dwm.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exedwm.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2192	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Token: SeSecurityPrivilege	2192	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2192	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2192	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2192	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2192	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2192	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2192	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2192	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Token: SeBackupPrivilege	2192	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Token: SeRestorePrivilege	2192	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Token: SeShutdownPrivilege	2192	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Token: SeDebugPrivilege	2192	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2192	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2192	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2192	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Token: SeUndockPrivilege	2192	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2192	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2192	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2192	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Token: 33	2192	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Token: 34	2192	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Token: 35	2192	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2752	dwm.exe
Token: SeSecurityPrivilege	2752	dwm.exe
Token: SeTakeOwnershipPrivilege	2752	dwm.exe
Token: SeLoadDriverPrivilege	2752	dwm.exe
Token: SeSystemProfilePrivilege	2752	dwm.exe
Token: SeSystemtimePrivilege	2752	dwm.exe
Token: SeProfSingleProcessPrivilege	2752	dwm.exe
Token: SeIncBasePriorityPrivilege	2752	dwm.exe
Token: SeCreatePagefilePrivilege	2752	dwm.exe
Token: SeBackupPrivilege	2752	dwm.exe
Token: SeRestorePrivilege	2752	dwm.exe
Token: SeShutdownPrivilege	2752	dwm.exe
Token: SeDebugPrivilege	2752	dwm.exe
Token: SeSystemEnvironmentPrivilege	2752	dwm.exe
Token: SeChangeNotifyPrivilege	2752	dwm.exe
Token: SeRemoteShutdownPrivilege	2752	dwm.exe
Token: SeUndockPrivilege	2752	dwm.exe
Token: SeManageVolumePrivilege	2752	dwm.exe
Token: SeImpersonatePrivilege	2752	dwm.exe
Token: SeCreateGlobalPrivilege	2752	dwm.exe
Token: 33	2752	dwm.exe
Token: 34	2752	dwm.exe
Token: 35	2752	dwm.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exedwm.exedwm.exe

pid process

2200 1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
2200 1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
3000 dwm.exe
3000 dwm.exe
2752 dwm.exe

pid	process
2200	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
2200	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
3000	dwm.exe
3000	dwm.exe
2752	dwm.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exedwm.exe

description	pid	process	target process
PID 2200 wrote to memory of 2192	2200	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
PID 2200 wrote to memory of 2192	2200	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
PID 2200 wrote to memory of 2192	2200	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
PID 2200 wrote to memory of 2192	2200	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
PID 2200 wrote to memory of 2192	2200	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
PID 2200 wrote to memory of 2192	2200	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
PID 2192 wrote to memory of 3000	2192	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe	dwm.exe
PID 2192 wrote to memory of 3000	2192	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe	dwm.exe
PID 2192 wrote to memory of 3000	2192	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe	dwm.exe
PID 2192 wrote to memory of 3000	2192	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe	dwm.exe
PID 3000 wrote to memory of 2752	3000	dwm.exe	dwm.exe
PID 3000 wrote to memory of 2752	3000	dwm.exe	dwm.exe
PID 3000 wrote to memory of 2752	3000	dwm.exe	dwm.exe
PID 3000 wrote to memory of 2752	3000	dwm.exe	dwm.exe
PID 3000 wrote to memory of 2752	3000	dwm.exe	dwm.exe
PID 3000 wrote to memory of 2752	3000	dwm.exe	dwm.exe

C:\Users\Admin\AppData\Local\Temp\1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2200

C:\Users\Admin\AppData\Local\Temp\1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe"
2⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2192

C:\Users\Admin\AppData\Roaming\microsoft\dwm.exe
"C:\Users\Admin\AppData\Roaming\microsoft\dwm.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3000

C:\Users\Admin\AppData\Roaming\microsoft\dwm.exe
"C:\Users\Admin\AppData\Roaming\microsoft\dwm.exe"
4⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2752

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\dwm.exe
Filesize
1.4MB

MD5
1d31d4f6c88a2f38d2750733df822fb6

SHA1
61c246104b2ab1d7e9e51d095b4d3924a675a0a0

SHA256
d959533c8ebd8f01b71f18724bb1d3e4b56f1cae10b42e9646fbae252bcf08df

SHA512
b2f8168b174d7b4767c019cc3ef7ff9017b6d68d2b6e5c5fab527e08bb02d0b2bd89cb748430e74a2ea8ead0fdc25e8971cabd408b36609b99c7c4022aaf008f

Download Submit
memory/2192-21-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2192-1-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2192-6-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2192-5-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2192-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2192-7-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2192-8-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2192-9-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2192-10-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2200-34-0x0000000000400000-0x0000000000574000-memory.dmp

Filesize
1.5MB

Download
memory/2200-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2200-50-0x0000000000400000-0x0000000000574000-memory.dmp

Filesize
1.5MB

Download
memory/2200-37-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2752-55-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2752-56-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2752-32-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2752-60-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2752-36-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2752-31-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2752-40-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2752-43-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2752-46-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2752-49-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2752-29-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2752-59-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2752-52-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2752-53-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2752-54-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2752-30-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2752-33-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2752-57-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2752-58-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3000-51-0x0000000000400000-0x0000000000574000-memory.dmp

Filesize
1.5MB

Download
memory/3000-35-0x0000000000400000-0x0000000000574000-memory.dmp

Filesize
1.5MB

Download