darkcomet | d959533c8ebd8f01b71f18724bb1d3e4b56f1cae10b42e9646fbae252bcf08df

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02-07-2024 00:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Size

1.4MB
MD5

1d31d4f6c88a2f38d2750733df822fb6
SHA1

61c246104b2ab1d7e9e51d095b4d3924a675a0a0
SHA256

d959533c8ebd8f01b71f18724bb1d3e4b56f1cae10b42e9646fbae252bcf08df
SHA512

b2f8168b174d7b4767c019cc3ef7ff9017b6d68d2b6e5c5fab527e08bb02d0b2bd89cb748430e74a2ea8ead0fdc25e8971cabd408b36609b99c7c4022aaf008f
SSDEEP

24576:CHkvKha8vcsqLGu9BBdmZr3ndDkd9f+Vjz4nIrICWvuS3G8r/6TyBRzWxPsB24aq:C6Kdv8ukCtM2Irvz3tryuBwxU2QaSp

Score

10^/10

darkcomet persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\microsoft\\dwm.exe"	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exedwm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	dwm.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation 1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Executes dropped EXE 2 IoCs

Processes:

dwm.exedwm.exe

pid process

2604 dwm.exe
116 dwm.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe

pid	process
2604	dwm.exe
116	dwm.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AudioDigital = "C:\\Users\\Admin\\AppData\\Roaming\\microsoft\\dwm.exe"	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exedwm.exe

description	pid	process	target process
PID 4780 set thread context of 4824	4780	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
PID 2604 set thread context of 116	2604	dwm.exe	dwm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dwm.exe1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exedwm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	dwm.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exedwm.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4824	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Token: SeSecurityPrivilege	4824	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	4824	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	4824	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	4824	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Token: SeSystemtimePrivilege	4824	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	4824	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4824	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	4824	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Token: SeBackupPrivilege	4824	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Token: SeRestorePrivilege	4824	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Token: SeShutdownPrivilege	4824	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Token: SeDebugPrivilege	4824	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	4824	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	4824	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	4824	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Token: SeUndockPrivilege	4824	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Token: SeManageVolumePrivilege	4824	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Token: SeImpersonatePrivilege	4824	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	4824	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Token: 33	4824	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Token: 34	4824	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Token: 35	4824	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Token: 36	4824	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	116	dwm.exe
Token: SeSecurityPrivilege	116	dwm.exe
Token: SeTakeOwnershipPrivilege	116	dwm.exe
Token: SeLoadDriverPrivilege	116	dwm.exe
Token: SeSystemProfilePrivilege	116	dwm.exe
Token: SeSystemtimePrivilege	116	dwm.exe
Token: SeProfSingleProcessPrivilege	116	dwm.exe
Token: SeIncBasePriorityPrivilege	116	dwm.exe
Token: SeCreatePagefilePrivilege	116	dwm.exe
Token: SeBackupPrivilege	116	dwm.exe
Token: SeRestorePrivilege	116	dwm.exe
Token: SeShutdownPrivilege	116	dwm.exe
Token: SeDebugPrivilege	116	dwm.exe
Token: SeSystemEnvironmentPrivilege	116	dwm.exe
Token: SeChangeNotifyPrivilege	116	dwm.exe
Token: SeRemoteShutdownPrivilege	116	dwm.exe
Token: SeUndockPrivilege	116	dwm.exe
Token: SeManageVolumePrivilege	116	dwm.exe
Token: SeImpersonatePrivilege	116	dwm.exe
Token: SeCreateGlobalPrivilege	116	dwm.exe
Token: 33	116	dwm.exe
Token: 34	116	dwm.exe
Token: 35	116	dwm.exe
Token: 36	116	dwm.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exedwm.exedwm.exe

pid process

4780 1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
4780 1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
2604 dwm.exe
2604 dwm.exe
116 dwm.exe

pid	process
4780	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
4780	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
2604	dwm.exe
2604	dwm.exe
116	dwm.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exedwm.exe

description	pid	process	target process
PID 4780 wrote to memory of 4824	4780	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
PID 4780 wrote to memory of 4824	4780	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
PID 4780 wrote to memory of 4824	4780	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
PID 4780 wrote to memory of 4824	4780	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
PID 4780 wrote to memory of 4824	4780	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
PID 4824 wrote to memory of 2604	4824	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe	dwm.exe
PID 4824 wrote to memory of 2604	4824	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe	dwm.exe
PID 4824 wrote to memory of 2604	4824	1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe	dwm.exe
PID 2604 wrote to memory of 116	2604	dwm.exe	dwm.exe
PID 2604 wrote to memory of 116	2604	dwm.exe	dwm.exe
PID 2604 wrote to memory of 116	2604	dwm.exe	dwm.exe
PID 2604 wrote to memory of 116	2604	dwm.exe	dwm.exe
PID 2604 wrote to memory of 116	2604	dwm.exe	dwm.exe

C:\Users\Admin\AppData\Local\Temp\1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4780

C:\Users\Admin\AppData\Local\Temp\1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1d31d4f6c88a2f38d2750733df822fb6_JaffaCakes118.exe"
2⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4824

C:\Users\Admin\AppData\Roaming\microsoft\dwm.exe
"C:\Users\Admin\AppData\Roaming\microsoft\dwm.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2604

C:\Users\Admin\AppData\Roaming\microsoft\dwm.exe
"C:\Users\Admin\AppData\Roaming\microsoft\dwm.exe"
4⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:116

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\dwm.exe
Filesize
1.4MB

MD5
1d31d4f6c88a2f38d2750733df822fb6

SHA1
61c246104b2ab1d7e9e51d095b4d3924a675a0a0

SHA256
d959533c8ebd8f01b71f18724bb1d3e4b56f1cae10b42e9646fbae252bcf08df

SHA512
b2f8168b174d7b4767c019cc3ef7ff9017b6d68d2b6e5c5fab527e08bb02d0b2bd89cb748430e74a2ea8ead0fdc25e8971cabd408b36609b99c7c4022aaf008f

Download Submit
memory/116-25-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/116-44-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/116-24-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/116-53-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/116-52-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/116-51-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/116-56-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/116-50-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/116-41-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/116-28-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/116-54-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/116-55-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/116-23-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/116-27-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/116-26-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/116-49-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/116-38-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/116-31-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/116-48-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/116-35-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2604-30-0x0000000000400000-0x0000000000574000-memory.dmp

Filesize
1.5MB

Download
memory/2604-19-0x0000000000400000-0x0000000000574000-memory.dmp

Filesize
1.5MB

Download
memory/2604-47-0x0000000000400000-0x0000000000574000-memory.dmp

Filesize
1.5MB

Download
memory/4780-45-0x0000000000400000-0x0000000000574000-memory.dmp

Filesize
1.5MB

Download
memory/4780-0-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/4780-32-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/4780-29-0x0000000000400000-0x0000000000574000-memory.dmp

Filesize
1.5MB

Download
memory/4824-15-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4824-4-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4824-6-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4824-5-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4824-3-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4824-2-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4824-1-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download