darkcomet | 20d6b633c956d62b403d5606d19087c849a389e418a4f584aecc7e482ce85d72

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
02-07-2024 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1de373b11595fabb241db93b799b978a_JaffaCakes118.exe
Size

505KB
MD5

1de373b11595fabb241db93b799b978a
SHA1

b3921a1ec91acfc4e414f1748a219d97d9400244
SHA256

20d6b633c956d62b403d5606d19087c849a389e418a4f584aecc7e482ce85d72
SHA512

937d3d2c6e8c455822c8d2aea9a5d913dfccbb9bd7b55a0f2d8d3b66a34c1a88fdb70841806098f09cfc2b0ac23ac5bf730955fc69f97cb9d47a17195f5442ed
SSDEEP

12288:ZK3D4laLHWhujOl4EsJj0TN09tnXxsQtOKL1o0v0txUnh5csx6m:QVLHGujOS90TNwhseOAX4hsxF

Score

10^/10

darkcomet servermain persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

servermain

xgreenstonex.no-ip.biz:1604

Mutex

DC_MUTEX-4K7GGLT

Attributes

gencode
379wZYAo9xu2
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 3 IoCs

Processes:

winlogon.exeStage2.exeStage1.exe

pid process

1964 winlogon.exe
2404 Stage2.exe
2756 Stage1.exe
Loads dropped DLL 4 IoCs

Processes:

winlogon.exe

pid process

1964 winlogon.exe
1964 winlogon.exe
1964 winlogon.exe
1964 winlogon.exe

pid	process
1964	winlogon.exe
2404	Stage2.exe
2756	Stage1.exe

pid	process
1964	winlogon.exe
1964	winlogon.exe
1964	winlogon.exe
1964	winlogon.exe

UPX packed file 32 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1964-5-0x0000000000400000-0x0000000000424000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe	upx
\Users\Admin\AppData\Local\Temp\Stage2.exe	upx
behavioral1/memory/2404-18-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2404-22-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2848-32-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2848-38-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2848-37-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2848-39-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2848-34-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2848-41-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1964-42-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2848-43-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2848-44-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2848-45-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2848-47-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2848-46-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2848-48-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2848-49-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2848-50-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2848-51-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2848-52-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2848-53-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2848-54-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2848-55-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2848-56-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2848-57-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2848-58-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2848-59-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2848-60-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2848-61-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2848-62-0x0000000000400000-0x00000000004BA000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1de373b11595fabb241db93b799b978a_JaffaCakes118.exeStage1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1de373b11595fabb241db93b799b978a_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\18.exe = "C:\\Users\\Admin\\AppData\\RoamingMicrosoft\\System\\Services\\18.exe"	Stage1.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Stage1.exe

description pid process target process

PID 2756 set thread context of 2848 2756 Stage1.exe cvtres.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2756 set thread context of 2848	2756	Stage1.exe	cvtres.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

cvtres.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2848	cvtres.exe
Token: SeSecurityPrivilege	2848	cvtres.exe
Token: SeTakeOwnershipPrivilege	2848	cvtres.exe
Token: SeLoadDriverPrivilege	2848	cvtres.exe
Token: SeSystemProfilePrivilege	2848	cvtres.exe
Token: SeSystemtimePrivilege	2848	cvtres.exe
Token: SeProfSingleProcessPrivilege	2848	cvtres.exe
Token: SeIncBasePriorityPrivilege	2848	cvtres.exe
Token: SeCreatePagefilePrivilege	2848	cvtres.exe
Token: SeBackupPrivilege	2848	cvtres.exe
Token: SeRestorePrivilege	2848	cvtres.exe
Token: SeShutdownPrivilege	2848	cvtres.exe
Token: SeDebugPrivilege	2848	cvtres.exe
Token: SeSystemEnvironmentPrivilege	2848	cvtres.exe
Token: SeChangeNotifyPrivilege	2848	cvtres.exe
Token: SeRemoteShutdownPrivilege	2848	cvtres.exe
Token: SeUndockPrivilege	2848	cvtres.exe
Token: SeManageVolumePrivilege	2848	cvtres.exe
Token: SeImpersonatePrivilege	2848	cvtres.exe
Token: SeCreateGlobalPrivilege	2848	cvtres.exe
Token: 33	2848	cvtres.exe
Token: 34	2848	cvtres.exe
Token: 35	2848	cvtres.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cvtres.exe

pid process

2848 cvtres.exe

pid	process
2848	cvtres.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

1de373b11595fabb241db93b799b978a_JaffaCakes118.exewinlogon.exeStage1.exe

description	pid	process	target process
PID 772 wrote to memory of 1964	772	1de373b11595fabb241db93b799b978a_JaffaCakes118.exe	winlogon.exe
PID 772 wrote to memory of 1964	772	1de373b11595fabb241db93b799b978a_JaffaCakes118.exe	winlogon.exe
PID 772 wrote to memory of 1964	772	1de373b11595fabb241db93b799b978a_JaffaCakes118.exe	winlogon.exe
PID 772 wrote to memory of 1964	772	1de373b11595fabb241db93b799b978a_JaffaCakes118.exe	winlogon.exe
PID 772 wrote to memory of 1964	772	1de373b11595fabb241db93b799b978a_JaffaCakes118.exe	winlogon.exe
PID 772 wrote to memory of 1964	772	1de373b11595fabb241db93b799b978a_JaffaCakes118.exe	winlogon.exe
PID 772 wrote to memory of 1964	772	1de373b11595fabb241db93b799b978a_JaffaCakes118.exe	winlogon.exe
PID 1964 wrote to memory of 2404	1964	winlogon.exe	Stage2.exe
PID 1964 wrote to memory of 2404	1964	winlogon.exe	Stage2.exe
PID 1964 wrote to memory of 2404	1964	winlogon.exe	Stage2.exe
PID 1964 wrote to memory of 2404	1964	winlogon.exe	Stage2.exe
PID 1964 wrote to memory of 2756	1964	winlogon.exe	Stage1.exe
PID 1964 wrote to memory of 2756	1964	winlogon.exe	Stage1.exe
PID 1964 wrote to memory of 2756	1964	winlogon.exe	Stage1.exe
PID 1964 wrote to memory of 2756	1964	winlogon.exe	Stage1.exe
PID 2756 wrote to memory of 2848	2756	Stage1.exe	cvtres.exe
PID 2756 wrote to memory of 2848	2756	Stage1.exe	cvtres.exe
PID 2756 wrote to memory of 2848	2756	Stage1.exe	cvtres.exe
PID 2756 wrote to memory of 2848	2756	Stage1.exe	cvtres.exe
PID 2756 wrote to memory of 2848	2756	Stage1.exe	cvtres.exe
PID 2756 wrote to memory of 2848	2756	Stage1.exe	cvtres.exe
PID 2756 wrote to memory of 2848	2756	Stage1.exe	cvtres.exe
PID 2756 wrote to memory of 2848	2756	Stage1.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\1de373b11595fabb241db93b799b978a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1de373b11595fabb241db93b799b978a_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:772

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964

C:\Users\Admin\AppData\Local\Temp\Stage2.exe
"C:\Users\Admin\AppData\Local\Temp\Stage2.exe" x -y -oC:\Users\Admin\AppData\Local\Temp -pxnq8rPMxVI87ciGwWJHxRTy3iauHcIirteOOELv3B5vkS9kJoHBUAahY1dWxj8yA
3⤵
- Executes dropped EXE
PID:2404

C:\Users\Admin\AppData\Local\Temp\Stage1.exe
"C:\Users\Admin\AppData\Local\Temp\Stage1.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2756

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2848

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe
Filesize
424KB

MD5
a93e2595c5ff88effb06d37071d6c8dd

SHA1
4624ba0ed2a77ca83c1b36af8fb369d5a35900dc

SHA256
7e57aec62450050ef6155073c9c3b96ffdcb5c2784eaf375405347c1258f4427

SHA512
b4260b5cbd872ff59505e5eed1075d23325ea96e5dc1a32736305c3f51e8101c67640e957bd59133f4b78392eb7f7d0c8b69e8771bed830144cdee590f163e60

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stage1.exe
Filesize
308KB

MD5
c06f87af3eade3d7f9947a6cd5e1ad65

SHA1
102143cb612fbfc532849e7909cf95e5f320f8fc

SHA256
a83ee9fbf10ce3a5a28a55b8b7c14c1f6c6e1f78ba256bdfc640fb9f46601ac4

SHA512
03a41127c8a6d5d91380ac3dc6d9d5f33ab8ee59e81e30867e6f7575531d17ba2388402b419611e04fe3466c6c3eb95750a6a36160d903d1822452ac6dfd0f9d

Download Submit
\Users\Admin\AppData\Local\Temp\Stage2.exe
Filesize
377KB

MD5
cc375e543361795f66484536ced4c32e

SHA1
e6004e351d2c3bc30f05251c76d056a9c3368cb0

SHA256
45ec72b86d21a50d9c208467c4440bd2ce67935bbc3c6f18f4407a9682c22b59

SHA512
f2f8a19bc00aab894d3810c2ef80f02b33077b07a335ee64a61726ee43d62f7213316fee63c2910ccff5d8b864884f575f473745c09b83c1e4a0ee162b61d75b

Download Submit
memory/1964-12-0x00000000026E0000-0x0000000002723000-memory.dmp

Filesize
268KB

Download
memory/1964-5-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1964-42-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2404-18-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2404-22-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2756-40-0x0000000074650000-0x0000000074BFB000-memory.dmp

Filesize
5.7MB

Download
memory/2756-27-0x0000000074651000-0x0000000074652000-memory.dmp

Filesize
4KB

Download
memory/2756-28-0x0000000074650000-0x0000000074BFB000-memory.dmp

Filesize
5.7MB

Download
memory/2756-29-0x0000000074650000-0x0000000074BFB000-memory.dmp

Filesize
5.7MB

Download
memory/2848-43-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2848-48-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2848-37-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2848-39-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2848-34-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2848-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2848-41-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2848-32-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2848-31-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2848-44-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2848-45-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2848-47-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2848-46-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2848-38-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2848-49-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2848-50-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2848-51-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2848-52-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2848-53-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2848-54-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2848-55-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2848-56-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2848-57-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2848-58-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2848-59-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2848-60-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2848-61-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2848-62-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download