darkcomet | 20d6b633c956d62b403d5606d19087c849a389e418a4f584aecc7e482ce85d72

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02-07-2024 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1de373b11595fabb241db93b799b978a_JaffaCakes118.exe
Size

505KB
MD5

1de373b11595fabb241db93b799b978a
SHA1

b3921a1ec91acfc4e414f1748a219d97d9400244
SHA256

20d6b633c956d62b403d5606d19087c849a389e418a4f584aecc7e482ce85d72
SHA512

937d3d2c6e8c455822c8d2aea9a5d913dfccbb9bd7b55a0f2d8d3b66a34c1a88fdb70841806098f09cfc2b0ac23ac5bf730955fc69f97cb9d47a17195f5442ed
SSDEEP

12288:ZK3D4laLHWhujOl4EsJj0TN09tnXxsQtOKL1o0v0txUnh5csx6m:QVLHGujOS90TNwhseOAX4hsxF

Score

10^/10

darkcomet servermain persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

servermain

xgreenstonex.no-ip.biz:1604

Mutex

DC_MUTEX-4K7GGLT

Attributes

gencode
379wZYAo9xu2
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

winlogon.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation winlogon.exe
Executes dropped EXE 3 IoCs

Processes:

winlogon.exeStage2.exeStage1.exe

pid process

3712 winlogon.exe
5016 Stage2.exe
4280 Stage1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	winlogon.exe

pid	process
3712	winlogon.exe
5016	Stage2.exe
4280	Stage1.exe

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe	upx
behavioral2/memory/3712-4-0x0000000000400000-0x0000000000424000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\Stage2.exe	upx
behavioral2/memory/5016-17-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral2/memory/5016-22-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral2/memory/3712-25-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/1656-30-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1656-31-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1656-33-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/3712-36-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/1656-37-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1656-38-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1656-40-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1656-39-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1656-41-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1656-42-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1656-43-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1656-44-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1656-45-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1656-46-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1656-47-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1656-48-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1656-49-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1656-50-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1656-51-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1656-52-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1656-53-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1656-54-0x0000000000400000-0x00000000004BA000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Stage1.exe1de373b11595fabb241db93b799b978a_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\18.exe = "C:\\Users\\Admin\\AppData\\RoamingMicrosoft\\System\\Services\\18.exe"	Stage1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1de373b11595fabb241db93b799b978a_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Stage1.exe

description pid process target process

PID 4280 set thread context of 1656 4280 Stage1.exe cvtres.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 4280 set thread context of 1656	4280	Stage1.exe	cvtres.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

cvtres.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1656	cvtres.exe
Token: SeSecurityPrivilege	1656	cvtres.exe
Token: SeTakeOwnershipPrivilege	1656	cvtres.exe
Token: SeLoadDriverPrivilege	1656	cvtres.exe
Token: SeSystemProfilePrivilege	1656	cvtres.exe
Token: SeSystemtimePrivilege	1656	cvtres.exe
Token: SeProfSingleProcessPrivilege	1656	cvtres.exe
Token: SeIncBasePriorityPrivilege	1656	cvtres.exe
Token: SeCreatePagefilePrivilege	1656	cvtres.exe
Token: SeBackupPrivilege	1656	cvtres.exe
Token: SeRestorePrivilege	1656	cvtres.exe
Token: SeShutdownPrivilege	1656	cvtres.exe
Token: SeDebugPrivilege	1656	cvtres.exe
Token: SeSystemEnvironmentPrivilege	1656	cvtres.exe
Token: SeChangeNotifyPrivilege	1656	cvtres.exe
Token: SeRemoteShutdownPrivilege	1656	cvtres.exe
Token: SeUndockPrivilege	1656	cvtres.exe
Token: SeManageVolumePrivilege	1656	cvtres.exe
Token: SeImpersonatePrivilege	1656	cvtres.exe
Token: SeCreateGlobalPrivilege	1656	cvtres.exe
Token: 33	1656	cvtres.exe
Token: 34	1656	cvtres.exe
Token: 35	1656	cvtres.exe
Token: 36	1656	cvtres.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cvtres.exe

pid process

1656 cvtres.exe

pid	process
1656	cvtres.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

1de373b11595fabb241db93b799b978a_JaffaCakes118.exewinlogon.exeStage1.exe

description	pid	process	target process
PID 824 wrote to memory of 3712	824	1de373b11595fabb241db93b799b978a_JaffaCakes118.exe	winlogon.exe
PID 824 wrote to memory of 3712	824	1de373b11595fabb241db93b799b978a_JaffaCakes118.exe	winlogon.exe
PID 824 wrote to memory of 3712	824	1de373b11595fabb241db93b799b978a_JaffaCakes118.exe	winlogon.exe
PID 3712 wrote to memory of 5016	3712	winlogon.exe	Stage2.exe
PID 3712 wrote to memory of 5016	3712	winlogon.exe	Stage2.exe
PID 3712 wrote to memory of 5016	3712	winlogon.exe	Stage2.exe
PID 3712 wrote to memory of 4280	3712	winlogon.exe	Stage1.exe
PID 3712 wrote to memory of 4280	3712	winlogon.exe	Stage1.exe
PID 3712 wrote to memory of 4280	3712	winlogon.exe	Stage1.exe
PID 4280 wrote to memory of 1656	4280	Stage1.exe	cvtres.exe
PID 4280 wrote to memory of 1656	4280	Stage1.exe	cvtres.exe
PID 4280 wrote to memory of 1656	4280	Stage1.exe	cvtres.exe
PID 4280 wrote to memory of 1656	4280	Stage1.exe	cvtres.exe
PID 4280 wrote to memory of 1656	4280	Stage1.exe	cvtres.exe
PID 4280 wrote to memory of 1656	4280	Stage1.exe	cvtres.exe
PID 4280 wrote to memory of 1656	4280	Stage1.exe	cvtres.exe
PID 4280 wrote to memory of 1656	4280	Stage1.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\1de373b11595fabb241db93b799b978a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1de373b11595fabb241db93b799b978a_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:824

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3712

C:\Users\Admin\AppData\Local\Temp\Stage2.exe
"C:\Users\Admin\AppData\Local\Temp\Stage2.exe" x -y -oC:\Users\Admin\AppData\Local\Temp -pxnq8rPMxVI87ciGwWJHxRTy3iauHcIirteOOELv3B5vkS9kJoHBUAahY1dWxj8yA
3⤵
- Executes dropped EXE
PID:5016

C:\Users\Admin\AppData\Local\Temp\Stage1.exe
"C:\Users\Admin\AppData\Local\Temp\Stage1.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4280

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
1⤵
PID:1068

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe
Filesize
424KB

MD5
a93e2595c5ff88effb06d37071d6c8dd

SHA1
4624ba0ed2a77ca83c1b36af8fb369d5a35900dc

SHA256
7e57aec62450050ef6155073c9c3b96ffdcb5c2784eaf375405347c1258f4427

SHA512
b4260b5cbd872ff59505e5eed1075d23325ea96e5dc1a32736305c3f51e8101c67640e957bd59133f4b78392eb7f7d0c8b69e8771bed830144cdee590f163e60

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stage1.exe
Filesize
308KB

MD5
c06f87af3eade3d7f9947a6cd5e1ad65

SHA1
102143cb612fbfc532849e7909cf95e5f320f8fc

SHA256
a83ee9fbf10ce3a5a28a55b8b7c14c1f6c6e1f78ba256bdfc640fb9f46601ac4

SHA512
03a41127c8a6d5d91380ac3dc6d9d5f33ab8ee59e81e30867e6f7575531d17ba2388402b419611e04fe3466c6c3eb95750a6a36160d903d1822452ac6dfd0f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stage2.exe
Filesize
377KB

MD5
cc375e543361795f66484536ced4c32e

SHA1
e6004e351d2c3bc30f05251c76d056a9c3368cb0

SHA256
45ec72b86d21a50d9c208467c4440bd2ce67935bbc3c6f18f4407a9682c22b59

SHA512
f2f8a19bc00aab894d3810c2ef80f02b33077b07a335ee64a61726ee43d62f7213316fee63c2910ccff5d8b864884f575f473745c09b83c1e4a0ee162b61d75b

Download Submit
memory/1656-46-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1656-47-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1656-39-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1656-40-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1656-53-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1656-52-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1656-51-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1656-30-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1656-31-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1656-33-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1656-50-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1656-49-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1656-37-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1656-38-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1656-54-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1656-48-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1656-41-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1656-42-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1656-43-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1656-44-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1656-45-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3712-4-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3712-36-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3712-25-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4280-34-0x0000000073930000-0x0000000073EE1000-memory.dmp

Filesize
5.7MB

Download
memory/4280-28-0x0000000073930000-0x0000000073EE1000-memory.dmp

Filesize
5.7MB

Download
memory/4280-27-0x0000000073930000-0x0000000073EE1000-memory.dmp

Filesize
5.7MB

Download
memory/4280-26-0x0000000073932000-0x0000000073933000-memory.dmp

Filesize
4KB

Download
memory/5016-22-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5016-17-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download