darkcomet | 351b67cd53a80350ea7d34f069e85a2e4cb4d8050ef00f1e4a994f04326c78af

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
02-07-2024 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
Size

630KB
MD5

1f36ae9c549463f85413f1f79c0c5886
SHA1

d4c413853c03dd17acaada4c1d46195e57cb9017
SHA256

351b67cd53a80350ea7d34f069e85a2e4cb4d8050ef00f1e4a994f04326c78af
SHA512

e54ac588bcba670fe0d3dbbf21768cfa2c1af799c4fc9d2f16d01efbb0697fbf63eaa7ae16ac26e1ef31a1cb247eb6ce63f923dab0ab0d9efe9d3db20852b76c
SSDEEP

12288:v5kJ7Mj7pvwIQRdVoZ9NVlfndzfiX6gIGPQG+U:v5C4jVvW89N7fndzfpgFQG+

Score

10^/10

darkcomet persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 1 IoCs

Processes:

nSClearText.exe

pid process

2620 nSClearText.exe
Loads dropped DLL 1 IoCs

Processes:

1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe

pid process

2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe

pid	process
2620	nSClearText.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2724-24-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral1/memory/2724-23-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral1/memory/2724-19-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral1/memory/2724-18-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral1/memory/2724-17-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral1/memory/2724-14-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral1/memory/2724-12-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral1/memory/2724-25-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral1/memory/2724-26-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral1/memory/2004-40-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral1/memory/2004-44-0x0000000000400000-0x00000000004EB000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\jdx = "C:\\Users\\Admin\\AppData\\Roaming\\jdx.exe"	WScript.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe

description	pid	process	target process
PID 2024 set thread context of 2724	2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	cvtres.exe
PID 2024 set thread context of 2004	2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe

pid	process
2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

Processes:

cvtres.exe1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exevbc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2724	cvtres.exe
Token: SeSecurityPrivilege	2724	cvtres.exe
Token: SeTakeOwnershipPrivilege	2724	cvtres.exe
Token: SeLoadDriverPrivilege	2724	cvtres.exe
Token: SeSystemProfilePrivilege	2724	cvtres.exe
Token: SeSystemtimePrivilege	2724	cvtres.exe
Token: SeProfSingleProcessPrivilege	2724	cvtres.exe
Token: SeIncBasePriorityPrivilege	2724	cvtres.exe
Token: SeCreatePagefilePrivilege	2724	cvtres.exe
Token: SeBackupPrivilege	2724	cvtres.exe
Token: SeRestorePrivilege	2724	cvtres.exe
Token: SeShutdownPrivilege	2724	cvtres.exe
Token: SeDebugPrivilege	2724	cvtres.exe
Token: SeSystemEnvironmentPrivilege	2724	cvtres.exe
Token: SeChangeNotifyPrivilege	2724	cvtres.exe
Token: SeRemoteShutdownPrivilege	2724	cvtres.exe
Token: SeUndockPrivilege	2724	cvtres.exe
Token: SeManageVolumePrivilege	2724	cvtres.exe
Token: SeImpersonatePrivilege	2724	cvtres.exe
Token: SeCreateGlobalPrivilege	2724	cvtres.exe
Token: 33	2724	cvtres.exe
Token: 34	2724	cvtres.exe
Token: 35	2724	cvtres.exe
Token: SeDebugPrivilege	2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2004	vbc.exe
Token: SeSecurityPrivilege	2004	vbc.exe
Token: SeTakeOwnershipPrivilege	2004	vbc.exe
Token: SeLoadDriverPrivilege	2004	vbc.exe
Token: SeSystemProfilePrivilege	2004	vbc.exe
Token: SeSystemtimePrivilege	2004	vbc.exe
Token: SeProfSingleProcessPrivilege	2004	vbc.exe
Token: SeIncBasePriorityPrivilege	2004	vbc.exe
Token: SeCreatePagefilePrivilege	2004	vbc.exe
Token: SeBackupPrivilege	2004	vbc.exe
Token: SeRestorePrivilege	2004	vbc.exe
Token: SeShutdownPrivilege	2004	vbc.exe
Token: SeDebugPrivilege	2004	vbc.exe
Token: SeSystemEnvironmentPrivilege	2004	vbc.exe
Token: SeChangeNotifyPrivilege	2004	vbc.exe
Token: SeRemoteShutdownPrivilege	2004	vbc.exe
Token: SeUndockPrivilege	2004	vbc.exe
Token: SeManageVolumePrivilege	2004	vbc.exe
Token: SeImpersonatePrivilege	2004	vbc.exe
Token: SeCreateGlobalPrivilege	2004	vbc.exe
Token: 33	2004	vbc.exe
Token: 34	2004	vbc.exe
Token: 35	2004	vbc.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe

description	pid	process	target process
PID 2024 wrote to memory of 624	2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	cmd.exe
PID 2024 wrote to memory of 624	2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	cmd.exe
PID 2024 wrote to memory of 624	2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	cmd.exe
PID 2024 wrote to memory of 624	2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	cmd.exe
PID 2024 wrote to memory of 1908	2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	WScript.exe
PID 2024 wrote to memory of 1908	2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	WScript.exe
PID 2024 wrote to memory of 1908	2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	WScript.exe
PID 2024 wrote to memory of 1908	2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	WScript.exe
PID 2024 wrote to memory of 2724	2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	cvtres.exe
PID 2024 wrote to memory of 2724	2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	cvtres.exe
PID 2024 wrote to memory of 2724	2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	cvtres.exe
PID 2024 wrote to memory of 2724	2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	cvtres.exe
PID 2024 wrote to memory of 2724	2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	cvtres.exe
PID 2024 wrote to memory of 2724	2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	cvtres.exe
PID 2024 wrote to memory of 2724	2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	cvtres.exe
PID 2024 wrote to memory of 2724	2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	cvtres.exe
PID 2024 wrote to memory of 2620	2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	nSClearText.exe
PID 2024 wrote to memory of 2620	2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	nSClearText.exe
PID 2024 wrote to memory of 2620	2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	nSClearText.exe
PID 2024 wrote to memory of 2620	2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	nSClearText.exe
PID 2024 wrote to memory of 2004	2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	vbc.exe
PID 2024 wrote to memory of 2004	2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	vbc.exe
PID 2024 wrote to memory of 2004	2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	vbc.exe
PID 2024 wrote to memory of 2004	2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	vbc.exe
PID 2024 wrote to memory of 2004	2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	vbc.exe
PID 2024 wrote to memory of 2004	2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	vbc.exe
PID 2024 wrote to memory of 2004	2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	vbc.exe
PID 2024 wrote to memory of 2004	2024	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C cd C:\Users\Admin\AppData\Roaming\ &&ren *.zgy *.exe && exit
2⤵
PID:624

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MTemp104.vbs"
2⤵
- Adds Run key to start application
PID:1908

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Users\Admin\AppData\Local\Temp\nSClearText.exe
C:\Users\Admin\AppData\Local\Temp\nSClearText.exe
2⤵
- Executes dropped EXE
PID:2620

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2004

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MTemp104.vbs
Filesize
429B

MD5
d4d3eb4e97c7387695972b24915e7530

SHA1
087ba0cdd68b4cd6bae40b81935c0d273a1a97bd

SHA256
f5b3191cb17353ca70f772b6208d26d04ba18076a709c20990836f75ee27a638

SHA512
a9709a5552d7013fe28bfc1d3dc8479108377a14c1b131390747a6a80e25def6161f79fa8a9bd2179ee70f9dd1a212d940a28e3bd8dbd5165b552a191e1de8ac

Download Submit
C:\Users\Admin\AppData\Roaming\jdx.zgy
Filesize
630KB

MD5
1f36ae9c549463f85413f1f79c0c5886

SHA1
d4c413853c03dd17acaada4c1d46195e57cb9017

SHA256
351b67cd53a80350ea7d34f069e85a2e4cb4d8050ef00f1e4a994f04326c78af

SHA512
e54ac588bcba670fe0d3dbbf21768cfa2c1af799c4fc9d2f16d01efbb0697fbf63eaa7ae16ac26e1ef31a1cb247eb6ce63f923dab0ab0d9efe9d3db20852b76c

Download Submit
memory/2004-44-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2004-40-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2024-0-0x0000000074631000-0x0000000074632000-memory.dmp

Filesize
4KB

Download
memory/2024-1-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download
memory/2024-2-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download
memory/2024-41-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download
memory/2024-27-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download
memory/2724-17-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2724-18-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2724-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2724-14-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2724-12-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2724-25-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2724-26-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2724-19-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2724-23-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2724-24-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2724-9-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download