darkcomet | 351b67cd53a80350ea7d34f069e85a2e4cb4d8050ef00f1e4a994f04326c78af

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
02-07-2024 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
Size

630KB
MD5

1f36ae9c549463f85413f1f79c0c5886
SHA1

d4c413853c03dd17acaada4c1d46195e57cb9017
SHA256

351b67cd53a80350ea7d34f069e85a2e4cb4d8050ef00f1e4a994f04326c78af
SHA512

e54ac588bcba670fe0d3dbbf21768cfa2c1af799c4fc9d2f16d01efbb0697fbf63eaa7ae16ac26e1ef31a1cb247eb6ce63f923dab0ab0d9efe9d3db20852b76c
SSDEEP

12288:v5kJ7Mj7pvwIQRdVoZ9NVlfndzfiX6gIGPQG+U:v5C4jVvW89N7fndzfpgFQG+

Score

10^/10

darkcomet persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4824-10-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral2/memory/4824-13-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral2/memory/4824-12-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral2/memory/4824-14-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral2/memory/4824-17-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral2/memory/4824-16-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral2/memory/4824-23-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral2/memory/4824-25-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral2/memory/4824-30-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral2/memory/4212-39-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral2/memory/4824-43-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral2/memory/4824-45-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral2/memory/4824-50-0x0000000000400000-0x00000000004EB000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jdx = "C:\\Users\\Admin\\AppData\\Roaming\\jdx.exe"	WScript.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe

description	pid	process	target process
PID 1388 set thread context of 4824	1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	csc.exe
PID 1388 set thread context of 4212	1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	csc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe

pid	process
1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.execsc.execsc.exe

description	pid	process
Token: SeDebugPrivilege	1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	4824	csc.exe
Token: SeSecurityPrivilege	4824	csc.exe
Token: SeTakeOwnershipPrivilege	4824	csc.exe
Token: SeLoadDriverPrivilege	4824	csc.exe
Token: SeSystemProfilePrivilege	4824	csc.exe
Token: SeSystemtimePrivilege	4824	csc.exe
Token: SeProfSingleProcessPrivilege	4824	csc.exe
Token: SeIncBasePriorityPrivilege	4824	csc.exe
Token: SeCreatePagefilePrivilege	4824	csc.exe
Token: SeBackupPrivilege	4824	csc.exe
Token: SeRestorePrivilege	4824	csc.exe
Token: SeShutdownPrivilege	4824	csc.exe
Token: SeDebugPrivilege	4824	csc.exe
Token: SeSystemEnvironmentPrivilege	4824	csc.exe
Token: SeChangeNotifyPrivilege	4824	csc.exe
Token: SeRemoteShutdownPrivilege	4824	csc.exe
Token: SeUndockPrivilege	4824	csc.exe
Token: SeManageVolumePrivilege	4824	csc.exe
Token: SeImpersonatePrivilege	4824	csc.exe
Token: SeCreateGlobalPrivilege	4824	csc.exe
Token: 33	4824	csc.exe
Token: 34	4824	csc.exe
Token: 35	4824	csc.exe
Token: 36	4824	csc.exe
Token: SeIncreaseQuotaPrivilege	4212	csc.exe
Token: SeSecurityPrivilege	4212	csc.exe
Token: SeTakeOwnershipPrivilege	4212	csc.exe
Token: SeLoadDriverPrivilege	4212	csc.exe
Token: SeSystemProfilePrivilege	4212	csc.exe
Token: SeSystemtimePrivilege	4212	csc.exe
Token: SeProfSingleProcessPrivilege	4212	csc.exe
Token: SeIncBasePriorityPrivilege	4212	csc.exe
Token: SeCreatePagefilePrivilege	4212	csc.exe
Token: SeBackupPrivilege	4212	csc.exe
Token: SeRestorePrivilege	4212	csc.exe
Token: SeShutdownPrivilege	4212	csc.exe
Token: SeDebugPrivilege	4212	csc.exe
Token: SeSystemEnvironmentPrivilege	4212	csc.exe
Token: SeChangeNotifyPrivilege	4212	csc.exe
Token: SeRemoteShutdownPrivilege	4212	csc.exe
Token: SeUndockPrivilege	4212	csc.exe
Token: SeManageVolumePrivilege	4212	csc.exe
Token: SeImpersonatePrivilege	4212	csc.exe
Token: SeCreateGlobalPrivilege	4212	csc.exe
Token: 33	4212	csc.exe
Token: 34	4212	csc.exe
Token: 35	4212	csc.exe
Token: 36	4212	csc.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe

description	pid	process	target process
PID 1388 wrote to memory of 1700	1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	cmd.exe
PID 1388 wrote to memory of 1700	1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	cmd.exe
PID 1388 wrote to memory of 1700	1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	cmd.exe
PID 1388 wrote to memory of 1160	1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	WScript.exe
PID 1388 wrote to memory of 1160	1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	WScript.exe
PID 1388 wrote to memory of 1160	1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	WScript.exe
PID 1388 wrote to memory of 4824	1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	csc.exe
PID 1388 wrote to memory of 4824	1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	csc.exe
PID 1388 wrote to memory of 4824	1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	csc.exe
PID 1388 wrote to memory of 4824	1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	csc.exe
PID 1388 wrote to memory of 4824	1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	csc.exe
PID 1388 wrote to memory of 4824	1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	csc.exe
PID 1388 wrote to memory of 4824	1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	csc.exe
PID 1388 wrote to memory of 4824	1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	csc.exe
PID 1388 wrote to memory of 4212	1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	csc.exe
PID 1388 wrote to memory of 4212	1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	csc.exe
PID 1388 wrote to memory of 4212	1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	csc.exe
PID 1388 wrote to memory of 4212	1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	csc.exe
PID 1388 wrote to memory of 4212	1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	csc.exe
PID 1388 wrote to memory of 4212	1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	csc.exe
PID 1388 wrote to memory of 4212	1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	csc.exe
PID 1388 wrote to memory of 4212	1388	1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe	csc.exe

C:\Users\Admin\AppData\Local\Temp\1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C cd C:\Users\Admin\AppData\Roaming\ &&ren *.zgy *.exe && exit
2⤵
PID:1700

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MTemp104.vbs"
2⤵
- Adds Run key to start application
PID:1160

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4824

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4212

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MTemp104.vbs
Filesize
429B

MD5
d4d3eb4e97c7387695972b24915e7530

SHA1
087ba0cdd68b4cd6bae40b81935c0d273a1a97bd

SHA256
f5b3191cb17353ca70f772b6208d26d04ba18076a709c20990836f75ee27a638

SHA512
a9709a5552d7013fe28bfc1d3dc8479108377a14c1b131390747a6a80e25def6161f79fa8a9bd2179ee70f9dd1a212d940a28e3bd8dbd5165b552a191e1de8ac

Download Submit
C:\Users\Admin\AppData\Roaming\jdx.zgy
Filesize
630KB

MD5
1f36ae9c549463f85413f1f79c0c5886

SHA1
d4c413853c03dd17acaada4c1d46195e57cb9017

SHA256
351b67cd53a80350ea7d34f069e85a2e4cb4d8050ef00f1e4a994f04326c78af

SHA512
e54ac588bcba670fe0d3dbbf21768cfa2c1af799c4fc9d2f16d01efbb0697fbf63eaa7ae16ac26e1ef31a1cb247eb6ce63f923dab0ab0d9efe9d3db20852b76c

Download Submit
memory/1388-29-0x0000000001A70000-0x0000000001A80000-memory.dmp

Filesize
64KB

Download
memory/1388-1-0x0000000075280000-0x0000000075831000-memory.dmp

Filesize
5.7MB

Download
memory/1388-22-0x0000000075280000-0x0000000075831000-memory.dmp

Filesize
5.7MB

Download
memory/1388-21-0x0000000075282000-0x0000000075283000-memory.dmp

Filesize
4KB

Download
memory/1388-38-0x0000000075280000-0x0000000075831000-memory.dmp

Filesize
5.7MB

Download
memory/1388-0-0x0000000075282000-0x0000000075283000-memory.dmp

Filesize
4KB

Download
memory/1388-28-0x0000000001A70000-0x0000000001A80000-memory.dmp

Filesize
64KB

Download
memory/1388-18-0x0000000001A70000-0x0000000001A80000-memory.dmp

Filesize
64KB

Download
memory/1388-27-0x0000000001A70000-0x0000000001A80000-memory.dmp

Filesize
64KB

Download
memory/1388-24-0x0000000075280000-0x0000000075831000-memory.dmp

Filesize
5.7MB

Download
memory/1388-19-0x0000000001A70000-0x0000000001A80000-memory.dmp

Filesize
64KB

Download
memory/1388-20-0x0000000001A70000-0x0000000001A80000-memory.dmp

Filesize
64KB

Download
memory/1388-2-0x0000000075280000-0x0000000075831000-memory.dmp

Filesize
5.7MB

Download
memory/4212-39-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4824-14-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4824-16-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4824-25-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4824-17-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4824-50-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4824-12-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4824-13-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4824-10-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4824-30-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4824-43-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4824-45-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4824-23-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download