darkcomet | 45ab1979854a77e9dd0aee9c1c70816b78d39c2bf08bcbcec00eece2648df531

Analysis

max time kernel
143s
max time network
149s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
02-07-2024 21:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d7c6be9fa4ae8b1fc38353f9128defb_JaffaCakes118.exe
Size

1.1MB
MD5

1d7c6be9fa4ae8b1fc38353f9128defb
SHA1

baa78b59546fe20690306b2b51d0a8706b819bb0
SHA256

45ab1979854a77e9dd0aee9c1c70816b78d39c2bf08bcbcec00eece2648df531
SHA512

fd50008d3a80dd12a72d93e8b26f2f65be1f98abce4302e9e18c7499b572047299defb1bb54ef756a8298b5c062276f6fbc5575952d0679e4a34abae350e8e29
SSDEEP

24576:fyBgFB2EoTKXtnOwd9LaJIBwhXEtiUwnBrh7512KZ1X:qBgRoTWnOwHzTwbV1f1X

Score

10^/10

darkcomet persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

test.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate test.exe
Executes dropped EXE 2 IoCs

Processes:

Game_Test.EXEtest.exe

pid process

2672 Game_Test.EXE
1280 test.exe
Loads dropped DLL 4 IoCs

Processes:

1d7c6be9fa4ae8b1fc38353f9128defb_JaffaCakes118.exeGame_Test.EXEtest.exe

pid process

2400 1d7c6be9fa4ae8b1fc38353f9128defb_JaffaCakes118.exe
2672 Game_Test.EXE
2672 Game_Test.EXE
1280 test.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	test.exe

pid	process
2672	Game_Test.EXE
1280	test.exe

pid	process
2400	1d7c6be9fa4ae8b1fc38353f9128defb_JaffaCakes118.exe
2672	Game_Test.EXE
2672	Game_Test.EXE
1280	test.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Game_Test.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Game_Test.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

test.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	test.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	test.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	test.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	test.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

test.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier test.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	test.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

1d7c6be9fa4ae8b1fc38353f9128defb_JaffaCakes118.exeGame_Test.EXEtest.exe

description	pid	process
Token: 33	2400	1d7c6be9fa4ae8b1fc38353f9128defb_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2400	1d7c6be9fa4ae8b1fc38353f9128defb_JaffaCakes118.exe
Token: 33	2400	1d7c6be9fa4ae8b1fc38353f9128defb_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2400	1d7c6be9fa4ae8b1fc38353f9128defb_JaffaCakes118.exe
Token: 33	2400	1d7c6be9fa4ae8b1fc38353f9128defb_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2400	1d7c6be9fa4ae8b1fc38353f9128defb_JaffaCakes118.exe
Token: 33	2672	Game_Test.EXE
Token: SeIncBasePriorityPrivilege	2672	Game_Test.EXE
Token: SeIncreaseQuotaPrivilege	1280	test.exe
Token: SeSecurityPrivilege	1280	test.exe
Token: SeTakeOwnershipPrivilege	1280	test.exe
Token: SeLoadDriverPrivilege	1280	test.exe
Token: SeSystemProfilePrivilege	1280	test.exe
Token: SeSystemtimePrivilege	1280	test.exe
Token: SeProfSingleProcessPrivilege	1280	test.exe
Token: SeIncBasePriorityPrivilege	1280	test.exe
Token: SeCreatePagefilePrivilege	1280	test.exe
Token: SeBackupPrivilege	1280	test.exe
Token: SeRestorePrivilege	1280	test.exe
Token: SeShutdownPrivilege	1280	test.exe
Token: SeDebugPrivilege	1280	test.exe
Token: SeSystemEnvironmentPrivilege	1280	test.exe
Token: SeChangeNotifyPrivilege	1280	test.exe
Token: SeRemoteShutdownPrivilege	1280	test.exe
Token: SeUndockPrivilege	1280	test.exe
Token: SeManageVolumePrivilege	1280	test.exe
Token: SeImpersonatePrivilege	1280	test.exe
Token: SeCreateGlobalPrivilege	1280	test.exe
Token: 33	1280	test.exe
Token: 34	1280	test.exe
Token: 35	1280	test.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

1d7c6be9fa4ae8b1fc38353f9128defb_JaffaCakes118.exeGame_Test.EXE

description	pid	process	target process
PID 2400 wrote to memory of 2672	2400	1d7c6be9fa4ae8b1fc38353f9128defb_JaffaCakes118.exe	Game_Test.EXE
PID 2400 wrote to memory of 2672	2400	1d7c6be9fa4ae8b1fc38353f9128defb_JaffaCakes118.exe	Game_Test.EXE
PID 2400 wrote to memory of 2672	2400	1d7c6be9fa4ae8b1fc38353f9128defb_JaffaCakes118.exe	Game_Test.EXE
PID 2400 wrote to memory of 2672	2400	1d7c6be9fa4ae8b1fc38353f9128defb_JaffaCakes118.exe	Game_Test.EXE
PID 2400 wrote to memory of 2672	2400	1d7c6be9fa4ae8b1fc38353f9128defb_JaffaCakes118.exe	Game_Test.EXE
PID 2400 wrote to memory of 2672	2400	1d7c6be9fa4ae8b1fc38353f9128defb_JaffaCakes118.exe	Game_Test.EXE
PID 2400 wrote to memory of 2672	2400	1d7c6be9fa4ae8b1fc38353f9128defb_JaffaCakes118.exe	Game_Test.EXE
PID 2672 wrote to memory of 1280	2672	Game_Test.EXE	test.exe
PID 2672 wrote to memory of 1280	2672	Game_Test.EXE	test.exe
PID 2672 wrote to memory of 1280	2672	Game_Test.EXE	test.exe
PID 2672 wrote to memory of 1280	2672	Game_Test.EXE	test.exe
PID 2672 wrote to memory of 1280	2672	Game_Test.EXE	test.exe
PID 2672 wrote to memory of 1280	2672	Game_Test.EXE	test.exe
PID 2672 wrote to memory of 1280	2672	Game_Test.EXE	test.exe

C:\Users\Admin\AppData\Local\Temp\1d7c6be9fa4ae8b1fc38353f9128defb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1d7c6be9fa4ae8b1fc38353f9128defb_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2400

\DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\Game\2.0.1.1\2011.03.17T23.59\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\Game_Test.EXE
"C:\Users\Admin\AppData\Local\Temp\Game_Test.EXE"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2672

\DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\Game\2.0.1.1\2011.03.17T23.59\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\test.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\test.exe
3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:1280

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\test.exe
Filesize
666KB

MD5
a09f440551ac1995c3ba4910e533fbc8

SHA1
24c7bd50dc6a0966ff4ba610200cf356e561e2c5

SHA256
74660d787976c12c2fdb0ea16b656efc8bebda1c23247b30678157a245f65355

SHA512
d53dce3a4eab3d5e531ffba78a8beae5ebec70d41dd5a993b098c25e6f01ab8c7095dd6b64fa35a9a50362da88c2f17302afcd692db8aa48403e7b3cec1a5aa3

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\Game\2.0.1.1\2011.03.17T23.59\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\test.exe
Filesize
17KB

MD5
b200c98714d2e0b08d73fad42fb64764

SHA1
38f98eff67ebc125b9bc9be38dbe5a50a5ae6132

SHA256
2952e2e8a4542d6b3ea89733fcf46ba555e1aa090fda917ca5f5e93a1fe1bff4

SHA512
1df43a3f470eafe72db248d8c18653b89c8126f0c72480d015f837e31ac608c0fe7041aae0b0d70fc3c540d7c7b9c09757a7186ff5f07778d1486cda43dfd828

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\Game\2.0.1.1\2011.03.17T23.59\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\Game_Test.EXE
Filesize
17KB

MD5
9fbed146b40afe568f710632df43c7ce

SHA1
bca1fcff30f62298e9ef4a30b8933e13a9c12cab

SHA256
19002df9ff572ed463cb5a335420db3aa28e38ac29d5086f9ab778c4f0803574

SHA512
e1b78283c9de0a4cf37be893485084a2e7f14280b9457d1103945cfafd29cfd7dc0ce2f85000fe45fa0c2f25f8bcf58fc5b8b0a1421cd2bd26a26ee1bab291d8

Download Submit
memory/1280-49-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1280-47-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1280-43-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1280-73-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1280-68-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1280-74-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1280-76-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1280-78-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1280-79-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1280-77-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1280-81-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1280-83-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1280-84-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1280-67-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1280-80-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1280-75-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1280-45-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1280-46-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1280-48-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1280-54-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1280-55-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1280-41-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1280-42-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1280-53-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1280-52-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1280-51-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1280-50-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1280-57-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1280-69-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1280-71-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1280-70-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1280-72-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1280-56-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1280-66-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1280-65-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1280-62-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1280-64-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1280-63-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1280-61-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1280-60-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1280-59-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1280-58-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2400-2-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/2400-4-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/2400-7-0x0000000000990000-0x0000000000A02000-memory.dmp

Filesize
456KB

Download
memory/2400-6-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/2400-8-0x0000000000990000-0x0000000000A02000-memory.dmp

Filesize
456KB

Download
memory/2400-3-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/2400-23-0x0000000000990000-0x0000000000A02000-memory.dmp

Filesize
456KB

Download
memory/2400-12-0x00000000038E0000-0x0000000003996000-memory.dmp

Filesize
728KB

Download
memory/2400-11-0x00000000038E0000-0x0000000003996000-memory.dmp

Filesize
728KB

Download
memory/2400-5-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/2400-1-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/2400-10-0x00000000038E0000-0x0000000003996000-memory.dmp

Filesize
728KB

Download
memory/2400-0-0x0000000000990000-0x0000000000A02000-memory.dmp

Filesize
456KB

Download
memory/2672-19-0x0000000001000000-0x00000000010B6000-memory.dmp

Filesize
728KB

Download
memory/2672-20-0x0000000001000000-0x00000000010B6000-memory.dmp

Filesize
728KB

Download
memory/2672-16-0x0000000001000000-0x00000000010B6000-memory.dmp

Filesize
728KB

Download
memory/2672-18-0x0000000001000000-0x00000000010B6000-memory.dmp

Filesize
728KB

Download
memory/2672-17-0x0000000001000000-0x00000000010B6000-memory.dmp

Filesize
728KB

Download
memory/2672-14-0x0000000001000000-0x00000000010B6000-memory.dmp

Filesize
728KB

Download
memory/2672-21-0x0000000001000000-0x00000000010B6000-memory.dmp

Filesize
728KB

Download
memory/2672-22-0x0000000001000000-0x00000000010B6000-memory.dmp

Filesize
728KB

Download