darkcomet | fc2e03dee1a62f0c7b6e84354a3bb187588f78048d4aad87a01cb967f9df3844

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
03-07-2024 09:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Size

281KB
MD5

21ce0bf3df358c7a3d87034d4cba8a73
SHA1

d3cf383529b827668a581a517bab63fd1f5064f6
SHA256

fc2e03dee1a62f0c7b6e84354a3bb187588f78048d4aad87a01cb967f9df3844
SHA512

b9a1aefc6961cdc4eeebf17d6fa0c4ddff36da64a9dbdab6a419c72b3a822fb1beb20d35db2a676a709b69ab6b2edb5af9044ef72032aea11bfc6df99b33a61a
SSDEEP

6144:2PFhbjbYGBWA72gTXbbqidowX3CJkwWXejkJEwwRlu:KXfbhocLb9owX3CJ3cejkuwG

Score

10^/10

darkcomet guest16 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

www2q.hopto.org:1604

Mutex

DC_MUTEX-PTGB02B

Attributes

InstallPath
Up\Update.exe
gencode
fFbst8hvUYyb
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Extracted

Family

darkcomet

Attributes

gencode
install
false
offline_keylogger
false
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Up\\Update.exe"	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe

Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

2492 notepad.exe
Executes dropped EXE 2 IoCs

Processes:

Update.exeUpdate.exe

pid process

2660 Update.exe
2568 Update.exe
Loads dropped DLL 8 IoCs

Processes:

21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exeUpdate.exeUpdate.exe

pid process

2016 21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
2660 Update.exe
2660 Update.exe
2660 Update.exe
2660 Update.exe
2568 Update.exe
2568 Update.exe
2568 Update.exe

pid	process
2492	notepad.exe

pid	process
2660	Update.exe
2568	Update.exe

pid	process
2016	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
2660	Update.exe
2660	Update.exe
2660	Update.exe
2660	Update.exe
2568	Update.exe
2568	Update.exe
2568	Update.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exeUpdate.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Up\\Update.exe"	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Up\\Update.exe"	Update.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exeUpdate.exe

description	pid	process	target process
PID 3000 set thread context of 2016	3000	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
PID 2660 set thread context of 2568	2660	Update.exe	Update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exeUpdate.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2016	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Token: SeSecurityPrivilege	2016	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2016	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2016	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2016	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2016	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2016	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2016	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2016	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Token: SeBackupPrivilege	2016	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Token: SeRestorePrivilege	2016	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Token: SeShutdownPrivilege	2016	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Token: SeDebugPrivilege	2016	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2016	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2016	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2016	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Token: SeUndockPrivilege	2016	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2016	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2016	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2016	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Token: 33	2016	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Token: 34	2016	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Token: 35	2016	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2568	Update.exe
Token: SeSecurityPrivilege	2568	Update.exe
Token: SeTakeOwnershipPrivilege	2568	Update.exe
Token: SeLoadDriverPrivilege	2568	Update.exe
Token: SeSystemProfilePrivilege	2568	Update.exe
Token: SeSystemtimePrivilege	2568	Update.exe
Token: SeProfSingleProcessPrivilege	2568	Update.exe
Token: SeIncBasePriorityPrivilege	2568	Update.exe
Token: SeCreatePagefilePrivilege	2568	Update.exe
Token: SeBackupPrivilege	2568	Update.exe
Token: SeRestorePrivilege	2568	Update.exe
Token: SeShutdownPrivilege	2568	Update.exe
Token: SeDebugPrivilege	2568	Update.exe
Token: SeSystemEnvironmentPrivilege	2568	Update.exe
Token: SeChangeNotifyPrivilege	2568	Update.exe
Token: SeRemoteShutdownPrivilege	2568	Update.exe
Token: SeUndockPrivilege	2568	Update.exe
Token: SeManageVolumePrivilege	2568	Update.exe
Token: SeImpersonatePrivilege	2568	Update.exe
Token: SeCreateGlobalPrivilege	2568	Update.exe
Token: 33	2568	Update.exe
Token: 34	2568	Update.exe
Token: 35	2568	Update.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exeUpdate.exeUpdate.exe

pid process

3000 21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
2660 Update.exe
2568 Update.exe

pid	process
3000	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
2660	Update.exe
2568	Update.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exeUpdate.exe

description	pid	process	target process
PID 3000 wrote to memory of 2016	3000	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
PID 3000 wrote to memory of 2016	3000	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
PID 3000 wrote to memory of 2016	3000	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
PID 3000 wrote to memory of 2016	3000	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
PID 3000 wrote to memory of 2016	3000	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
PID 3000 wrote to memory of 2016	3000	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
PID 3000 wrote to memory of 2016	3000	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
PID 3000 wrote to memory of 2016	3000	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
PID 2016 wrote to memory of 2492	2016	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	notepad.exe
PID 2016 wrote to memory of 2492	2016	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	notepad.exe
PID 2016 wrote to memory of 2492	2016	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	notepad.exe
PID 2016 wrote to memory of 2492	2016	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	notepad.exe
PID 2016 wrote to memory of 2492	2016	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	notepad.exe
PID 2016 wrote to memory of 2492	2016	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	notepad.exe
PID 2016 wrote to memory of 2492	2016	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	notepad.exe
PID 2016 wrote to memory of 2492	2016	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	notepad.exe
PID 2016 wrote to memory of 2492	2016	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	notepad.exe
PID 2016 wrote to memory of 2492	2016	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	notepad.exe
PID 2016 wrote to memory of 2492	2016	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	notepad.exe
PID 2016 wrote to memory of 2492	2016	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	notepad.exe
PID 2016 wrote to memory of 2492	2016	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	notepad.exe
PID 2016 wrote to memory of 2492	2016	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	notepad.exe
PID 2016 wrote to memory of 2492	2016	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	notepad.exe
PID 2016 wrote to memory of 2492	2016	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	notepad.exe
PID 2016 wrote to memory of 2492	2016	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	notepad.exe
PID 2016 wrote to memory of 2492	2016	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	notepad.exe
PID 2016 wrote to memory of 2660	2016	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	Update.exe
PID 2016 wrote to memory of 2660	2016	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	Update.exe
PID 2016 wrote to memory of 2660	2016	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	Update.exe
PID 2016 wrote to memory of 2660	2016	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	Update.exe
PID 2016 wrote to memory of 2660	2016	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	Update.exe
PID 2016 wrote to memory of 2660	2016	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	Update.exe
PID 2016 wrote to memory of 2660	2016	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	Update.exe
PID 2660 wrote to memory of 2568	2660	Update.exe	Update.exe
PID 2660 wrote to memory of 2568	2660	Update.exe	Update.exe
PID 2660 wrote to memory of 2568	2660	Update.exe	Update.exe
PID 2660 wrote to memory of 2568	2660	Update.exe	Update.exe
PID 2660 wrote to memory of 2568	2660	Update.exe	Update.exe
PID 2660 wrote to memory of 2568	2660	Update.exe	Update.exe
PID 2660 wrote to memory of 2568	2660	Update.exe	Update.exe
PID 2660 wrote to memory of 2568	2660	Update.exe	Update.exe
PID 2660 wrote to memory of 2568	2660	Update.exe	Update.exe
PID 2660 wrote to memory of 2568	2660	Update.exe	Update.exe
PID 2660 wrote to memory of 2568	2660	Update.exe	Update.exe

C:\Users\Admin\AppData\Local\Temp\21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3000

C:\Users\Admin\AppData\Local\Temp\21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe"
2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
- Deletes itself
PID:2492

C:\ProgramData\Microsoft\Windows\Start Menu\Up\Update.exe
"C:\ProgramData\Microsoft\Windows\Start Menu\Up\Update.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2660

C:\ProgramData\Microsoft\Windows\Start Menu\Up\Update.exe
"C:\ProgramData\Microsoft\Windows\Start Menu\Up\Update.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2568

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Up\Update.exe
Filesize
281KB

MD5
21ce0bf3df358c7a3d87034d4cba8a73

SHA1
d3cf383529b827668a581a517bab63fd1f5064f6

SHA256
fc2e03dee1a62f0c7b6e84354a3bb187588f78048d4aad87a01cb967f9df3844

SHA512
b9a1aefc6961cdc4eeebf17d6fa0c4ddff36da64a9dbdab6a419c72b3a822fb1beb20d35db2a676a709b69ab6b2edb5af9044ef72032aea11bfc6df99b33a61a

Download Submit
memory/2016-14-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2016-4-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2016-7-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2016-41-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2016-43-0x0000000003640000-0x0000000003748000-memory.dmp

Filesize
1.0MB

Download
memory/2016-11-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2016-12-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2016-16-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2016-15-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2016-17-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2492-36-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2492-21-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2568-75-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2568-74-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2568-86-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2568-84-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2568-83-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2568-82-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2568-80-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2568-79-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2568-77-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2568-76-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2568-61-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2568-68-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2568-73-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2568-69-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2568-70-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2660-67-0x0000000003400000-0x0000000003508000-memory.dmp

Filesize
1.0MB

Download
memory/2660-72-0x0000000000400000-0x0000000000508000-memory.dmp

Filesize
1.0MB

Download
memory/2660-51-0x0000000000510000-0x0000000000618000-memory.dmp

Filesize
1.0MB

Download
memory/2660-53-0x0000000000510000-0x0000000000618000-memory.dmp

Filesize
1.0MB

Download
memory/2660-54-0x0000000000510000-0x0000000000618000-memory.dmp

Filesize
1.0MB

Download
memory/2660-55-0x00000000003E0000-0x00000000003E3000-memory.dmp

Filesize
12KB

Download
memory/2660-46-0x0000000000400000-0x0000000000508000-memory.dmp

Filesize
1.0MB

Download
memory/3000-0-0x0000000000400000-0x0000000000508000-memory.dmp

Filesize
1.0MB

Download
memory/3000-9-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/3000-1-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/3000-6-0x0000000002C70000-0x0000000002D78000-memory.dmp

Filesize
1.0MB

Download
memory/3000-10-0x0000000000400000-0x0000000000508000-memory.dmp

Filesize
1.0MB

Download