darkcomet | fc2e03dee1a62f0c7b6e84354a3bb187588f78048d4aad87a01cb967f9df3844

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2024 09:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Size

281KB
MD5

21ce0bf3df358c7a3d87034d4cba8a73
SHA1

d3cf383529b827668a581a517bab63fd1f5064f6
SHA256

fc2e03dee1a62f0c7b6e84354a3bb187588f78048d4aad87a01cb967f9df3844
SHA512

b9a1aefc6961cdc4eeebf17d6fa0c4ddff36da64a9dbdab6a419c72b3a822fb1beb20d35db2a676a709b69ab6b2edb5af9044ef72032aea11bfc6df99b33a61a
SSDEEP

6144:2PFhbjbYGBWA72gTXbbqidowX3CJkwWXejkJEwwRlu:KXfbhocLb9owX3CJ3cejkuwG

Score

10^/10

darkcomet guest16 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

www2q.hopto.org:1604

Mutex

DC_MUTEX-PTGB02B

Attributes

InstallPath
Up\Update.exe
gencode
fFbst8hvUYyb
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Up\\Update.exe"	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation 21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

3820 notepad.exe
Executes dropped EXE 2 IoCs

Processes:

Update.exeUpdate.exe

pid process

3936 Update.exe
440 Update.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe

pid	process
3820	notepad.exe

pid	process
3936	Update.exe
440	Update.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exeUpdate.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Up\\Update.exe"	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Up\\Update.exe"	Update.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exeUpdate.exe

description	pid	process	target process
PID 2220 set thread context of 1208	2220	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
PID 3936 set thread context of 440	3936	Update.exe	Update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3036 3820 WerFault.exe notepad.exe

pid	pid_target	process	target process
3036	3820	WerFault.exe	notepad.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exeUpdate.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1208	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Token: SeSecurityPrivilege	1208	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	1208	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	1208	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	1208	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Token: SeSystemtimePrivilege	1208	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	1208	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1208	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	1208	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Token: SeBackupPrivilege	1208	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Token: SeRestorePrivilege	1208	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Token: SeShutdownPrivilege	1208	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Token: SeDebugPrivilege	1208	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	1208	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	1208	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	1208	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Token: SeUndockPrivilege	1208	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Token: SeManageVolumePrivilege	1208	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Token: SeImpersonatePrivilege	1208	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	1208	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Token: 33	1208	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Token: 34	1208	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Token: 35	1208	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Token: 36	1208	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	440	Update.exe
Token: SeSecurityPrivilege	440	Update.exe
Token: SeTakeOwnershipPrivilege	440	Update.exe
Token: SeLoadDriverPrivilege	440	Update.exe
Token: SeSystemProfilePrivilege	440	Update.exe
Token: SeSystemtimePrivilege	440	Update.exe
Token: SeProfSingleProcessPrivilege	440	Update.exe
Token: SeIncBasePriorityPrivilege	440	Update.exe
Token: SeCreatePagefilePrivilege	440	Update.exe
Token: SeBackupPrivilege	440	Update.exe
Token: SeRestorePrivilege	440	Update.exe
Token: SeShutdownPrivilege	440	Update.exe
Token: SeDebugPrivilege	440	Update.exe
Token: SeSystemEnvironmentPrivilege	440	Update.exe
Token: SeChangeNotifyPrivilege	440	Update.exe
Token: SeRemoteShutdownPrivilege	440	Update.exe
Token: SeUndockPrivilege	440	Update.exe
Token: SeManageVolumePrivilege	440	Update.exe
Token: SeImpersonatePrivilege	440	Update.exe
Token: SeCreateGlobalPrivilege	440	Update.exe
Token: 33	440	Update.exe
Token: 34	440	Update.exe
Token: 35	440	Update.exe
Token: 36	440	Update.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exeUpdate.exeUpdate.exe

pid process

2220 21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
3936 Update.exe
440 Update.exe

pid	process
2220	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
3936	Update.exe
440	Update.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exeUpdate.exe

description	pid	process	target process
PID 2220 wrote to memory of 1208	2220	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
PID 2220 wrote to memory of 1208	2220	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
PID 2220 wrote to memory of 1208	2220	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
PID 2220 wrote to memory of 1208	2220	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
PID 2220 wrote to memory of 1208	2220	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
PID 2220 wrote to memory of 1208	2220	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
PID 2220 wrote to memory of 1208	2220	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
PID 1208 wrote to memory of 3820	1208	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	notepad.exe
PID 1208 wrote to memory of 3820	1208	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	notepad.exe
PID 1208 wrote to memory of 3820	1208	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	notepad.exe
PID 1208 wrote to memory of 3820	1208	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	notepad.exe
PID 1208 wrote to memory of 3820	1208	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	notepad.exe
PID 1208 wrote to memory of 3820	1208	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	notepad.exe
PID 1208 wrote to memory of 3820	1208	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	notepad.exe
PID 1208 wrote to memory of 3820	1208	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	notepad.exe
PID 1208 wrote to memory of 3820	1208	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	notepad.exe
PID 1208 wrote to memory of 3820	1208	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	notepad.exe
PID 1208 wrote to memory of 3820	1208	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	notepad.exe
PID 1208 wrote to memory of 3820	1208	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	notepad.exe
PID 1208 wrote to memory of 3820	1208	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	notepad.exe
PID 1208 wrote to memory of 3820	1208	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	notepad.exe
PID 1208 wrote to memory of 3820	1208	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	notepad.exe
PID 1208 wrote to memory of 3820	1208	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	notepad.exe
PID 1208 wrote to memory of 3820	1208	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	notepad.exe
PID 1208 wrote to memory of 3936	1208	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	Update.exe
PID 1208 wrote to memory of 3936	1208	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	Update.exe
PID 1208 wrote to memory of 3936	1208	21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe	Update.exe
PID 3936 wrote to memory of 440	3936	Update.exe	Update.exe
PID 3936 wrote to memory of 440	3936	Update.exe	Update.exe
PID 3936 wrote to memory of 440	3936	Update.exe	Update.exe
PID 3936 wrote to memory of 440	3936	Update.exe	Update.exe
PID 3936 wrote to memory of 440	3936	Update.exe	Update.exe
PID 3936 wrote to memory of 440	3936	Update.exe	Update.exe
PID 3936 wrote to memory of 440	3936	Update.exe	Update.exe

C:\Users\Admin\AppData\Local\Temp\21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2220

C:\Users\Admin\AppData\Local\Temp\21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe"
2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
- Deletes itself
PID:3820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 232
4⤵
- Program crash
PID:3036

C:\ProgramData\Microsoft\Windows\Start Menu\Up\Update.exe
"C:\ProgramData\Microsoft\Windows\Start Menu\Up\Update.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3936

C:\ProgramData\Microsoft\Windows\Start Menu\Up\Update.exe
"C:\ProgramData\Microsoft\Windows\Start Menu\Up\Update.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3820 -ip 3820
1⤵
PID:1932

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Up\Update.exe
Filesize
281KB

MD5
21ce0bf3df358c7a3d87034d4cba8a73

SHA1
d3cf383529b827668a581a517bab63fd1f5064f6

SHA256
fc2e03dee1a62f0c7b6e84354a3bb187588f78048d4aad87a01cb967f9df3844

SHA512
b9a1aefc6961cdc4eeebf17d6fa0c4ddff36da64a9dbdab6a419c72b3a822fb1beb20d35db2a676a709b69ab6b2edb5af9044ef72032aea11bfc6df99b33a61a

Download Submit
memory/440-50-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/440-47-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/440-55-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/440-53-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/440-51-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/440-39-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/440-49-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/440-56-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/440-48-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/440-46-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/440-59-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/440-40-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/440-43-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/440-42-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1208-12-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1208-10-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1208-4-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1208-26-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1208-6-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1208-9-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1208-13-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2220-8-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/2220-0-0x0000000000400000-0x0000000000508000-memory.dmp

Filesize
1.0MB

Download
memory/2220-7-0x0000000000400000-0x0000000000508000-memory.dmp

Filesize
1.0MB

Download
memory/2220-1-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/3820-17-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/3936-30-0x0000000000400000-0x0000000000508000-memory.dmp

Filesize
1.0MB

Download
memory/3936-45-0x0000000000400000-0x0000000000508000-memory.dmp

Filesize
1.0MB

Download
memory/3936-31-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download