darkcomet | c27d63aaaab8a73807dcc5cfc8d4ea41759da0a2a5aae290a1acf0fd00481c24

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2024 00:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
Size

380KB
MD5

23f5da47d1e3320198797ec21026ff20
SHA1

4d0c77335a3f00cdd266d384913072701795ce42
SHA256

c27d63aaaab8a73807dcc5cfc8d4ea41759da0a2a5aae290a1acf0fd00481c24
SHA512

f4f35e2f89840cf4a09570d4ff6ea916eb2339bc6ece8156544c112777efeeb25fc9017fc03ab9b2178f90dbc000bfe7bfa280878056d0ca1ce2371c830e49fa
SSDEEP

6144:8JicfqjN1+ZkfWH3eKR/VErZFIDSavR5XaqhuHA48hN+q/kaQU7NLT2TtsbRmkuu:ZDNUZwjKdyPa0qhu8Aqx7NH2Tt+

Score

10^/10

darkcomet evasion persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\winlogon.exe"	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe

Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

2984 attrib.exe
5068 attrib.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe

pid	process
2984	attrib.exe
5068	attrib.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2108-3-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral2/memory/2108-2-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral2/memory/2108-4-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral2/memory/2108-5-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral2/memory/2108-6-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral2/memory/2108-7-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral2/memory/2108-67-0x0000000000400000-0x00000000004EB000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Windows\\system32\\winlogon.exe"	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

Processes:

23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\winlogon.exe	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\winlogon.exe	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe

description pid process target process

PID 4460 set thread context of 2108 4460 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3488 PING.EXE

description	pid	process	target process
PID 4460 set thread context of 2108	4460	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe

pid	process
3488	PING.EXE

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2108	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
Token: SeSecurityPrivilege	2108	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2108	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2108	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2108	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2108	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2108	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2108	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2108	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
Token: SeBackupPrivilege	2108	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
Token: SeRestorePrivilege	2108	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
Token: SeShutdownPrivilege	2108	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2108	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2108	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2108	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
Token: SeUndockPrivilege	2108	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2108	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2108	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2108	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
Token: 33	2108	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
Token: 34	2108	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
Token: 35	2108	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
Token: 36	2108	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe

pid process

4460 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe

pid	process
4460	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe23f5da47d1e3320198797ec21026ff20_JaffaCakes118.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4460 wrote to memory of 2108	4460	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
PID 4460 wrote to memory of 2108	4460	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
PID 4460 wrote to memory of 2108	4460	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
PID 4460 wrote to memory of 2108	4460	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
PID 4460 wrote to memory of 2108	4460	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
PID 4460 wrote to memory of 2108	4460	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
PID 4460 wrote to memory of 2108	4460	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
PID 4460 wrote to memory of 2108	4460	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
PID 2108 wrote to memory of 3576	2108	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe	cmd.exe
PID 2108 wrote to memory of 3576	2108	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe	cmd.exe
PID 2108 wrote to memory of 3576	2108	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe	cmd.exe
PID 2108 wrote to memory of 3144	2108	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe	cmd.exe
PID 2108 wrote to memory of 3144	2108	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe	cmd.exe
PID 2108 wrote to memory of 3144	2108	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe	cmd.exe
PID 2108 wrote to memory of 1560	2108	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe	cmd.exe
PID 2108 wrote to memory of 1560	2108	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe	cmd.exe
PID 2108 wrote to memory of 1560	2108	23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe	cmd.exe
PID 3576 wrote to memory of 2984	3576	cmd.exe	attrib.exe
PID 3576 wrote to memory of 2984	3576	cmd.exe	attrib.exe
PID 3576 wrote to memory of 2984	3576	cmd.exe	attrib.exe
PID 1560 wrote to memory of 3488	1560	cmd.exe	PING.EXE
PID 1560 wrote to memory of 3488	1560	cmd.exe	PING.EXE
PID 1560 wrote to memory of 3488	1560	cmd.exe	PING.EXE
PID 3144 wrote to memory of 5068	3144	cmd.exe	attrib.exe
PID 3144 wrote to memory of 5068	3144	cmd.exe	attrib.exe
PID 3144 wrote to memory of 5068	3144	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

2984 attrib.exe
5068 attrib.exe

pid	process
2984	attrib.exe
5068	attrib.exe

C:\Users\Admin\AppData\Local\Temp\23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4460

C:\Users\Admin\AppData\Local\Temp\23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2108

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:3576

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe" +s +h
4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2984

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:3144

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:5068

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Users\Admin\AppData\Local\Temp\23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
4⤵
- Runs ping.exe
PID:3488

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\winlogon.exe
Filesize
380KB

MD5
23f5da47d1e3320198797ec21026ff20

SHA1
4d0c77335a3f00cdd266d384913072701795ce42

SHA256
c27d63aaaab8a73807dcc5cfc8d4ea41759da0a2a5aae290a1acf0fd00481c24

SHA512
f4f35e2f89840cf4a09570d4ff6ea916eb2339bc6ece8156544c112777efeeb25fc9017fc03ab9b2178f90dbc000bfe7bfa280878056d0ca1ce2371c830e49fa

Download Submit
memory/2108-3-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2108-2-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2108-4-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2108-5-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2108-6-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2108-7-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2108-67-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download