darkcomet | 7044ddd8b6a0a4dd7edd7989da538ed017522e3665ce3d0eaef606123a922f50

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 04:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe
Size

651KB
MD5

24a695bd98fe12ff40dfea58fa37a87e
SHA1

a6f2d32c7e0dca5cf6f116e4805b093e3c672256
SHA256

7044ddd8b6a0a4dd7edd7989da538ed017522e3665ce3d0eaef606123a922f50
SHA512

0318fae3986389a91edfb4ae11509178993f4d3f0a588a9c369be1432a091c6c8d5abf697353dedf79d2c2dd4be08f20751c1fe5b6a56dcfa100e9e0d552ed23
SSDEEP

12288:Lk0QVlhmPojAPTMEsUTg0oChO/Q2JbsbjPbN5qhRTtYe3f+Iw86k/9/+y:g0QRWoJEfg0oChGdJQbjPbNW5tYeP+GX

Score

10^/10

darkcomet guest16 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

mnanauk-dz.no-ip.biz:1604

Mutex

DC_MUTEX-EB46CLG

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
rpfQbN9b66NT
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\MSDCSC\\msdcsc.exe"	24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

msdcsc.exe

pid process

2660 msdcsc.exe
Loads dropped DLL 1 IoCs

Processes:

24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe

pid process

2652 24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe

pid	process
2660	msdcsc.exe

pid	process
2652	24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\MSDCSC\\msdcsc.exe"	24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

msdcsc.exe

description pid process target process

PID 2660 set thread context of 2708 2660 msdcsc.exe iexplore.exe

description	pid	process	target process
PID 2660 set thread context of 2708	2660	msdcsc.exe	iexplore.exe

Drops file in Windows directory 3 IoCs

Processes:

24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\MSDCSC\msdcsc.exe	24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe
File opened for modification	C:\Windows\MSDCSC\msdcsc.exe	24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe
File opened for modification	C:\Windows\MSDCSC\	24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exemsdcsc.exeiexplore.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2652	24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe
Token: SeSecurityPrivilege	2652	24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2652	24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2652	24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2652	24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2652	24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2652	24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2652	24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2652	24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe
Token: SeBackupPrivilege	2652	24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe
Token: SeRestorePrivilege	2652	24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe
Token: SeShutdownPrivilege	2652	24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe
Token: SeDebugPrivilege	2652	24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2652	24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2652	24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2652	24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe
Token: SeUndockPrivilege	2652	24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2652	24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2652	24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2652	24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe
Token: 33	2652	24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe
Token: 34	2652	24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe
Token: 35	2652	24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2660	msdcsc.exe
Token: SeSecurityPrivilege	2660	msdcsc.exe
Token: SeTakeOwnershipPrivilege	2660	msdcsc.exe
Token: SeLoadDriverPrivilege	2660	msdcsc.exe
Token: SeSystemProfilePrivilege	2660	msdcsc.exe
Token: SeSystemtimePrivilege	2660	msdcsc.exe
Token: SeProfSingleProcessPrivilege	2660	msdcsc.exe
Token: SeIncBasePriorityPrivilege	2660	msdcsc.exe
Token: SeCreatePagefilePrivilege	2660	msdcsc.exe
Token: SeBackupPrivilege	2660	msdcsc.exe
Token: SeRestorePrivilege	2660	msdcsc.exe
Token: SeShutdownPrivilege	2660	msdcsc.exe
Token: SeDebugPrivilege	2660	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	2660	msdcsc.exe
Token: SeChangeNotifyPrivilege	2660	msdcsc.exe
Token: SeRemoteShutdownPrivilege	2660	msdcsc.exe
Token: SeUndockPrivilege	2660	msdcsc.exe
Token: SeManageVolumePrivilege	2660	msdcsc.exe
Token: SeImpersonatePrivilege	2660	msdcsc.exe
Token: SeCreateGlobalPrivilege	2660	msdcsc.exe
Token: 33	2660	msdcsc.exe
Token: 34	2660	msdcsc.exe
Token: 35	2660	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	2708	iexplore.exe
Token: SeSecurityPrivilege	2708	iexplore.exe
Token: SeTakeOwnershipPrivilege	2708	iexplore.exe
Token: SeLoadDriverPrivilege	2708	iexplore.exe
Token: SeSystemProfilePrivilege	2708	iexplore.exe
Token: SeSystemtimePrivilege	2708	iexplore.exe
Token: SeProfSingleProcessPrivilege	2708	iexplore.exe
Token: SeIncBasePriorityPrivilege	2708	iexplore.exe
Token: SeCreatePagefilePrivilege	2708	iexplore.exe
Token: SeBackupPrivilege	2708	iexplore.exe
Token: SeRestorePrivilege	2708	iexplore.exe
Token: SeShutdownPrivilege	2708	iexplore.exe
Token: SeDebugPrivilege	2708	iexplore.exe
Token: SeSystemEnvironmentPrivilege	2708	iexplore.exe
Token: SeChangeNotifyPrivilege	2708	iexplore.exe
Token: SeRemoteShutdownPrivilege	2708	iexplore.exe
Token: SeUndockPrivilege	2708	iexplore.exe
Token: SeManageVolumePrivilege	2708	iexplore.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

iexplore.exe

pid process

2708 iexplore.exe

pid	process
2708	iexplore.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exemsdcsc.exe

description	pid	process	target process
PID 2652 wrote to memory of 2660	2652	24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe	msdcsc.exe
PID 2652 wrote to memory of 2660	2652	24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe	msdcsc.exe
PID 2652 wrote to memory of 2660	2652	24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe	msdcsc.exe
PID 2652 wrote to memory of 2660	2652	24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe	msdcsc.exe
PID 2660 wrote to memory of 2708	2660	msdcsc.exe	iexplore.exe
PID 2660 wrote to memory of 2708	2660	msdcsc.exe	iexplore.exe
PID 2660 wrote to memory of 2708	2660	msdcsc.exe	iexplore.exe
PID 2660 wrote to memory of 2708	2660	msdcsc.exe	iexplore.exe
PID 2660 wrote to memory of 2708	2660	msdcsc.exe	iexplore.exe
PID 2660 wrote to memory of 2708	2660	msdcsc.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2652

C:\Windows\MSDCSC\msdcsc.exe
"C:\Windows\MSDCSC\msdcsc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2660

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2708

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\MSDCSC\msdcsc.exe
Filesize
651KB

MD5
24a695bd98fe12ff40dfea58fa37a87e

SHA1
a6f2d32c7e0dca5cf6f116e4805b093e3c672256

SHA256
7044ddd8b6a0a4dd7edd7989da538ed017522e3665ce3d0eaef606123a922f50

SHA512
0318fae3986389a91edfb4ae11509178993f4d3f0a588a9c369be1432a091c6c8d5abf697353dedf79d2c2dd4be08f20751c1fe5b6a56dcfa100e9e0d552ed23

Download Submit
memory/2652-0-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2652-8-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2660-9-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/2660-12-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2708-11-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download