darkcomet | 8974b93e1437e29d027c8e69c22b4d95b81fa541db02a9848d73a3ae3c231511

Analysis

max time kernel
149s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2024 05:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe
Size

650KB
MD5

24c1e5d419b0eecccc15a74b7c56edeb
SHA1

d67d5dea6e2d3bba041a59b9b60c877ac25931c0
SHA256

8974b93e1437e29d027c8e69c22b4d95b81fa541db02a9848d73a3ae3c231511
SHA512

e72e93f3d5910a231fb4c6b1cf4e6a5b11e929cca76fdf15a4df890c569d59314a64d3ab5bb4f5be004331a870ef303a099c045d94db5e68b1794b613db12986
SSDEEP

12288:Lk0QVlhmPojAPTMEsUTg0oChO/Q2JbsbjPbN5qhRTtYe3f+Iw86k/9/+c:g0QRWoJEfg0oChGdJQbjPbNW5tYeP+GJ

Score

10^/10

darkcomet javaappdrby1 evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

JAVAappDrBy1

epiclegit.no-ip.biz:1337

Mutex

DC_MUTEX-V0B2QA6

Attributes

InstallPath
Java\JavawsJRE06.exe
gencode
kCoeYQ87hhHK
install
true
offline_keylogger
true
persistence
true
reg_key
JavaUpdater

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Java\\JavawsJRE06.exe"	24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe

Modifies firewall policy service 3 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

JavawsJRE06.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	JavawsJRE06.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	JavawsJRE06.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	JavawsJRE06.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Processes:

JavawsJRE06.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" JavawsJRE06.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	JavawsJRE06.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

JavawsJRE06.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	JavawsJRE06.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	JavawsJRE06.exe

Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

1408 attrib.exe
740 attrib.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation 24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe
Executes dropped EXE 1 IoCs

Processes:

JavawsJRE06.exe

pid process

1968 JavawsJRE06.exe

pid	process
1408	attrib.exe
740	attrib.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe

pid	process
1968	JavawsJRE06.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

JavawsJRE06.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	JavawsJRE06.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	JavawsJRE06.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exeJavawsJRE06.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Java\\JavawsJRE06.exe"	24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Java\\JavawsJRE06.exe"	JavawsJRE06.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3952 PING.EXE

pid	process
3952	PING.EXE

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exeJavawsJRE06.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	5088	24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe
Token: SeSecurityPrivilege	5088	24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	5088	24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	5088	24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	5088	24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe
Token: SeSystemtimePrivilege	5088	24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	5088	24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	5088	24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	5088	24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe
Token: SeBackupPrivilege	5088	24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe
Token: SeRestorePrivilege	5088	24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe
Token: SeShutdownPrivilege	5088	24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe
Token: SeDebugPrivilege	5088	24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	5088	24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	5088	24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	5088	24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe
Token: SeUndockPrivilege	5088	24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe
Token: SeManageVolumePrivilege	5088	24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe
Token: SeImpersonatePrivilege	5088	24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	5088	24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe
Token: 33	5088	24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe
Token: 34	5088	24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe
Token: 35	5088	24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe
Token: 36	5088	24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	1968	JavawsJRE06.exe
Token: SeSecurityPrivilege	1968	JavawsJRE06.exe
Token: SeTakeOwnershipPrivilege	1968	JavawsJRE06.exe
Token: SeLoadDriverPrivilege	1968	JavawsJRE06.exe
Token: SeSystemProfilePrivilege	1968	JavawsJRE06.exe
Token: SeSystemtimePrivilege	1968	JavawsJRE06.exe
Token: SeProfSingleProcessPrivilege	1968	JavawsJRE06.exe
Token: SeIncBasePriorityPrivilege	1968	JavawsJRE06.exe
Token: SeCreatePagefilePrivilege	1968	JavawsJRE06.exe
Token: SeBackupPrivilege	1968	JavawsJRE06.exe
Token: SeRestorePrivilege	1968	JavawsJRE06.exe
Token: SeShutdownPrivilege	1968	JavawsJRE06.exe
Token: SeDebugPrivilege	1968	JavawsJRE06.exe
Token: SeSystemEnvironmentPrivilege	1968	JavawsJRE06.exe
Token: SeChangeNotifyPrivilege	1968	JavawsJRE06.exe
Token: SeRemoteShutdownPrivilege	1968	JavawsJRE06.exe
Token: SeUndockPrivilege	1968	JavawsJRE06.exe
Token: SeManageVolumePrivilege	1968	JavawsJRE06.exe
Token: SeImpersonatePrivilege	1968	JavawsJRE06.exe
Token: SeCreateGlobalPrivilege	1968	JavawsJRE06.exe
Token: 33	1968	JavawsJRE06.exe
Token: 34	1968	JavawsJRE06.exe
Token: 35	1968	JavawsJRE06.exe
Token: 36	1968	JavawsJRE06.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

JavawsJRE06.exe

pid process

1968 JavawsJRE06.exe

pid	process
1968	JavawsJRE06.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.execmd.execmd.execmd.exe

description	pid	process	target process
PID 5088 wrote to memory of 4604	5088	24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe	cmd.exe
PID 5088 wrote to memory of 4604	5088	24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe	cmd.exe
PID 5088 wrote to memory of 4604	5088	24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe	cmd.exe
PID 5088 wrote to memory of 4724	5088	24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe	cmd.exe
PID 5088 wrote to memory of 4724	5088	24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe	cmd.exe
PID 5088 wrote to memory of 4724	5088	24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe	cmd.exe
PID 5088 wrote to memory of 4296	5088	24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe	cmd.exe
PID 5088 wrote to memory of 4296	5088	24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe	cmd.exe
PID 5088 wrote to memory of 4296	5088	24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe	cmd.exe
PID 5088 wrote to memory of 1968	5088	24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe	JavawsJRE06.exe
PID 5088 wrote to memory of 1968	5088	24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe	JavawsJRE06.exe
PID 5088 wrote to memory of 1968	5088	24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe	JavawsJRE06.exe
PID 4604 wrote to memory of 1408	4604	cmd.exe	attrib.exe
PID 4604 wrote to memory of 1408	4604	cmd.exe	attrib.exe
PID 4604 wrote to memory of 1408	4604	cmd.exe	attrib.exe
PID 4724 wrote to memory of 740	4724	cmd.exe	attrib.exe
PID 4724 wrote to memory of 740	4724	cmd.exe	attrib.exe
PID 4724 wrote to memory of 740	4724	cmd.exe	attrib.exe
PID 4296 wrote to memory of 3952	4296	cmd.exe	PING.EXE
PID 4296 wrote to memory of 3952	4296	cmd.exe	PING.EXE
PID 4296 wrote to memory of 3952	4296	cmd.exe	PING.EXE

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

1408 attrib.exe
740 attrib.exe

pid	process
1408	attrib.exe
740	attrib.exe

C:\Users\Admin\AppData\Local\Temp\24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5088

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:4604

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe" +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1408

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:4724

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Local\Temp\24c1e5d419b0eecccc15a74b7c56edeb_JaffaCakes118.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4296

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
3⤵
- Runs ping.exe
PID:3952

C:\Users\Admin\AppData\Roaming\Java\JavawsJRE06.exe
"C:\Users\Admin\AppData\Roaming\Java\JavawsJRE06.exe"
2⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4308,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=3584 /prefetch:8
1⤵
PID:2488

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Disable or Modify System Firewall

T1562.004

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Java\JavawsJRE06.exe
Filesize
650KB

MD5
24c1e5d419b0eecccc15a74b7c56edeb

SHA1
d67d5dea6e2d3bba041a59b9b60c877ac25931c0

SHA256
8974b93e1437e29d027c8e69c22b4d95b81fa541db02a9848d73a3ae3c231511

SHA512
e72e93f3d5910a231fb4c6b1cf4e6a5b11e929cca76fdf15a4df890c569d59314a64d3ab5bb4f5be004331a870ef303a099c045d94db5e68b1794b613db12986

Download Submit
memory/1968-15-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/1968-16-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1968-17-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1968-20-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1968-22-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1968-25-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1968-29-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/5088-0-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/5088-14-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download