darkcomet | 6dbc41a48a41c991800d78eb2bd7231512830620880febda4a17e75c4f438a56

General

Target

c52d6bfcb18b48ce0976886fc1c60967.exe
Size

930KB
MD5

c52d6bfcb18b48ce0976886fc1c60967
SHA1

da6575713f50dae6e3ea4fac5aaf0d983c351171
SHA256

6dbc41a48a41c991800d78eb2bd7231512830620880febda4a17e75c4f438a56
SHA512

dc764e1d42bf9a74b5ac14be8ba01c1dfcf013456b2d403bf0e3616a440a5f124fde0909f207eeb02de3ebdad5e65425fb7f86ac204c6e3090ceb8973a19e0e0
SSDEEP

24576:KZ1xuVVjfFoynPaVBUR8f+kN10EBxYAGrW:aQDgok30bAz

Score

10^/10

darkcomet guest16 discovery rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

jesusiscool.no-ip.biz:1604

Mutex

DC_MUTEX-2MFKDUD

Attributes

gencode
hR4kwDNMtXyi
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c52d6bfcb18b48ce0976886fc1c60967.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	c52d6bfcb18b48ce0976886fc1c60967.exe

Executes dropped EXE 1 IoCs

Processes:

BIT.EXE

pid process

1116 BIT.EXE
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2064 icacls.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1116	BIT.EXE

pid	process
2064	icacls.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

c52d6bfcb18b48ce0976886fc1c60967.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1696	c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeSecurityPrivilege	1696	c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeTakeOwnershipPrivilege	1696	c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeLoadDriverPrivilege	1696	c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeSystemProfilePrivilege	1696	c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeSystemtimePrivilege	1696	c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeProfSingleProcessPrivilege	1696	c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeIncBasePriorityPrivilege	1696	c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeCreatePagefilePrivilege	1696	c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeBackupPrivilege	1696	c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeRestorePrivilege	1696	c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeShutdownPrivilege	1696	c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeDebugPrivilege	1696	c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeSystemEnvironmentPrivilege	1696	c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeChangeNotifyPrivilege	1696	c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeRemoteShutdownPrivilege	1696	c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeUndockPrivilege	1696	c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeManageVolumePrivilege	1696	c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeImpersonatePrivilege	1696	c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeCreateGlobalPrivilege	1696	c52d6bfcb18b48ce0976886fc1c60967.exe
Token: 33	1696	c52d6bfcb18b48ce0976886fc1c60967.exe
Token: 34	1696	c52d6bfcb18b48ce0976886fc1c60967.exe
Token: 35	1696	c52d6bfcb18b48ce0976886fc1c60967.exe
Token: 36	1696	c52d6bfcb18b48ce0976886fc1c60967.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

c52d6bfcb18b48ce0976886fc1c60967.exejavaw.exe

pid process

1696 c52d6bfcb18b48ce0976886fc1c60967.exe
2876 javaw.exe

pid	process
1696	c52d6bfcb18b48ce0976886fc1c60967.exe
2876	javaw.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

c52d6bfcb18b48ce0976886fc1c60967.exeBIT.EXEjavaw.exe

description	pid	process	target process
PID 1696 wrote to memory of 1116	1696	c52d6bfcb18b48ce0976886fc1c60967.exe	BIT.EXE
PID 1696 wrote to memory of 1116	1696	c52d6bfcb18b48ce0976886fc1c60967.exe	BIT.EXE
PID 1696 wrote to memory of 1116	1696	c52d6bfcb18b48ce0976886fc1c60967.exe	BIT.EXE
PID 1116 wrote to memory of 2876	1116	BIT.EXE	javaw.exe
PID 1116 wrote to memory of 2876	1116	BIT.EXE	javaw.exe
PID 2876 wrote to memory of 2064	2876	javaw.exe	icacls.exe
PID 2876 wrote to memory of 2064	2876	javaw.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\c52d6bfcb18b48ce0976886fc1c60967.exe
"C:\Users\Admin\AppData\Local\Temp\c52d6bfcb18b48ce0976886fc1c60967.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1696

C:\Users\Admin\AppData\Local\Temp\BIT.EXE
"C:\Users\Admin\AppData\Local\Temp\BIT.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1116

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Xms512m -Xmx1024m -jar "C:\Users\Admin\AppData\Local\Temp\BIT.EXE"
3⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
4⤵
- Modifies file permissions
PID:2064

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B

MD5
fd54efe011836e01349a76ba67db2aef

SHA1
262504fe12b4a9f4d7a8fa42bb5084d1b554c141

SHA256
f2a2eaa3e7bea8c6ef81240ce5449541510e968512455bc09e81106c9adf29db

SHA512
c816d9c4de5f301d1b88e2c7f308b9eb1c93986d6b9ec9c93ce2e161d7f3967f6ed6127c2cf4994f6f3abad09bea9ec32466edc476e3e6c7391b5baa9aad824d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BIT.EXE
Filesize
272KB

MD5
f3af9e6be544b4a28b2abff08292cde6

SHA1
ce72c12d42135bf9951570f54f8c97d2cd9ea297

SHA256
96ff47ed3a6ee136f5ba1e14ae20f1cc95c20747db444e4b6ed66ef3fe7d7679

SHA512
d84aea057738519472cec5128e1efb32cf18f49ba18942ac46ceecf62ce86a803f95151bc3f9e9860484a27beeaf08c076a6838c2279af40cd1307a93c7be85b

Download Submit
memory/1116-9-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1696-0-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/1696-102-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/1696-20-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/1696-90-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/1696-24-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/1696-75-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/1696-58-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2876-35-0x00000227B7810000-0x00000227B7811000-memory.dmp

Filesize
4KB

Download
memory/2876-39-0x00000227B7810000-0x00000227B7811000-memory.dmp

Filesize
4KB

Download
memory/2876-40-0x00000227B7810000-0x00000227B7811000-memory.dmp

Filesize
4KB

Download
memory/2876-31-0x00000227B7810000-0x00000227B7811000-memory.dmp

Filesize
4KB

Download
memory/2876-64-0x00000227B90C0000-0x00000227BA0C0000-memory.dmp

Filesize
16.0MB

Download
memory/2876-73-0x00000227B7810000-0x00000227B7811000-memory.dmp

Filesize
4KB

Download
memory/2876-30-0x00000227B7810000-0x00000227B7811000-memory.dmp

Filesize
4KB

Download
memory/2876-81-0x00000227B90C0000-0x00000227BA0C0000-memory.dmp

Filesize
16.0MB

Download
memory/2876-23-0x00000227B7810000-0x00000227B7811000-memory.dmp

Filesize
4KB

Download
memory/2876-95-0x00000227B90C0000-0x00000227BA0C0000-memory.dmp

Filesize
16.0MB

Download
memory/2876-15-0x00000227B90C0000-0x00000227BA0C0000-memory.dmp

Filesize
16.0MB

Download
memory/2876-108-0x00000227B90C0000-0x00000227BA0C0000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads