darkcomet | 1736d604d6c8a14948ebe5386727ca3de215e1163904eac094b39769b8faea64

General

Target

25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe
Size

850KB
MD5

25fef2629b1a28be76522da59a85506f
SHA1

e1c6b2ac497f253cb03aa69505111532b4241a38
SHA256

1736d604d6c8a14948ebe5386727ca3de215e1163904eac094b39769b8faea64
SHA512

8656b9393d45dda010013825238b8254404b89316511b66877f78ad5b61008cb4d50e48e749cb646ada5891299b85dd7342336b4024e034865cfa07d47e08617
SSDEEP

12288:j6qvGvd8EgWCKXtWxWT56LbdJ0Ua0c1xHVkPyjRIBTK+jUOq6fgJg0Ges/5rBY6:hvGvd8HK9hwLbdJp6/kIo7f

Score

10^/10

darkcomet guest16 evasion rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

6.tcp.ngrok.io:10371

Mutex

DC_MUTEX-6TC6YTT

Attributes

gencode
6Wpjj0ueCN6h
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Disables Task Manager via registry modification
evasion
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

3272 attrib.exe

pid	process
3272	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe

description	pid	process	target process
PID 400 set thread context of 832	400	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe
PID 832 set thread context of 2368	832	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe	iexplore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe

pid	process
400	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe
400	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe
400	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe
400	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	400	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	832	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe
Token: SeSecurityPrivilege	832	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	832	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	832	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	832	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe
Token: SeSystemtimePrivilege	832	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	832	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	832	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	832	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe
Token: SeBackupPrivilege	832	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe
Token: SeRestorePrivilege	832	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe
Token: SeShutdownPrivilege	832	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe
Token: SeDebugPrivilege	832	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	832	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	832	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	832	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe
Token: SeUndockPrivilege	832	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe
Token: SeManageVolumePrivilege	832	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe
Token: SeImpersonatePrivilege	832	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	832	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe
Token: 33	832	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe
Token: 34	832	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe
Token: 35	832	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe
Token: 36	832	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe25fef2629b1a28be76522da59a85506f_JaffaCakes118.execmd.exeiexplore.exe

description	pid	process	target process
PID 400 wrote to memory of 832	400	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe
PID 400 wrote to memory of 832	400	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe
PID 400 wrote to memory of 832	400	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe
PID 400 wrote to memory of 832	400	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe
PID 400 wrote to memory of 832	400	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe
PID 400 wrote to memory of 832	400	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe
PID 400 wrote to memory of 832	400	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe
PID 400 wrote to memory of 832	400	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe
PID 400 wrote to memory of 832	400	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe
PID 400 wrote to memory of 832	400	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe
PID 400 wrote to memory of 832	400	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe
PID 400 wrote to memory of 832	400	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe
PID 832 wrote to memory of 1628	832	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe	cmd.exe
PID 832 wrote to memory of 1628	832	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe	cmd.exe
PID 832 wrote to memory of 1628	832	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe	cmd.exe
PID 832 wrote to memory of 2368	832	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe	iexplore.exe
PID 832 wrote to memory of 2368	832	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe	iexplore.exe
PID 832 wrote to memory of 2368	832	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe	iexplore.exe
PID 832 wrote to memory of 2368	832	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe	iexplore.exe
PID 832 wrote to memory of 2368	832	25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe	iexplore.exe
PID 1628 wrote to memory of 3272	1628	cmd.exe	attrib.exe
PID 1628 wrote to memory of 3272	1628	cmd.exe	attrib.exe
PID 1628 wrote to memory of 3272	1628	cmd.exe	attrib.exe
PID 2368 wrote to memory of 1108	2368	iexplore.exe	msedge.exe
PID 2368 wrote to memory of 1108	2368	iexplore.exe	msedge.exe
PID 2368 wrote to memory of 4064	2368	iexplore.exe	msedge.exe
PID 2368 wrote to memory of 4064	2368	iexplore.exe	msedge.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

3272 attrib.exe

pid	process
3272	attrib.exe

C:\Users\Admin\AppData\Local\Temp\25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:400

C:\Users\Admin\AppData\Local\Temp\25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe" +s +h
4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3272

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
4⤵
PID:1108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
4⤵
PID:4064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=2092 --field-trial-handle=2288,i,10301911031503898037,2997280636231771547,262144 --variations-seed-version /prefetch:1
1⤵
PID:3364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5604 --field-trial-handle=2288,i,10301911031503898037,2997280636231771547,262144 --variations-seed-version /prefetch:1
1⤵
PID:4200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4912 --field-trial-handle=2288,i,10301911031503898037,2997280636231771547,262144 --variations-seed-version /prefetch:8
1⤵
PID:4260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5556 --field-trial-handle=2288,i,10301911031503898037,2997280636231771547,262144 --variations-seed-version /prefetch:1
1⤵
PID:4896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5664 --field-trial-handle=2288,i,10301911031503898037,2997280636231771547,262144 --variations-seed-version /prefetch:8
1⤵
PID:3272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=5908 --field-trial-handle=2288,i,10301911031503898037,2997280636231771547,262144 --variations-seed-version /prefetch:1
1⤵
PID:2780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=5932 --field-trial-handle=2288,i,10301911031503898037,2997280636231771547,262144 --variations-seed-version /prefetch:1
1⤵
PID:3168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5768 --field-trial-handle=2288,i,10301911031503898037,2997280636231771547,262144 --variations-seed-version /prefetch:8
1⤵
PID:4564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --mojo-platform-channel-handle=6236 --field-trial-handle=2288,i,10301911031503898037,2997280636231771547,262144 --variations-seed-version /prefetch:1
1⤵
PID:3408

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

2

T1564.001

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/400-6-0x000000000AD70000-0x000000000AD7A000-memory.dmp

Filesize
40KB

Download
memory/400-0-0x0000000000AF0000-0x0000000000BCC000-memory.dmp

Filesize
880KB

Download
memory/400-2-0x00000000055C0000-0x00000000055C6000-memory.dmp

Filesize
24KB

Download
memory/400-3-0x0000000002E80000-0x0000000002E90000-memory.dmp

Filesize
64KB

Download
memory/400-4-0x000000000B190000-0x000000000B734000-memory.dmp

Filesize
5.6MB

Download
memory/400-5-0x000000000AE00000-0x000000000AE92000-memory.dmp

Filesize
584KB

Download
memory/400-1-0x0000000074CE0000-0x0000000075490000-memory.dmp

Filesize
7.7MB

Download
memory/400-10-0x0000000074CE0000-0x0000000075490000-memory.dmp

Filesize
7.7MB

Download
memory/832-11-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/832-7-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/832-9-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/832-13-0x00000000013E0000-0x00000000013E1000-memory.dmp

Filesize
4KB

Download
memory/832-12-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/832-15-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads