darkcomet | 166c477928d3f10104edbb3a44e7922567c70a8bf58f51a76fa971fd2ad8194c

General

Target

6b5228408867c1a250c177ce49489273_JaffaCakes118.exe
Size

850KB
MD5

6b5228408867c1a250c177ce49489273
SHA1

a1ad3579cb3666025008484d288b23c5907db80a
SHA256

166c477928d3f10104edbb3a44e7922567c70a8bf58f51a76fa971fd2ad8194c
SHA512

66843e1a618b9908448124bdc6c9b930c5435fa2929186ea613c859d3b4b243e35d4a5b96beb6af348740793159d5ee1d17493142d05f8bd75133365a3d74aed
SSDEEP

24576:OnukqBdH2BuGCZg/vBcOAJaaktmSqvv/IOuAT:m4KBBCgvAJHktmS8vQOuA

Score

10^/10

darkcomet guest16 evasion rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

6.tcp.ngrok.io:10371

Mutex

DC_MUTEX-VHZPBK5

Attributes

gencode
iXnzmGbAY8jT
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

2452 attrib.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

2 6.tcp.ngrok.io
138 6.tcp.ngrok.io

pid	process
2452	attrib.exe

flow	ioc
2	6.tcp.ngrok.io
138	6.tcp.ngrok.io

Suspicious use of SetThreadContext 1 IoCs

Processes:

6b5228408867c1a250c177ce49489273_JaffaCakes118.exe

description	pid	process	target process
PID 844 set thread context of 2892	844	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

6b5228408867c1a250c177ce49489273_JaffaCakes118.exe

pid process

844 6b5228408867c1a250c177ce49489273_JaffaCakes118.exe
844 6b5228408867c1a250c177ce49489273_JaffaCakes118.exe

pid	process
844	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe
844	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

6b5228408867c1a250c177ce49489273_JaffaCakes118.exe6b5228408867c1a250c177ce49489273_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	844	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2892	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe
Token: SeSecurityPrivilege	2892	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2892	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2892	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2892	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2892	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2892	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2892	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2892	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe
Token: SeBackupPrivilege	2892	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe
Token: SeRestorePrivilege	2892	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe
Token: SeShutdownPrivilege	2892	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe
Token: SeDebugPrivilege	2892	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2892	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2892	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2892	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe
Token: SeUndockPrivilege	2892	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2892	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2892	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2892	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe
Token: 33	2892	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe
Token: 34	2892	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe
Token: 35	2892	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

6b5228408867c1a250c177ce49489273_JaffaCakes118.exe

pid process

2892 6b5228408867c1a250c177ce49489273_JaffaCakes118.exe

pid	process
2892	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

6b5228408867c1a250c177ce49489273_JaffaCakes118.exe6b5228408867c1a250c177ce49489273_JaffaCakes118.execmd.exe

description	pid	process	target process
PID 844 wrote to memory of 2892	844	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe
PID 844 wrote to memory of 2892	844	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe
PID 844 wrote to memory of 2892	844	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe
PID 844 wrote to memory of 2892	844	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe
PID 844 wrote to memory of 2892	844	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe
PID 844 wrote to memory of 2892	844	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe
PID 844 wrote to memory of 2892	844	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe
PID 844 wrote to memory of 2892	844	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe
PID 844 wrote to memory of 2892	844	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe
PID 844 wrote to memory of 2892	844	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe
PID 844 wrote to memory of 2892	844	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe
PID 844 wrote to memory of 2892	844	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe
PID 844 wrote to memory of 2892	844	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe
PID 2892 wrote to memory of 2504	2892	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe	cmd.exe
PID 2892 wrote to memory of 2504	2892	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe	cmd.exe
PID 2892 wrote to memory of 2504	2892	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe	cmd.exe
PID 2892 wrote to memory of 2504	2892	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe	cmd.exe
PID 2892 wrote to memory of 2616	2892	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe	notepad.exe
PID 2892 wrote to memory of 2616	2892	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe	notepad.exe
PID 2892 wrote to memory of 2616	2892	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe	notepad.exe
PID 2892 wrote to memory of 2616	2892	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe	notepad.exe
PID 2892 wrote to memory of 2616	2892	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe	notepad.exe
PID 2892 wrote to memory of 2616	2892	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe	notepad.exe
PID 2892 wrote to memory of 2616	2892	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe	notepad.exe
PID 2892 wrote to memory of 2616	2892	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe	notepad.exe
PID 2892 wrote to memory of 2616	2892	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe	notepad.exe
PID 2892 wrote to memory of 2616	2892	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe	notepad.exe
PID 2892 wrote to memory of 2616	2892	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe	notepad.exe
PID 2892 wrote to memory of 2616	2892	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe	notepad.exe
PID 2892 wrote to memory of 2616	2892	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe	notepad.exe
PID 2892 wrote to memory of 2616	2892	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe	notepad.exe
PID 2892 wrote to memory of 2616	2892	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe	notepad.exe
PID 2892 wrote to memory of 2616	2892	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe	notepad.exe
PID 2892 wrote to memory of 2616	2892	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe	notepad.exe
PID 2892 wrote to memory of 2616	2892	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe	notepad.exe
PID 2892 wrote to memory of 2616	2892	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe	notepad.exe
PID 2892 wrote to memory of 2616	2892	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe	notepad.exe
PID 2892 wrote to memory of 2616	2892	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe	notepad.exe
PID 2892 wrote to memory of 2616	2892	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe	notepad.exe
PID 2892 wrote to memory of 2616	2892	6b5228408867c1a250c177ce49489273_JaffaCakes118.exe	notepad.exe
PID 2504 wrote to memory of 2452	2504	cmd.exe	attrib.exe
PID 2504 wrote to memory of 2452	2504	cmd.exe	attrib.exe
PID 2504 wrote to memory of 2452	2504	cmd.exe	attrib.exe
PID 2504 wrote to memory of 2452	2504	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

2452 attrib.exe

pid	process
2452	attrib.exe

C:\Users\Admin\AppData\Local\Temp\6b5228408867c1a250c177ce49489273_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6b5228408867c1a250c177ce49489273_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:844

C:\Users\Admin\AppData\Local\Temp\6b5228408867c1a250c177ce49489273_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6b5228408867c1a250c177ce49489273_JaffaCakes118.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2892

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\6b5228408867c1a250c177ce49489273_JaffaCakes118.exe" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:2504

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\6b5228408867c1a250c177ce49489273_JaffaCakes118.exe" +s +h
4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2452

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
PID:2616

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

2

T1564.001

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/844-0-0x0000000001160000-0x000000000123C000-memory.dmp

Filesize
880KB

Download
memory/844-1-0x0000000073FE0000-0x00000000746CE000-memory.dmp

Filesize
6.9MB

Download
memory/844-2-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/844-3-0x0000000000530000-0x0000000000570000-memory.dmp

Filesize
256KB

Download
memory/844-4-0x00000000002A0000-0x00000000002AA000-memory.dmp

Filesize
40KB

Download
memory/844-20-0x0000000073FE0000-0x00000000746CE000-memory.dmp

Filesize
6.9MB

Download
memory/2616-54-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2616-24-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2892-13-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2892-58-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2892-11-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2892-14-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2892-15-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2892-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2892-18-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2892-19-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2892-7-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2892-21-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2892-22-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2892-23-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2892-6-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2892-5-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2892-55-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2892-56-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2892-57-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2892-9-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2892-59-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2892-60-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2892-61-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2892-62-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2892-63-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2892-64-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2892-65-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2892-66-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2892-67-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2892-68-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2892-69-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2892-70-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2892-71-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2892-122-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2892-121-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads