darkcomet | 8a84c9d58284fbe1729e7c8c0ffcc8f47ec59eac7f05faaf6e1ecf69950a08e7

General

Target

e2d5f98dbb215361dc39bbf892aafd80_JaffaCakes118.exe
Size

1.1MB
MD5

e2d5f98dbb215361dc39bbf892aafd80
SHA1

0e6eaceea0820c4ccd859a5c1aa1bd7224897f2f
SHA256

8a84c9d58284fbe1729e7c8c0ffcc8f47ec59eac7f05faaf6e1ecf69950a08e7
SHA512

d2163fb08c30cae411da1073b0628b4c12f09ff0961172f7c8828e3a3ac22138a5bc71aaf2321d7cd450543b78071e606da3b63e60a74c0d00234389c889a797
SSDEEP

12288:ZNip5W70M8BJ2ds9q1pfWeOyGtYWDmTis+MdbKBJPA0iLKPlAHBkia4rBwb4X0kF:Ze5ysJN6WarKba1DsaG+huViB

Score

10^/10

darkcomet guest16 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

127.0.0.1:1604

Mutex

DC_MUTEX-X8BTGZP

Attributes

gencode
gLKKW46aGkvG
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 1 IoCs

Processes:

vbc.exe

pid process

3676 vbc.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
3676	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e2d5f98dbb215361dc39bbf892aafd80_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinUpdtr = "C:\\Users\\Admin\\AppData\\Roaming\\WinUpdtr\\e2d5f98dbb215361dc39bbf892aafd80_JaffaCakes118.exe"	e2d5f98dbb215361dc39bbf892aafd80_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

e2d5f98dbb215361dc39bbf892aafd80_JaffaCakes118.exevbc.exe

description	pid	process	target process
PID 4224 set thread context of 3676	4224	e2d5f98dbb215361dc39bbf892aafd80_JaffaCakes118.exe	vbc.exe
PID 3676 set thread context of 388	3676	vbc.exe	iexplore.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

vbc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3676	vbc.exe
Token: SeSecurityPrivilege	3676	vbc.exe
Token: SeTakeOwnershipPrivilege	3676	vbc.exe
Token: SeLoadDriverPrivilege	3676	vbc.exe
Token: SeSystemProfilePrivilege	3676	vbc.exe
Token: SeSystemtimePrivilege	3676	vbc.exe
Token: SeProfSingleProcessPrivilege	3676	vbc.exe
Token: SeIncBasePriorityPrivilege	3676	vbc.exe
Token: SeCreatePagefilePrivilege	3676	vbc.exe
Token: SeBackupPrivilege	3676	vbc.exe
Token: SeRestorePrivilege	3676	vbc.exe
Token: SeShutdownPrivilege	3676	vbc.exe
Token: SeDebugPrivilege	3676	vbc.exe
Token: SeSystemEnvironmentPrivilege	3676	vbc.exe
Token: SeChangeNotifyPrivilege	3676	vbc.exe
Token: SeRemoteShutdownPrivilege	3676	vbc.exe
Token: SeUndockPrivilege	3676	vbc.exe
Token: SeManageVolumePrivilege	3676	vbc.exe
Token: SeImpersonatePrivilege	3676	vbc.exe
Token: SeCreateGlobalPrivilege	3676	vbc.exe
Token: 33	3676	vbc.exe
Token: 34	3676	vbc.exe
Token: 35	3676	vbc.exe
Token: 36	3676	vbc.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

e2d5f98dbb215361dc39bbf892aafd80_JaffaCakes118.exevbc.exe

description	pid	process	target process
PID 4224 wrote to memory of 3676	4224	e2d5f98dbb215361dc39bbf892aafd80_JaffaCakes118.exe	vbc.exe
PID 4224 wrote to memory of 3676	4224	e2d5f98dbb215361dc39bbf892aafd80_JaffaCakes118.exe	vbc.exe
PID 4224 wrote to memory of 3676	4224	e2d5f98dbb215361dc39bbf892aafd80_JaffaCakes118.exe	vbc.exe
PID 4224 wrote to memory of 3676	4224	e2d5f98dbb215361dc39bbf892aafd80_JaffaCakes118.exe	vbc.exe
PID 4224 wrote to memory of 3676	4224	e2d5f98dbb215361dc39bbf892aafd80_JaffaCakes118.exe	vbc.exe
PID 4224 wrote to memory of 3676	4224	e2d5f98dbb215361dc39bbf892aafd80_JaffaCakes118.exe	vbc.exe
PID 4224 wrote to memory of 3676	4224	e2d5f98dbb215361dc39bbf892aafd80_JaffaCakes118.exe	vbc.exe
PID 4224 wrote to memory of 3676	4224	e2d5f98dbb215361dc39bbf892aafd80_JaffaCakes118.exe	vbc.exe
PID 4224 wrote to memory of 3676	4224	e2d5f98dbb215361dc39bbf892aafd80_JaffaCakes118.exe	vbc.exe
PID 4224 wrote to memory of 3676	4224	e2d5f98dbb215361dc39bbf892aafd80_JaffaCakes118.exe	vbc.exe
PID 4224 wrote to memory of 3676	4224	e2d5f98dbb215361dc39bbf892aafd80_JaffaCakes118.exe	vbc.exe
PID 4224 wrote to memory of 3676	4224	e2d5f98dbb215361dc39bbf892aafd80_JaffaCakes118.exe	vbc.exe
PID 4224 wrote to memory of 3676	4224	e2d5f98dbb215361dc39bbf892aafd80_JaffaCakes118.exe	vbc.exe
PID 4224 wrote to memory of 3676	4224	e2d5f98dbb215361dc39bbf892aafd80_JaffaCakes118.exe	vbc.exe
PID 3676 wrote to memory of 388	3676	vbc.exe	iexplore.exe
PID 3676 wrote to memory of 388	3676	vbc.exe	iexplore.exe
PID 3676 wrote to memory of 388	3676	vbc.exe	iexplore.exe
PID 3676 wrote to memory of 388	3676	vbc.exe	iexplore.exe
PID 3676 wrote to memory of 388	3676	vbc.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\e2d5f98dbb215361dc39bbf892aafd80_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e2d5f98dbb215361dc39bbf892aafd80_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4224

C:\Users\Admin\AppData\Local\Temp\vbc.exe
C:\Users\Admin\AppData\Local\Temp\vbc.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3676

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
3⤵
PID:388

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\vbc.exe
Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
memory/388-16-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/3676-7-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3676-10-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3676-13-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3676-15-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3676-17-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/3676-18-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4224-0-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/4224-1-0x0000000000D30000-0x0000000000D40000-memory.dmp

Filesize
64KB

Download
memory/4224-2-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/4224-12-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads