darkcomet | b2e3badbec72d449e2208990a97399540f7ab826af5292107eff7a93cec85629

General

Target

e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
Size

944KB
MD5

e3c236d4baa95fe15655673cfe3de9bd
SHA1

64a5c72c26fd019835bbed524861d319f9b2add4
SHA256

b2e3badbec72d449e2208990a97399540f7ab826af5292107eff7a93cec85629
SHA512

4b0a0d2860161656a7bc89f8b33cd1f5da16b5ad28491a644b48888291a4ada37d926b1fe6f3afa6cb2594b7ffebba1aaa7a81d9e8207e8a32f1a7e63ff4470d
SSDEEP

24576:Fz/jdg3Dm5Z2E6rVU3JKD8Xnt5hV/lLXeaFeqSG:JLdg3aP6rVgNnt5hV/UxG

Score

10^/10

darkcomet guest16 evasion rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

minecraftaccount.no-ip.info:1604

Mutex

DC_MUTEX-4ASV9ZC

Attributes

gencode
W36GpkH7SSu9
install
false
offline_keylogger
true
password
cutebro
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

3020 attrib.exe
2612 attrib.exe

pid	process
3020	attrib.exe
2612	attrib.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exee3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe

description	pid	process	target process
PID 2200 set thread context of 1376	2200	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
PID 1376 set thread context of 2576	1376	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe

pid process

2576 e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe

pid	process
2576	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exee3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	1376	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2576	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
Token: SeSecurityPrivilege	2576	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2576	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2576	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2576	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2576	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2576	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2576	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2576	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
Token: SeBackupPrivilege	2576	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
Token: SeRestorePrivilege	2576	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
Token: SeShutdownPrivilege	2576	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
Token: SeDebugPrivilege	2576	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2576	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2576	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2576	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
Token: SeUndockPrivilege	2576	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2576	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2576	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2576	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
Token: 33	2576	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
Token: 34	2576	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
Token: 35	2576	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exee3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exee3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exejavaw.exe

pid	process
2200	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
1376	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
2576	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
1960	javaw.exe
1960	javaw.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exee3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exee3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.execmd.execmd.exe

description	pid	process	target process
PID 2200 wrote to memory of 1376	2200	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
PID 2200 wrote to memory of 1376	2200	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
PID 2200 wrote to memory of 1376	2200	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
PID 2200 wrote to memory of 1376	2200	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
PID 2200 wrote to memory of 1376	2200	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
PID 2200 wrote to memory of 1376	2200	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
PID 2200 wrote to memory of 1376	2200	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
PID 2200 wrote to memory of 1376	2200	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
PID 2200 wrote to memory of 1376	2200	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
PID 1376 wrote to memory of 2576	1376	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
PID 1376 wrote to memory of 2576	1376	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
PID 1376 wrote to memory of 2576	1376	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
PID 1376 wrote to memory of 2576	1376	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
PID 1376 wrote to memory of 2576	1376	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
PID 1376 wrote to memory of 2576	1376	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
PID 1376 wrote to memory of 2576	1376	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
PID 1376 wrote to memory of 2576	1376	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
PID 1376 wrote to memory of 2576	1376	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
PID 1376 wrote to memory of 2576	1376	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
PID 1376 wrote to memory of 2576	1376	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
PID 1376 wrote to memory of 2576	1376	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
PID 1376 wrote to memory of 2576	1376	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
PID 2576 wrote to memory of 2400	2576	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe	cmd.exe
PID 2576 wrote to memory of 2400	2576	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe	cmd.exe
PID 2576 wrote to memory of 2400	2576	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe	cmd.exe
PID 2576 wrote to memory of 2400	2576	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe	cmd.exe
PID 2576 wrote to memory of 2416	2576	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe	cmd.exe
PID 2576 wrote to memory of 2416	2576	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe	cmd.exe
PID 2576 wrote to memory of 2416	2576	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe	cmd.exe
PID 2576 wrote to memory of 2416	2576	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe	cmd.exe
PID 2400 wrote to memory of 3020	2400	cmd.exe	attrib.exe
PID 2400 wrote to memory of 3020	2400	cmd.exe	attrib.exe
PID 2400 wrote to memory of 3020	2400	cmd.exe	attrib.exe
PID 2400 wrote to memory of 3020	2400	cmd.exe	attrib.exe
PID 2416 wrote to memory of 2612	2416	cmd.exe	attrib.exe
PID 2416 wrote to memory of 2612	2416	cmd.exe	attrib.exe
PID 2416 wrote to memory of 2612	2416	cmd.exe	attrib.exe
PID 2416 wrote to memory of 2612	2416	cmd.exe	attrib.exe
PID 2576 wrote to memory of 1960	2576	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe	javaw.exe
PID 2576 wrote to memory of 1960	2576	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe	javaw.exe
PID 2576 wrote to memory of 1960	2576	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe	javaw.exe
PID 2576 wrote to memory of 1960	2576	e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe	javaw.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

3020 attrib.exe
2612 attrib.exe

pid	process
3020	attrib.exe
2612	attrib.exe

C:\Users\Admin\AppData\Local\Temp\e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2200

C:\Users\Admin\AppData\Local\Temp\e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe"
2⤵
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1376

C:\Users\Admin\AppData\Local\Temp\e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe"
3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2576

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe" +s +h
4⤵
- Suspicious use of WriteProcessMemory
PID:2400

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\e3c236d4baa95fe15655673cfe3de9bd_JaffaCakes118.exe" +s +h
5⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3020

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
4⤵
- Suspicious use of WriteProcessMemory
PID:2416

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
5⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2612

C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\WIRECLIENTLAUNCHER.JAR"
4⤵
- Suspicious use of SetWindowsHookEx
PID:1960

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

2

T1564.001

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WIRECLIENTLAUNCHER.JAR
Filesize
180KB

MD5
a4b317832aaad1eda0e63fcc55ff115a

SHA1
61eae4a523d01918a15946862af7f9bf8686fe00

SHA256
fa4564eb42437dd097108b741b620fa9071e70cb4ebc120aa6cb75669cf1d29a

SHA512
ea973813bfde8697bb3a3c25cc9c728b76661fbba25bb8cbffd4e9abef6632ffce5a2dbd7465d2dad7243d19eb7b73a1029200dcfa934f249231e52bd0cedc22

Download Submit
memory/1376-15-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/1376-5-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/1376-7-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/1376-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1376-13-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/1376-47-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/1376-3-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/1960-76-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1960-73-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1960-71-0x0000000000180000-0x000000000018A000-memory.dmp

Filesize
40KB

Download
memory/1960-70-0x0000000000180000-0x000000000018A000-memory.dmp

Filesize
40KB

Download
memory/1960-64-0x00000000022E0000-0x00000000052E0000-memory.dmp

Filesize
48.0MB

Download
memory/1960-81-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2200-2-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/2576-39-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2576-62-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2576-42-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2576-49-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2576-50-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2576-36-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2576-57-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2576-46-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2576-32-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2576-61-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2576-66-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2576-28-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2576-25-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2576-22-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2576-20-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2576-18-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads