darkcomet | 87f6887fa47e3e48630a5a46fce5a7470a39dc21a3ac79bdd837ea5b754b6e86

General

Target

f3cc6afc6f9cd465907bdffbf02871be_JaffaCakes118.exe
Size

300KB
MD5

f3cc6afc6f9cd465907bdffbf02871be
SHA1

5325f67e9370827b35c27c9bb3833cf5ddcba58d
SHA256

87f6887fa47e3e48630a5a46fce5a7470a39dc21a3ac79bdd837ea5b754b6e86
SHA512

343b2a6a98c8d2aecdc9c0eb9c84777b863a6cc1b9d32c6efd3c6da3d0bf523157bab839d32bbdb4d0ea34a5d2850902bc13d49475d9b216d6ba2bfb9062ac0d
SSDEEP

6144:EzrYL/EY/UMDqQHIFkC6ROM6XJuEMyGJod/gb9f8ngcv:tLMCFDqAqRM6XJuEMZJodk1

Score

10^/10

darkcomet guest16 rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

127.0.0.1:1604

Mutex

DC_MUTEX-MES1FBD

Attributes

gencode
M7aL4hgYlh2s
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Drops file in Drivers directory 1 IoCs

Processes:

NOEX.EXE

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts NOEX.EXE

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	NOEX.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f3cc6afc6f9cd465907bdffbf02871be_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	f3cc6afc6f9cd465907bdffbf02871be_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

Processes:

NOEX.EXEWINDOWSFORMSAPPLICATION2.EXE

pid process

3688 NOEX.EXE
752 WINDOWSFORMSAPPLICATION2.EXE

pid	process
3688	NOEX.EXE
752	WINDOWSFORMSAPPLICATION2.EXE

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/868-0-0x00000000001C0000-0x0000000000217000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\NOEX.EXE	upx
behavioral2/memory/3688-21-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/868-24-0x00000000001C0000-0x0000000000217000-memory.dmp	upx
behavioral2/memory/3688-34-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/3688-35-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/3688-43-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/3688-44-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/3688-45-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/3688-47-0x0000000000400000-0x00000000004B5000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

NOEX.EXE

description	pid	process
Token: SeIncreaseQuotaPrivilege	3688	NOEX.EXE
Token: SeSecurityPrivilege	3688	NOEX.EXE
Token: SeTakeOwnershipPrivilege	3688	NOEX.EXE
Token: SeLoadDriverPrivilege	3688	NOEX.EXE
Token: SeSystemProfilePrivilege	3688	NOEX.EXE
Token: SeSystemtimePrivilege	3688	NOEX.EXE
Token: SeProfSingleProcessPrivilege	3688	NOEX.EXE
Token: SeIncBasePriorityPrivilege	3688	NOEX.EXE
Token: SeCreatePagefilePrivilege	3688	NOEX.EXE
Token: SeBackupPrivilege	3688	NOEX.EXE
Token: SeRestorePrivilege	3688	NOEX.EXE
Token: SeShutdownPrivilege	3688	NOEX.EXE
Token: SeDebugPrivilege	3688	NOEX.EXE
Token: SeSystemEnvironmentPrivilege	3688	NOEX.EXE
Token: SeChangeNotifyPrivilege	3688	NOEX.EXE
Token: SeRemoteShutdownPrivilege	3688	NOEX.EXE
Token: SeUndockPrivilege	3688	NOEX.EXE
Token: SeManageVolumePrivilege	3688	NOEX.EXE
Token: SeImpersonatePrivilege	3688	NOEX.EXE
Token: SeCreateGlobalPrivilege	3688	NOEX.EXE
Token: 33	3688	NOEX.EXE
Token: 34	3688	NOEX.EXE
Token: 35	3688	NOEX.EXE
Token: 36	3688	NOEX.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

NOEX.EXE

pid process

3688 NOEX.EXE

pid	process
3688	NOEX.EXE

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

f3cc6afc6f9cd465907bdffbf02871be_JaffaCakes118.exe

description	pid	process	target process
PID 868 wrote to memory of 3688	868	f3cc6afc6f9cd465907bdffbf02871be_JaffaCakes118.exe	NOEX.EXE
PID 868 wrote to memory of 3688	868	f3cc6afc6f9cd465907bdffbf02871be_JaffaCakes118.exe	NOEX.EXE
PID 868 wrote to memory of 3688	868	f3cc6afc6f9cd465907bdffbf02871be_JaffaCakes118.exe	NOEX.EXE
PID 868 wrote to memory of 752	868	f3cc6afc6f9cd465907bdffbf02871be_JaffaCakes118.exe	WINDOWSFORMSAPPLICATION2.EXE
PID 868 wrote to memory of 752	868	f3cc6afc6f9cd465907bdffbf02871be_JaffaCakes118.exe	WINDOWSFORMSAPPLICATION2.EXE

C:\Users\Admin\AppData\Local\Temp\f3cc6afc6f9cd465907bdffbf02871be_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f3cc6afc6f9cd465907bdffbf02871be_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:868

C:\Users\Admin\AppData\Local\Temp\NOEX.EXE
"C:\Users\Admin\AppData\Local\Temp\NOEX.EXE"
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3688

C:\Users\Admin\AppData\Local\Temp\WINDOWSFORMSAPPLICATION2.EXE
"C:\Users\Admin\AppData\Local\Temp\WINDOWSFORMSAPPLICATION2.EXE"
2⤵
- Executes dropped EXE
PID:752

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NOEX.EXE
Filesize
251KB

MD5
dc36da2cd96de2ed728f0c022762fde9

SHA1
27de7fa207f71a82f3a2083c7f65f7d3d54b4978

SHA256
b5fae89919b12cd6a4e3966d67a9937a63053a4a78dad7884038bc2c2180a73c

SHA512
8b8249a86d4e6c8191edfb6da5a4aab5aae50df7afc7e18331367f439dc48192e22765202469b0c46955d586293c19f39593aec59ded7dfbabd18ad7273a9a91

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINDOWSFORMSAPPLICATION2.EXE
Filesize
7KB

MD5
23b692383aa2c8bdba068694d9296eef

SHA1
24ffb9ba1af0be8cf5bd85880de1cba78a1f8cf2

SHA256
661b8d0821529be59be266f6b6f35190213dcbd2769da69de23485ef5a0eab5e

SHA512
ac5c3c4ed05eb53667c29e0f6e28603ee89074f27e6ed323b38b993f7af5243162e19e7a06a89b3a8edbf9a3eeec6510d69bc9b4d62a3000ffc166d4f2183ac2

Download Submit
memory/752-36-0x00007FFF3FDD0000-0x00007FFF40771000-memory.dmp

Filesize
9.6MB

Download
memory/752-32-0x0000000000B80000-0x0000000000B88000-memory.dmp

Filesize
32KB

Download
memory/752-38-0x0000000000BA0000-0x0000000000BB0000-memory.dmp

Filesize
64KB

Download
memory/752-37-0x0000000000BA0000-0x0000000000BB0000-memory.dmp

Filesize
64KB

Download
memory/752-28-0x000000001B710000-0x000000001BBDE000-memory.dmp

Filesize
4.8MB

Download
memory/752-27-0x00007FFF3FDD0000-0x00007FFF40771000-memory.dmp

Filesize
9.6MB

Download
memory/752-29-0x0000000000BA0000-0x0000000000BB0000-memory.dmp

Filesize
64KB

Download
memory/752-30-0x000000001B160000-0x000000001B1FC000-memory.dmp

Filesize
624KB

Download
memory/752-31-0x00007FFF3FDD0000-0x00007FFF40771000-memory.dmp

Filesize
9.6MB

Download
memory/752-33-0x0000000000BA0000-0x0000000000BB0000-memory.dmp

Filesize
64KB

Download
memory/868-0-0x00000000001C0000-0x0000000000217000-memory.dmp

Filesize
348KB

Download
memory/868-24-0x00000000001C0000-0x0000000000217000-memory.dmp

Filesize
348KB

Download
memory/3688-21-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3688-34-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3688-35-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3688-26-0x0000000002190000-0x0000000002191000-memory.dmp

Filesize
4KB

Download
memory/3688-43-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3688-44-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3688-45-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3688-47-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads