darkcomet | 72330cb358d47851e1ee9b6f9861783478b8882f366dfd5d9d9fe1e1a72e8ed5

General

Target

f4189716c016fd336c8f9273122ce87e_JaffaCakes118.exe
Size

436KB
MD5

f4189716c016fd336c8f9273122ce87e
SHA1

f0ca4d55f93293b33edd399ac4a9ca52923f1dff
SHA256

72330cb358d47851e1ee9b6f9861783478b8882f366dfd5d9d9fe1e1a72e8ed5
SHA512

0a87e358c0b4ecf8fcc791924ec29f9963d755f9a62129a0d1224f70d3f3882db11f73e81ddb8dc81d5e67a44a8078832118737f9ab6d7d7ef61cf2d9e060d4c
SSDEEP

6144:4w/kMDudL7RpI9sA0KfEWtxI3PuCcLnw4lkhwDNkW8RaA/V:h/1KdnfAaWQWCYlkhwDD

Score

10^/10

darkcomet rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Executes dropped EXE 2 IoCs

Processes:

dadanbalan.exestub.exe

pid	Process
2696	dadanbalan.exe
2908	stub.exe

Loads dropped DLL 7 IoCs

Processes:

WerFault.exe

pid	Process
2632	WerFault.exe
2632	WerFault.exe
2632	WerFault.exe
2632	WerFault.exe
2632	WerFault.exe
2632	WerFault.exe
2632	WerFault.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/files/0x0009000000012247-9.dat	upx
behavioral1/memory/2696-16-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2696-28-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2696-29-0x0000000000400000-0x00000000004B8000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process
2632	2908	WerFault.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

dadanbalan.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2696	dadanbalan.exe
Token: SeSecurityPrivilege	2696	dadanbalan.exe
Token: SeTakeOwnershipPrivilege	2696	dadanbalan.exe
Token: SeLoadDriverPrivilege	2696	dadanbalan.exe
Token: SeSystemProfilePrivilege	2696	dadanbalan.exe
Token: SeSystemtimePrivilege	2696	dadanbalan.exe
Token: SeProfSingleProcessPrivilege	2696	dadanbalan.exe
Token: SeIncBasePriorityPrivilege	2696	dadanbalan.exe
Token: SeCreatePagefilePrivilege	2696	dadanbalan.exe
Token: SeBackupPrivilege	2696	dadanbalan.exe
Token: SeRestorePrivilege	2696	dadanbalan.exe
Token: SeShutdownPrivilege	2696	dadanbalan.exe
Token: SeDebugPrivilege	2696	dadanbalan.exe
Token: SeSystemEnvironmentPrivilege	2696	dadanbalan.exe
Token: SeChangeNotifyPrivilege	2696	dadanbalan.exe
Token: SeRemoteShutdownPrivilege	2696	dadanbalan.exe
Token: SeUndockPrivilege	2696	dadanbalan.exe
Token: SeManageVolumePrivilege	2696	dadanbalan.exe
Token: SeImpersonatePrivilege	2696	dadanbalan.exe
Token: SeCreateGlobalPrivilege	2696	dadanbalan.exe
Token: 33	2696	dadanbalan.exe
Token: 34	2696	dadanbalan.exe
Token: 35	2696	dadanbalan.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

dadanbalan.exe

pid	Process
2696	dadanbalan.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

f4189716c016fd336c8f9273122ce87e_JaffaCakes118.exestub.exe

description	pid	Process	procid_target
PID 2068 wrote to memory of 2696	2068	f4189716c016fd336c8f9273122ce87e_JaffaCakes118.exe	28
PID 2068 wrote to memory of 2696	2068	f4189716c016fd336c8f9273122ce87e_JaffaCakes118.exe	28
PID 2068 wrote to memory of 2696	2068	f4189716c016fd336c8f9273122ce87e_JaffaCakes118.exe	28
PID 2068 wrote to memory of 2696	2068	f4189716c016fd336c8f9273122ce87e_JaffaCakes118.exe	28
PID 2068 wrote to memory of 2908	2068	f4189716c016fd336c8f9273122ce87e_JaffaCakes118.exe	29
PID 2068 wrote to memory of 2908	2068	f4189716c016fd336c8f9273122ce87e_JaffaCakes118.exe	29
PID 2068 wrote to memory of 2908	2068	f4189716c016fd336c8f9273122ce87e_JaffaCakes118.exe	29
PID 2068 wrote to memory of 2908	2068	f4189716c016fd336c8f9273122ce87e_JaffaCakes118.exe	29
PID 2908 wrote to memory of 2632	2908	stub.exe	30
PID 2908 wrote to memory of 2632	2908	stub.exe	30
PID 2908 wrote to memory of 2632	2908	stub.exe	30
PID 2908 wrote to memory of 2632	2908	stub.exe	30

C:\Users\Admin\AppData\Local\Temp\f4189716c016fd336c8f9273122ce87e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f4189716c016fd336c8f9273122ce87e_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Local\Temp\dadanbalan.exe
  "C:\Users\Admin\AppData\Local\Temp\dadanbalan.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2696
- C:\Users\Admin\AppData\Local\Temp\stub.exe
  "C:\Users\Admin\AppData\Local\Temp\stub.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 36
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dadanbalan.exe

Filesize
239KB

MD5
25a92b1e34583f786e85babebb069174

SHA1
26e86b5037413b5a83add66233471901a290ab88

SHA256
73e901ff948ad8e964fa0d8f483854930c38bc324abd7d4b2966e54576c99fc9

SHA512
02808d2df8b56d5ab8e5d51f883f5709c15cfe063a6be655bd25f937aac62a56182a42a11ece4dadcda001911229fbc5d46ceea41e33a526909841d897ae53a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\stub.exe

Filesize
74KB

MD5
efd13d30f2ce9bb8f8e9596b4c1b2e5c

SHA1
119124628b762ee9d8b27d18355b6a6de898301d

SHA256
8d806883d379a8f4d78f2e190abb40978ba953ba04091bbdf8c99d3accba0538

SHA512
dd15e6aa05bb5739384fa555ddeb36109d5a3248c83ed580e1f31de9f4aa5dee17f3e57f825d6e27ccb6d5ba3b19844cbf4fa6e28f392f2355d24563bdae0625

Download Submit
memory/2068-14-0x0000000000250000-0x00000000002D0000-memory.dmp

Filesize
512KB

Download
memory/2068-7-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmp

Filesize
9.6MB

Download
memory/2068-17-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmp

Filesize
9.6MB

Download
memory/2068-19-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmp

Filesize
9.6MB

Download
memory/2696-16-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2696-26-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2696-28-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2696-29-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2696-31-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2908-18-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads