darkcomet | 72330cb358d47851e1ee9b6f9861783478b8882f366dfd5d9d9fe1e1a72e8ed5

General

Target

f4189716c016fd336c8f9273122ce87e_JaffaCakes118.exe
Size

436KB
MD5

f4189716c016fd336c8f9273122ce87e
SHA1

f0ca4d55f93293b33edd399ac4a9ca52923f1dff
SHA256

72330cb358d47851e1ee9b6f9861783478b8882f366dfd5d9d9fe1e1a72e8ed5
SHA512

0a87e358c0b4ecf8fcc791924ec29f9963d755f9a62129a0d1224f70d3f3882db11f73e81ddb8dc81d5e67a44a8078832118737f9ab6d7d7ef61cf2d9e060d4c
SSDEEP

6144:4w/kMDudL7RpI9sA0KfEWtxI3PuCcLnw4lkhwDNkW8RaA/V:h/1KdnfAaWQWCYlkhwDD

Score

10^/10

darkcomet rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f4189716c016fd336c8f9273122ce87e_JaffaCakes118.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	f4189716c016fd336c8f9273122ce87e_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

Processes:

dadanbalan.exestub.exe

pid	Process
2324	dadanbalan.exe
2104	stub.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/files/0x000300000001e970-8.dat	upx
behavioral2/memory/2324-22-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/2324-28-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/2324-29-0x0000000000400000-0x00000000004B8000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
5040	2104	WerFault.exe	88

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

dadanbalan.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2324	dadanbalan.exe
Token: SeSecurityPrivilege	2324	dadanbalan.exe
Token: SeTakeOwnershipPrivilege	2324	dadanbalan.exe
Token: SeLoadDriverPrivilege	2324	dadanbalan.exe
Token: SeSystemProfilePrivilege	2324	dadanbalan.exe
Token: SeSystemtimePrivilege	2324	dadanbalan.exe
Token: SeProfSingleProcessPrivilege	2324	dadanbalan.exe
Token: SeIncBasePriorityPrivilege	2324	dadanbalan.exe
Token: SeCreatePagefilePrivilege	2324	dadanbalan.exe
Token: SeBackupPrivilege	2324	dadanbalan.exe
Token: SeRestorePrivilege	2324	dadanbalan.exe
Token: SeShutdownPrivilege	2324	dadanbalan.exe
Token: SeDebugPrivilege	2324	dadanbalan.exe
Token: SeSystemEnvironmentPrivilege	2324	dadanbalan.exe
Token: SeChangeNotifyPrivilege	2324	dadanbalan.exe
Token: SeRemoteShutdownPrivilege	2324	dadanbalan.exe
Token: SeUndockPrivilege	2324	dadanbalan.exe
Token: SeManageVolumePrivilege	2324	dadanbalan.exe
Token: SeImpersonatePrivilege	2324	dadanbalan.exe
Token: SeCreateGlobalPrivilege	2324	dadanbalan.exe
Token: 33	2324	dadanbalan.exe
Token: 34	2324	dadanbalan.exe
Token: 35	2324	dadanbalan.exe
Token: 36	2324	dadanbalan.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

dadanbalan.exe

pid	Process
2324	dadanbalan.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

f4189716c016fd336c8f9273122ce87e_JaffaCakes118.exe

description	pid	Process	procid_target
PID 3536 wrote to memory of 2324	3536	f4189716c016fd336c8f9273122ce87e_JaffaCakes118.exe	87
PID 3536 wrote to memory of 2324	3536	f4189716c016fd336c8f9273122ce87e_JaffaCakes118.exe	87
PID 3536 wrote to memory of 2324	3536	f4189716c016fd336c8f9273122ce87e_JaffaCakes118.exe	87
PID 3536 wrote to memory of 2104	3536	f4189716c016fd336c8f9273122ce87e_JaffaCakes118.exe	88
PID 3536 wrote to memory of 2104	3536	f4189716c016fd336c8f9273122ce87e_JaffaCakes118.exe	88
PID 3536 wrote to memory of 2104	3536	f4189716c016fd336c8f9273122ce87e_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\f4189716c016fd336c8f9273122ce87e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f4189716c016fd336c8f9273122ce87e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3536
- C:\Users\Admin\AppData\Local\Temp\dadanbalan.exe
  "C:\Users\Admin\AppData\Local\Temp\dadanbalan.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2324
- C:\Users\Admin\AppData\Local\Temp\stub.exe
  "C:\Users\Admin\AppData\Local\Temp\stub.exe"
  2⤵
  - Executes dropped EXE
  PID:2104
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 224
    3⤵
    - Program crash
    PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2104 -ip 2104
1⤵
PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dadanbalan.exe

Filesize
239KB

MD5
25a92b1e34583f786e85babebb069174

SHA1
26e86b5037413b5a83add66233471901a290ab88

SHA256
73e901ff948ad8e964fa0d8f483854930c38bc324abd7d4b2966e54576c99fc9

SHA512
02808d2df8b56d5ab8e5d51f883f5709c15cfe063a6be655bd25f937aac62a56182a42a11ece4dadcda001911229fbc5d46ceea41e33a526909841d897ae53a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\stub.exe

Filesize
74KB

MD5
efd13d30f2ce9bb8f8e9596b4c1b2e5c

SHA1
119124628b762ee9d8b27d18355b6a6de898301d

SHA256
8d806883d379a8f4d78f2e190abb40978ba953ba04091bbdf8c99d3accba0538

SHA512
dd15e6aa05bb5739384fa555ddeb36109d5a3248c83ed580e1f31de9f4aa5dee17f3e57f825d6e27ccb6d5ba3b19844cbf4fa6e28f392f2355d24563bdae0625

Download Submit
memory/2104-25-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2324-22-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2324-27-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/2324-28-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2324-29-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/3536-1-0x00007FFE1C6C0000-0x00007FFE1D061000-memory.dmp

Filesize
9.6MB

Download
memory/3536-0-0x000000001BFD0000-0x000000001C076000-memory.dmp

Filesize
664KB

Download
memory/3536-2-0x0000000001950000-0x0000000001960000-memory.dmp

Filesize
64KB

Download
memory/3536-4-0x00007FFE1C6C0000-0x00007FFE1D061000-memory.dmp

Filesize
9.6MB

Download
memory/3536-26-0x00007FFE1C6C0000-0x00007FFE1D061000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads