darkcomet | 952a8b918722a1c01fe28bf5399d5410ede22e48aab8f99a277266c31de9ff76

General

Target

f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe
Size

746KB
MD5

f6d70f49f5591a869286ebe73d8e6a7c
SHA1

446780aff428eb8f96b136e19c2a3f591b6c1c4f
SHA256

952a8b918722a1c01fe28bf5399d5410ede22e48aab8f99a277266c31de9ff76
SHA512

0a78c9015877c8c80bdaaf671d120098fba9abd1be9a07155e3528c1e901e88b7c3f38ae615524f39242c7c0d05010082c046918afb29e2e16edaf2189f64c03
SSDEEP

12288:Z6A84PaHhfD/tV9sj5NKR0pau9XGyu2qBVGLQyTPfh:8AmBpVKHu0Mu9Xo20VGLVP5

Score

10^/10

darkcomet evasion rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe

Disables Task Manager via registry modification
evasion

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exe

pid	Process
2272	attrib.exe
2592	attrib.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe

pid	Process
2056	f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2056	f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe
Token: SeSecurityPrivilege	2056	f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2056	f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2056	f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2056	f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2056	f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2056	f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2056	f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2056	f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe
Token: SeBackupPrivilege	2056	f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe
Token: SeRestorePrivilege	2056	f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe
Token: SeShutdownPrivilege	2056	f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe
Token: SeDebugPrivilege	2056	f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2056	f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2056	f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2056	f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe
Token: SeUndockPrivilege	2056	f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2056	f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2056	f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2056	f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe
Token: 33	2056	f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe
Token: 34	2056	f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe
Token: 35	2056	f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe

pid	Process
2056	f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.execmd.execmd.exe

description	pid	Process	procid_target
PID 2056 wrote to memory of 2576	2056	f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe	28
PID 2056 wrote to memory of 2576	2056	f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe	28
PID 2056 wrote to memory of 2576	2056	f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe	28
PID 2056 wrote to memory of 2576	2056	f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe	28
PID 2056 wrote to memory of 3028	2056	f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe	30
PID 2056 wrote to memory of 3028	2056	f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe	30
PID 2056 wrote to memory of 3028	2056	f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe	30
PID 2056 wrote to memory of 3028	2056	f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe	30
PID 2576 wrote to memory of 2592	2576	cmd.exe	32
PID 2576 wrote to memory of 2592	2576	cmd.exe	32
PID 2576 wrote to memory of 2592	2576	cmd.exe	32
PID 2576 wrote to memory of 2592	2576	cmd.exe	32
PID 3028 wrote to memory of 2272	3028	cmd.exe	33
PID 3028 wrote to memory of 2272	3028	cmd.exe	33
PID 3028 wrote to memory of 2272	3028	cmd.exe	33
PID 3028 wrote to memory of 2272	3028	cmd.exe	33

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exe

pid	Process
2592	attrib.exe
2272	attrib.exe

C:\Users\Admin\AppData\Local\Temp\f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe"
1⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Windows security modification
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2056
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe" +s +h
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\f6d70f49f5591a869286ebe73d8e6a7c_JaffaCakes118.exe" +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2592
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

2

T1564.001

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2056-0-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2056-1-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2056-3-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2056-4-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads