darkcomet | fde5d7ff378a963efb1f7a43e6f92a4eba3442e56f8042a7fc428e128866e59d

General

Target

fdea3787ce63bebc5ded1b8124005bfb_JaffaCakes118.exe
Size

644KB
MD5

fdea3787ce63bebc5ded1b8124005bfb
SHA1

55be10e8a4452f2a2856775ed06caa1721c576f9
SHA256

fde5d7ff378a963efb1f7a43e6f92a4eba3442e56f8042a7fc428e128866e59d
SHA512

d344da2dcf1f31bdb4369fb6f2d3f099bd08afe923e51b6d8c377c662efafd3292b374370ea136db841cf4dec49990ab5963ec7d8e1a8c27025933ac715ae7b3
SSDEEP

12288:FXWw5rArh3i/5hzJTIuN7w92L7FAQB+4H6IKZDIZ:F/5eyPrFfi54HQDE

Score

10^/10

darkcomet evasion rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Disables Task Manager via registry modification
evasion

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tmp843D.tmp.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	tmp843D.tmp.exe

Executes dropped EXE 1 IoCs

Processes:

tmp843D.tmp.exe

pid	Process
1740	tmp843D.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tmp843D.tmp.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	tmp843D.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	tmp843D.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	tmp843D.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	tmp843D.tmp.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

tmp843D.tmp.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	tmp843D.tmp.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

fdea3787ce63bebc5ded1b8124005bfb_JaffaCakes118.exetmp843D.tmp.exe

description	pid	Process
Token: SeDebugPrivilege	2980	fdea3787ce63bebc5ded1b8124005bfb_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	1740	tmp843D.tmp.exe
Token: SeSecurityPrivilege	1740	tmp843D.tmp.exe
Token: SeTakeOwnershipPrivilege	1740	tmp843D.tmp.exe
Token: SeLoadDriverPrivilege	1740	tmp843D.tmp.exe
Token: SeSystemProfilePrivilege	1740	tmp843D.tmp.exe
Token: SeSystemtimePrivilege	1740	tmp843D.tmp.exe
Token: SeProfSingleProcessPrivilege	1740	tmp843D.tmp.exe
Token: SeIncBasePriorityPrivilege	1740	tmp843D.tmp.exe
Token: SeCreatePagefilePrivilege	1740	tmp843D.tmp.exe
Token: SeBackupPrivilege	1740	tmp843D.tmp.exe
Token: SeRestorePrivilege	1740	tmp843D.tmp.exe
Token: SeShutdownPrivilege	1740	tmp843D.tmp.exe
Token: SeDebugPrivilege	1740	tmp843D.tmp.exe
Token: SeSystemEnvironmentPrivilege	1740	tmp843D.tmp.exe
Token: SeChangeNotifyPrivilege	1740	tmp843D.tmp.exe
Token: SeRemoteShutdownPrivilege	1740	tmp843D.tmp.exe
Token: SeUndockPrivilege	1740	tmp843D.tmp.exe
Token: SeManageVolumePrivilege	1740	tmp843D.tmp.exe
Token: SeImpersonatePrivilege	1740	tmp843D.tmp.exe
Token: SeCreateGlobalPrivilege	1740	tmp843D.tmp.exe
Token: 33	1740	tmp843D.tmp.exe
Token: 34	1740	tmp843D.tmp.exe
Token: 35	1740	tmp843D.tmp.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

fdea3787ce63bebc5ded1b8124005bfb_JaffaCakes118.exetmp843D.tmp.exe

description	pid	Process	procid_target
PID 2980 wrote to memory of 1740	2980	fdea3787ce63bebc5ded1b8124005bfb_JaffaCakes118.exe	28
PID 2980 wrote to memory of 1740	2980	fdea3787ce63bebc5ded1b8124005bfb_JaffaCakes118.exe	28
PID 2980 wrote to memory of 1740	2980	fdea3787ce63bebc5ded1b8124005bfb_JaffaCakes118.exe	28
PID 2980 wrote to memory of 1740	2980	fdea3787ce63bebc5ded1b8124005bfb_JaffaCakes118.exe	28
PID 1740 wrote to memory of 2512	1740	tmp843D.tmp.exe	29
PID 1740 wrote to memory of 2512	1740	tmp843D.tmp.exe	29
PID 1740 wrote to memory of 2512	1740	tmp843D.tmp.exe	29
PID 1740 wrote to memory of 2512	1740	tmp843D.tmp.exe	29

C:\Users\Admin\AppData\Local\Temp\fdea3787ce63bebc5ded1b8124005bfb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fdea3787ce63bebc5ded1b8124005bfb_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Users\Admin\AppData\Local\Temp\tmp843D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp843D.tmp.exe"
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\SysWOW64\explorer.exe"
    3⤵
    PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp843D.tmp.exe

Filesize
635KB

MD5
cbfd323cebec548725018ba849934b08

SHA1
e1203b9ee87c598597d10959657730ed697c3776

SHA256
ae4af2d497968f52f40d1146f4b283ab1f21f86460c3e87c76abf268fc23d63a

SHA512
f8ce40c64d3041f6949344af3eaa0dc50c2d40cd2f48240dee7b175ec7d9b6ee759e56dca2e49a97b6b7c38214200204bd6536b222777290e8905129ea50094b

Download Submit
memory/1740-18-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1740-11-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1740-13-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1740-15-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1740-16-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1740-21-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1740-23-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1740-25-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1740-27-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2980-8-0x0000000000B60000-0x0000000000BE0000-memory.dmp

Filesize
512KB

Download
memory/2980-9-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/2980-10-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/2980-6-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads