darkcomet | fde5d7ff378a963efb1f7a43e6f92a4eba3442e56f8042a7fc428e128866e59d

General

Target

fdea3787ce63bebc5ded1b8124005bfb_JaffaCakes118.exe
Size

644KB
MD5

fdea3787ce63bebc5ded1b8124005bfb
SHA1

55be10e8a4452f2a2856775ed06caa1721c576f9
SHA256

fde5d7ff378a963efb1f7a43e6f92a4eba3442e56f8042a7fc428e128866e59d
SHA512

d344da2dcf1f31bdb4369fb6f2d3f099bd08afe923e51b6d8c377c662efafd3292b374370ea136db841cf4dec49990ab5963ec7d8e1a8c27025933ac715ae7b3
SSDEEP

12288:FXWw5rArh3i/5hzJTIuN7w92L7FAQB+4H6IKZDIZ:F/5eyPrFfi54HQDE

Score

10^/10

darkcomet evasion rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Disables Task Manager via registry modification
evasion

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tmp39CD.tmp.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	tmp39CD.tmp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fdea3787ce63bebc5ded1b8124005bfb_JaffaCakes118.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	fdea3787ce63bebc5ded1b8124005bfb_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

tmp39CD.tmp.exe

pid	Process
3848	tmp39CD.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tmp39CD.tmp.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	tmp39CD.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	tmp39CD.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	tmp39CD.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	tmp39CD.tmp.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

tmp39CD.tmp.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	tmp39CD.tmp.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

fdea3787ce63bebc5ded1b8124005bfb_JaffaCakes118.exetmp39CD.tmp.exe

description	pid	Process
Token: SeDebugPrivilege	4828	fdea3787ce63bebc5ded1b8124005bfb_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	3848	tmp39CD.tmp.exe
Token: SeSecurityPrivilege	3848	tmp39CD.tmp.exe
Token: SeTakeOwnershipPrivilege	3848	tmp39CD.tmp.exe
Token: SeLoadDriverPrivilege	3848	tmp39CD.tmp.exe
Token: SeSystemProfilePrivilege	3848	tmp39CD.tmp.exe
Token: SeSystemtimePrivilege	3848	tmp39CD.tmp.exe
Token: SeProfSingleProcessPrivilege	3848	tmp39CD.tmp.exe
Token: SeIncBasePriorityPrivilege	3848	tmp39CD.tmp.exe
Token: SeCreatePagefilePrivilege	3848	tmp39CD.tmp.exe
Token: SeBackupPrivilege	3848	tmp39CD.tmp.exe
Token: SeRestorePrivilege	3848	tmp39CD.tmp.exe
Token: SeShutdownPrivilege	3848	tmp39CD.tmp.exe
Token: SeDebugPrivilege	3848	tmp39CD.tmp.exe
Token: SeSystemEnvironmentPrivilege	3848	tmp39CD.tmp.exe
Token: SeChangeNotifyPrivilege	3848	tmp39CD.tmp.exe
Token: SeRemoteShutdownPrivilege	3848	tmp39CD.tmp.exe
Token: SeUndockPrivilege	3848	tmp39CD.tmp.exe
Token: SeManageVolumePrivilege	3848	tmp39CD.tmp.exe
Token: SeImpersonatePrivilege	3848	tmp39CD.tmp.exe
Token: SeCreateGlobalPrivilege	3848	tmp39CD.tmp.exe
Token: 33	3848	tmp39CD.tmp.exe
Token: 34	3848	tmp39CD.tmp.exe
Token: 35	3848	tmp39CD.tmp.exe
Token: 36	3848	tmp39CD.tmp.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

fdea3787ce63bebc5ded1b8124005bfb_JaffaCakes118.exetmp39CD.tmp.exe

description	pid	Process	procid_target
PID 4828 wrote to memory of 3848	4828	fdea3787ce63bebc5ded1b8124005bfb_JaffaCakes118.exe	86
PID 4828 wrote to memory of 3848	4828	fdea3787ce63bebc5ded1b8124005bfb_JaffaCakes118.exe	86
PID 4828 wrote to memory of 3848	4828	fdea3787ce63bebc5ded1b8124005bfb_JaffaCakes118.exe	86
PID 3848 wrote to memory of 3672	3848	tmp39CD.tmp.exe	91
PID 3848 wrote to memory of 3672	3848	tmp39CD.tmp.exe	91
PID 3848 wrote to memory of 3672	3848	tmp39CD.tmp.exe	91

C:\Users\Admin\AppData\Local\Temp\fdea3787ce63bebc5ded1b8124005bfb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fdea3787ce63bebc5ded1b8124005bfb_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Users\Admin\AppData\Local\Temp\tmp39CD.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp39CD.tmp.exe"
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3848
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\SysWOW64\explorer.exe"
    3⤵
    PID:3672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

4

T1012

System Information Discovery

5

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp39CD.tmp.exe

Filesize
635KB

MD5
cbfd323cebec548725018ba849934b08

SHA1
e1203b9ee87c598597d10959657730ed697c3776

SHA256
ae4af2d497968f52f40d1146f4b283ab1f21f86460c3e87c76abf268fc23d63a

SHA512
f8ce40c64d3041f6949344af3eaa0dc50c2d40cd2f48240dee7b175ec7d9b6ee759e56dca2e49a97b6b7c38214200204bd6536b222777290e8905129ea50094b

Download Submit
memory/3848-14-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/3848-15-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3848-17-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3848-20-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3848-22-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3848-24-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3848-26-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3848-28-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4828-2-0x0000000000CF0000-0x0000000000D00000-memory.dmp

Filesize
64KB

Download
memory/4828-0-0x000000001B1C0000-0x000000001B266000-memory.dmp

Filesize
664KB

Download
memory/4828-8-0x00007FF83F880000-0x00007FF840221000-memory.dmp

Filesize
9.6MB

Download
memory/4828-13-0x00007FF83F880000-0x00007FF840221000-memory.dmp

Filesize
9.6MB

Download
memory/4828-1-0x00007FF83F880000-0x00007FF840221000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads