darkcomet | 8f5bfa1785455e30f95dc1aab6855220db3077a497448cedc15b435274efe238

General

Target

1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe
Size

660KB
MD5

1b13fd5d2438595750bd28c0512a5efc
SHA1

12fa776a5a2c2f6b6abbb23512c32f5f89e09e6d
SHA256

8f5bfa1785455e30f95dc1aab6855220db3077a497448cedc15b435274efe238
SHA512

7013c113fe427a3c35cfe8fc29850cef0569a5e2319d13ec6df4679528fa88cf3b18e8f577405b2ae0543f3b0acab0ffbbc823370ce0fbd6e0511bf43bd62f2e
SSDEEP

12288:gXhpvNWw276S/DuoeFcfbmiJ99VPhYR5MTSHvLenELrWv1lZw4JuMkMh/fy452Un:mnAw2WWeFcfbP9VPSPMTSPL/rWvzq4JX

Score

10^/10

darkcomet guest16 evasion rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

myramic.hopto.org:1604

192.168.1.34:1604

Mutex

DC_MUTEX-U21HY5A

Attributes

gencode
17wuPD1x7bTT
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

2532 attrib.exe
2576 attrib.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2532	attrib.exe
2576	attrib.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe
Token: SeSecurityPrivilege	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe
Token: SeSystemtimePrivilege	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe
Token: SeBackupPrivilege	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe
Token: SeRestorePrivilege	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe
Token: SeShutdownPrivilege	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe
Token: SeDebugPrivilege	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe
Token: SeUndockPrivilege	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe
Token: SeManageVolumePrivilege	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe
Token: SeImpersonatePrivilege	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe
Token: 33	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe
Token: 34	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe
Token: 35	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe

pid process

1268 1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe

pid	process
1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.execmd.execmd.exe

description	pid	process	target process
PID 1268 wrote to memory of 2284	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe	cmd.exe
PID 1268 wrote to memory of 2284	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe	cmd.exe
PID 1268 wrote to memory of 2284	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe	cmd.exe
PID 1268 wrote to memory of 2284	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe	cmd.exe
PID 1268 wrote to memory of 2728	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe	cmd.exe
PID 1268 wrote to memory of 2728	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe	cmd.exe
PID 1268 wrote to memory of 2728	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe	cmd.exe
PID 1268 wrote to memory of 2728	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe	cmd.exe
PID 1268 wrote to memory of 2892	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe	notepad.exe
PID 1268 wrote to memory of 2892	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe	notepad.exe
PID 1268 wrote to memory of 2892	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe	notepad.exe
PID 1268 wrote to memory of 2892	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe	notepad.exe
PID 1268 wrote to memory of 2892	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe	notepad.exe
PID 1268 wrote to memory of 2892	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe	notepad.exe
PID 1268 wrote to memory of 2892	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe	notepad.exe
PID 1268 wrote to memory of 2892	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe	notepad.exe
PID 1268 wrote to memory of 2892	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe	notepad.exe
PID 1268 wrote to memory of 2892	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe	notepad.exe
PID 1268 wrote to memory of 2892	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe	notepad.exe
PID 1268 wrote to memory of 2892	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe	notepad.exe
PID 1268 wrote to memory of 2892	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe	notepad.exe
PID 1268 wrote to memory of 2892	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe	notepad.exe
PID 1268 wrote to memory of 2892	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe	notepad.exe
PID 1268 wrote to memory of 2892	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe	notepad.exe
PID 1268 wrote to memory of 2892	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe	notepad.exe
PID 1268 wrote to memory of 2892	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe	notepad.exe
PID 1268 wrote to memory of 2892	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe	notepad.exe
PID 1268 wrote to memory of 2892	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe	notepad.exe
PID 1268 wrote to memory of 2892	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe	notepad.exe
PID 1268 wrote to memory of 2892	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe	notepad.exe
PID 1268 wrote to memory of 2892	1268	1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe	notepad.exe
PID 2728 wrote to memory of 2532	2728	cmd.exe	attrib.exe
PID 2728 wrote to memory of 2532	2728	cmd.exe	attrib.exe
PID 2728 wrote to memory of 2532	2728	cmd.exe	attrib.exe
PID 2728 wrote to memory of 2532	2728	cmd.exe	attrib.exe
PID 2284 wrote to memory of 2576	2284	cmd.exe	attrib.exe
PID 2284 wrote to memory of 2576	2284	cmd.exe	attrib.exe
PID 2284 wrote to memory of 2576	2284	cmd.exe	attrib.exe
PID 2284 wrote to memory of 2576	2284	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

2532 attrib.exe
2576 attrib.exe

pid	process
2532	attrib.exe
2576	attrib.exe

C:\Users\Admin\AppData\Local\Temp\1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118.exe" +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2576

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2532

C:\Windows\SysWOW64\notepad.exe
notepad
2⤵
PID:2892

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

2

T1564.001

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1268-0-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1268-28-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1268-30-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1268-32-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1268-34-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1268-36-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1268-38-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1268-40-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2892-1-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2892-27-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing