darkcomet | f61de838ff7a7bf2fd9be74124d2de1d66d32a2f2d1faad315516d3e5b8b9bf4

General

Target

4a5ec9a006c5b7d0081c87ef2c2b72c9_JaffaCakes118.exe
Size

798KB
MD5

4a5ec9a006c5b7d0081c87ef2c2b72c9
SHA1

06f6da417bf491e03e95a77e6a10f147161579b6
SHA256

f61de838ff7a7bf2fd9be74124d2de1d66d32a2f2d1faad315516d3e5b8b9bf4
SHA512

11d3bd7a0b06245ae4071d0cac2ac8d428124202eaf97c010964f1ae67a0c7deb1d8ee08ce2ebef3a72046f8f0a69ecba55f371cfbae8f8dbab6f9273491461a
SSDEEP

24576:JUKoN0bUxgGa/pfBHDb+y1LS7D0QZh9u:+K1A6OY

Score

10^/10

darkcomet persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

4a5ec9a006c5b7d0081c87ef2c2b72c9_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	4a5ec9a006c5b7d0081c87ef2c2b72c9_JaffaCakes118.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2728 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

msdcsc.exe

pid process

2588 msdcsc.exe
Loads dropped DLL 2 IoCs

Processes:

4a5ec9a006c5b7d0081c87ef2c2b72c9_JaffaCakes118.exe

pid process

3004 4a5ec9a006c5b7d0081c87ef2c2b72c9_JaffaCakes118.exe
3004 4a5ec9a006c5b7d0081c87ef2c2b72c9_JaffaCakes118.exe

pid	process
2728	cmd.exe

pid	process
2588	msdcsc.exe

pid	process
3004	4a5ec9a006c5b7d0081c87ef2c2b72c9_JaffaCakes118.exe
3004	4a5ec9a006c5b7d0081c87ef2c2b72c9_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4a5ec9a006c5b7d0081c87ef2c2b72c9_JaffaCakes118.exemsdcsc.exeiexplore.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	4a5ec9a006c5b7d0081c87ef2c2b72c9_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	iexplore.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

msdcsc.exe

description pid process target process

PID 2588 set thread context of 2688 2588 msdcsc.exe iexplore.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2580 PING.EXE

description	pid	process	target process
PID 2588 set thread context of 2688	2588	msdcsc.exe	iexplore.exe

pid	process
2580	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

4a5ec9a006c5b7d0081c87ef2c2b72c9_JaffaCakes118.exemsdcsc.exeiexplore.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3004	4a5ec9a006c5b7d0081c87ef2c2b72c9_JaffaCakes118.exe
Token: SeSecurityPrivilege	3004	4a5ec9a006c5b7d0081c87ef2c2b72c9_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	3004	4a5ec9a006c5b7d0081c87ef2c2b72c9_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	3004	4a5ec9a006c5b7d0081c87ef2c2b72c9_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	3004	4a5ec9a006c5b7d0081c87ef2c2b72c9_JaffaCakes118.exe
Token: SeSystemtimePrivilege	3004	4a5ec9a006c5b7d0081c87ef2c2b72c9_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	3004	4a5ec9a006c5b7d0081c87ef2c2b72c9_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3004	4a5ec9a006c5b7d0081c87ef2c2b72c9_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	3004	4a5ec9a006c5b7d0081c87ef2c2b72c9_JaffaCakes118.exe
Token: SeBackupPrivilege	3004	4a5ec9a006c5b7d0081c87ef2c2b72c9_JaffaCakes118.exe
Token: SeRestorePrivilege	3004	4a5ec9a006c5b7d0081c87ef2c2b72c9_JaffaCakes118.exe
Token: SeShutdownPrivilege	3004	4a5ec9a006c5b7d0081c87ef2c2b72c9_JaffaCakes118.exe
Token: SeDebugPrivilege	3004	4a5ec9a006c5b7d0081c87ef2c2b72c9_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	3004	4a5ec9a006c5b7d0081c87ef2c2b72c9_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	3004	4a5ec9a006c5b7d0081c87ef2c2b72c9_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	3004	4a5ec9a006c5b7d0081c87ef2c2b72c9_JaffaCakes118.exe
Token: SeUndockPrivilege	3004	4a5ec9a006c5b7d0081c87ef2c2b72c9_JaffaCakes118.exe
Token: SeManageVolumePrivilege	3004	4a5ec9a006c5b7d0081c87ef2c2b72c9_JaffaCakes118.exe
Token: SeImpersonatePrivilege	3004	4a5ec9a006c5b7d0081c87ef2c2b72c9_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	3004	4a5ec9a006c5b7d0081c87ef2c2b72c9_JaffaCakes118.exe
Token: 33	3004	4a5ec9a006c5b7d0081c87ef2c2b72c9_JaffaCakes118.exe
Token: 34	3004	4a5ec9a006c5b7d0081c87ef2c2b72c9_JaffaCakes118.exe
Token: 35	3004	4a5ec9a006c5b7d0081c87ef2c2b72c9_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2588	msdcsc.exe
Token: SeSecurityPrivilege	2588	msdcsc.exe
Token: SeTakeOwnershipPrivilege	2588	msdcsc.exe
Token: SeLoadDriverPrivilege	2588	msdcsc.exe
Token: SeSystemProfilePrivilege	2588	msdcsc.exe
Token: SeSystemtimePrivilege	2588	msdcsc.exe
Token: SeProfSingleProcessPrivilege	2588	msdcsc.exe
Token: SeIncBasePriorityPrivilege	2588	msdcsc.exe
Token: SeCreatePagefilePrivilege	2588	msdcsc.exe
Token: SeBackupPrivilege	2588	msdcsc.exe
Token: SeRestorePrivilege	2588	msdcsc.exe
Token: SeShutdownPrivilege	2588	msdcsc.exe
Token: SeDebugPrivilege	2588	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	2588	msdcsc.exe
Token: SeChangeNotifyPrivilege	2588	msdcsc.exe
Token: SeRemoteShutdownPrivilege	2588	msdcsc.exe
Token: SeUndockPrivilege	2588	msdcsc.exe
Token: SeManageVolumePrivilege	2588	msdcsc.exe
Token: SeImpersonatePrivilege	2588	msdcsc.exe
Token: SeCreateGlobalPrivilege	2588	msdcsc.exe
Token: 33	2588	msdcsc.exe
Token: 34	2588	msdcsc.exe
Token: 35	2588	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	2688	iexplore.exe
Token: SeSecurityPrivilege	2688	iexplore.exe
Token: SeTakeOwnershipPrivilege	2688	iexplore.exe
Token: SeLoadDriverPrivilege	2688	iexplore.exe
Token: SeSystemProfilePrivilege	2688	iexplore.exe
Token: SeSystemtimePrivilege	2688	iexplore.exe
Token: SeProfSingleProcessPrivilege	2688	iexplore.exe
Token: SeIncBasePriorityPrivilege	2688	iexplore.exe
Token: SeCreatePagefilePrivilege	2688	iexplore.exe
Token: SeBackupPrivilege	2688	iexplore.exe
Token: SeRestorePrivilege	2688	iexplore.exe
Token: SeShutdownPrivilege	2688	iexplore.exe
Token: SeDebugPrivilege	2688	iexplore.exe
Token: SeSystemEnvironmentPrivilege	2688	iexplore.exe
Token: SeChangeNotifyPrivilege	2688	iexplore.exe
Token: SeRemoteShutdownPrivilege	2688	iexplore.exe
Token: SeUndockPrivilege	2688	iexplore.exe
Token: SeManageVolumePrivilege	2688	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

2940 DllHost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

iexplore.exe

pid process

2688 iexplore.exe

pid	process
2940	DllHost.exe

pid	process
2688	iexplore.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

4a5ec9a006c5b7d0081c87ef2c2b72c9_JaffaCakes118.execmd.exemsdcsc.exe

description	pid	process	target process
PID 3004 wrote to memory of 2728	3004	4a5ec9a006c5b7d0081c87ef2c2b72c9_JaffaCakes118.exe	cmd.exe
PID 3004 wrote to memory of 2728	3004	4a5ec9a006c5b7d0081c87ef2c2b72c9_JaffaCakes118.exe	cmd.exe
PID 3004 wrote to memory of 2728	3004	4a5ec9a006c5b7d0081c87ef2c2b72c9_JaffaCakes118.exe	cmd.exe
PID 3004 wrote to memory of 2728	3004	4a5ec9a006c5b7d0081c87ef2c2b72c9_JaffaCakes118.exe	cmd.exe
PID 2728 wrote to memory of 2580	2728	cmd.exe	PING.EXE
PID 2728 wrote to memory of 2580	2728	cmd.exe	PING.EXE
PID 2728 wrote to memory of 2580	2728	cmd.exe	PING.EXE
PID 2728 wrote to memory of 2580	2728	cmd.exe	PING.EXE
PID 3004 wrote to memory of 2588	3004	4a5ec9a006c5b7d0081c87ef2c2b72c9_JaffaCakes118.exe	msdcsc.exe
PID 3004 wrote to memory of 2588	3004	4a5ec9a006c5b7d0081c87ef2c2b72c9_JaffaCakes118.exe	msdcsc.exe
PID 3004 wrote to memory of 2588	3004	4a5ec9a006c5b7d0081c87ef2c2b72c9_JaffaCakes118.exe	msdcsc.exe
PID 3004 wrote to memory of 2588	3004	4a5ec9a006c5b7d0081c87ef2c2b72c9_JaffaCakes118.exe	msdcsc.exe
PID 2588 wrote to memory of 2688	2588	msdcsc.exe	iexplore.exe
PID 2588 wrote to memory of 2688	2588	msdcsc.exe	iexplore.exe
PID 2588 wrote to memory of 2688	2588	msdcsc.exe	iexplore.exe
PID 2588 wrote to memory of 2688	2588	msdcsc.exe	iexplore.exe
PID 2588 wrote to memory of 2688	2588	msdcsc.exe	iexplore.exe
PID 2588 wrote to memory of 2688	2588	msdcsc.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\4a5ec9a006c5b7d0081c87ef2c2b72c9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4a5ec9a006c5b7d0081c87ef2c2b72c9_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3004

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Local\Temp\4a5ec9a006c5b7d0081c87ef2c2b72c9_JaffaCakes118.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
3⤵
- Runs ping.exe
PID:2580

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2588

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
3⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2688

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2940

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\50S_WIRING_INDI.JPG
Filesize
53KB

MD5
4a7f85a214f7f0d5a88ce51a9493edea

SHA1
e99331acb73549395bb843af639723251a9c89ee

SHA256
f4422e9983ead25991f9de0cc5c910a941736da694538b472fcd8518eb86edc6

SHA512
438011135d057801d9a39385f27bdc39f041524cec31e941f5e624a25715dd27596ba094a7635720447402d15bd73a36d356f79c64a19b97ddc63b3194f0a67d

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
798KB

MD5
4a5ec9a006c5b7d0081c87ef2c2b72c9

SHA1
06f6da417bf491e03e95a77e6a10f147161579b6

SHA256
f61de838ff7a7bf2fd9be74124d2de1d66d32a2f2d1faad315516d3e5b8b9bf4

SHA512
11d3bd7a0b06245ae4071d0cac2ac8d428124202eaf97c010964f1ae67a0c7deb1d8ee08ce2ebef3a72046f8f0a69ecba55f371cfbae8f8dbab6f9273491461a

Download Submit
memory/2588-20-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2688-19-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2940-6-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2940-7-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2940-21-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/3004-0-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/3004-5-0x00000000026A0000-0x00000000026A2000-memory.dmp

Filesize
8KB

Download
memory/3004-17-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads