darkcomet | b272f8adb317c5fa71ca69becbca71ad661081f963ffdd01105eab2332e3c298

General

Target

5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe
Size

1.5MB
MD5

5f44ff7305c97d69e90a70cb11a51f08
SHA1

be1454f0194e0d67967f488fece3b95479362b32
SHA256

b272f8adb317c5fa71ca69becbca71ad661081f963ffdd01105eab2332e3c298
SHA512

d5b237b06dc115eeb39817b7fe04461c8c4ac05eb996244ea65afcab715e28f0bea7efeadfcdede6f9461802ba0f67e1642638e01b75adbd49535a83136ff311
SSDEEP

24576:oRmJkcoQricOIQxiZY1iaFWR444fq4444444444444444444444444444444444N:NJZoQrbTFZY1iaAR444ftVB7LvP2ky

Score

10^/10

darkcomet host...7 rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Host...7

C2

jimmykarcter.ddnsking.com:1491

Mutex

DC_MUTEX-PS4J221

Attributes

gencode
61wK7ycJ0Rd9
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe

Drops startup file 2 IoCs

Processes:

5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4372-10-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4372-11-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4372-12-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/2672-13-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral2/memory/4372-14-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/2672-19-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral2/memory/4372-18-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/2672-16-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral2/memory/4372-23-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4372-22-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4372-24-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/2672-25-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral2/memory/4372-26-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4372-27-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4372-29-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4372-31-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4372-33-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4372-35-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4372-37-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4372-39-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4372-41-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4372-43-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4372-45-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4372-47-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4372-49-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4372-51-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\GFQYjs\SXxTxW.exe	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe

description	pid	process	target process
PID 1484 set thread context of 4372	1484	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe	vbc.exe
PID 1484 set thread context of 2672	1484	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2608 schtasks.exe

pid	process
2608	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exevbc.exe

pid	process
1484	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe
1484	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe
1484	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe
1484	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe
1484	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe
1484	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe
1484	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe
1484	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe
1484	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe
1484	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe
1484	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe
1484	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe
1484	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe
1484	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe
2672	vbc.exe
2672	vbc.exe
2672	vbc.exe
2672	vbc.exe
2672	vbc.exe
2672	vbc.exe
2672	vbc.exe
2672	vbc.exe
2672	vbc.exe
2672	vbc.exe
2672	vbc.exe
2672	vbc.exe
2672	vbc.exe
2672	vbc.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

vbc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4372	vbc.exe
Token: SeSecurityPrivilege	4372	vbc.exe
Token: SeTakeOwnershipPrivilege	4372	vbc.exe
Token: SeLoadDriverPrivilege	4372	vbc.exe
Token: SeSystemProfilePrivilege	4372	vbc.exe
Token: SeSystemtimePrivilege	4372	vbc.exe
Token: SeProfSingleProcessPrivilege	4372	vbc.exe
Token: SeIncBasePriorityPrivilege	4372	vbc.exe
Token: SeCreatePagefilePrivilege	4372	vbc.exe
Token: SeBackupPrivilege	4372	vbc.exe
Token: SeRestorePrivilege	4372	vbc.exe
Token: SeShutdownPrivilege	4372	vbc.exe
Token: SeDebugPrivilege	4372	vbc.exe
Token: SeSystemEnvironmentPrivilege	4372	vbc.exe
Token: SeChangeNotifyPrivilege	4372	vbc.exe
Token: SeRemoteShutdownPrivilege	4372	vbc.exe
Token: SeUndockPrivilege	4372	vbc.exe
Token: SeManageVolumePrivilege	4372	vbc.exe
Token: SeImpersonatePrivilege	4372	vbc.exe
Token: SeCreateGlobalPrivilege	4372	vbc.exe
Token: 33	4372	vbc.exe
Token: 34	4372	vbc.exe
Token: 35	4372	vbc.exe
Token: 36	4372	vbc.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe

pid	process
532	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe
532	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe
532	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe
1484	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe
1484	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe
1484	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 6 IoCs

Processes:

5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe

pid	process
532	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe
532	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe
532	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe
1484	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe
1484	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe
1484	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

vbc.exevbc.exe

pid process

2672 vbc.exe
4372 vbc.exe

pid	process
2672	vbc.exe
4372	vbc.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exevbc.exe

description	pid	process	target process
PID 532 wrote to memory of 1484	532	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe
PID 532 wrote to memory of 1484	532	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe
PID 532 wrote to memory of 1484	532	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe
PID 1484 wrote to memory of 4372	1484	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe	vbc.exe
PID 1484 wrote to memory of 4372	1484	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe	vbc.exe
PID 1484 wrote to memory of 4372	1484	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe	vbc.exe
PID 1484 wrote to memory of 4372	1484	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe	vbc.exe
PID 1484 wrote to memory of 4372	1484	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe	vbc.exe
PID 1484 wrote to memory of 4372	1484	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe	vbc.exe
PID 1484 wrote to memory of 4372	1484	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe	vbc.exe
PID 1484 wrote to memory of 4372	1484	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe	vbc.exe
PID 1484 wrote to memory of 2672	1484	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe	vbc.exe
PID 1484 wrote to memory of 2672	1484	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe	vbc.exe
PID 1484 wrote to memory of 2672	1484	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe	vbc.exe
PID 1484 wrote to memory of 2672	1484	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe	vbc.exe
PID 1484 wrote to memory of 2672	1484	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe	vbc.exe
PID 1484 wrote to memory of 2672	1484	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe	vbc.exe
PID 1484 wrote to memory of 2672	1484	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe	vbc.exe
PID 1484 wrote to memory of 2672	1484	5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe	vbc.exe
PID 2672 wrote to memory of 4340	2672	vbc.exe	cmd.exe
PID 2672 wrote to memory of 4340	2672	vbc.exe	cmd.exe
PID 2672 wrote to memory of 4340	2672	vbc.exe	cmd.exe
PID 2672 wrote to memory of 3056	2672	vbc.exe	schtasks.exe
PID 2672 wrote to memory of 3056	2672	vbc.exe	schtasks.exe
PID 2672 wrote to memory of 3056	2672	vbc.exe	schtasks.exe
PID 2672 wrote to memory of 2608	2672	vbc.exe	schtasks.exe
PID 2672 wrote to memory of 2608	2672	vbc.exe	schtasks.exe
PID 2672 wrote to memory of 2608	2672	vbc.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:532

C:\Users\Admin\AppData\Local\Temp\5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5f44ff7305c97d69e90a70cb11a51f08_JaffaCakes118.exe" /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\wVcdqWuew"
2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4372

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2672

C:\Windows\SysWOW64\cmd.exe
cmd /c del /q /f %temp%\*.lnk
4⤵
PID:4340

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn WindowsUpdateFBqVJ0x8429524
4⤵
PID:3056

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn WindowsUpdateFBqVJ0x8429525 /tr "C:\ProgramData\FBqVJZhh\IhhZJVqBF.exe" /RL HIGHEST
4⤵
- Creates scheduled task(s)
PID:2608

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wVcdqWuew
Filesize
517KB

MD5
ab9d8703e4ec6f130bd1867fb7dba5d4

SHA1
8575f9164b4090292f0319186abc4afacfe1aa36

SHA256
783a5010b8c1b00d78a2cbd470ac2858be182a27622a4bffd4dd89fd213f4dbe

SHA512
446c0e1d369260bc5b8646549e89a0e8a037ae8b67ec99172733da2fafaa88cb96526e082025a8ae97e4631420a47179a87cad9ed2a111441124b4293acc431d

Download Submit
C:\Users\Admin\AppData\Roaming\GFQYjs\SXxTxW.exe
Filesize
1.5MB

MD5
5f44ff7305c97d69e90a70cb11a51f08

SHA1
be1454f0194e0d67967f488fece3b95479362b32

SHA256
b272f8adb317c5fa71ca69becbca71ad661081f963ffdd01105eab2332e3c298

SHA512
d5b237b06dc115eeb39817b7fe04461c8c4ac05eb996244ea65afcab715e28f0bea7efeadfcdede6f9461802ba0f67e1642638e01b75adbd49535a83136ff311

Download Submit
memory/2672-19-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2672-25-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2672-16-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2672-13-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4372-26-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4372-31-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4372-18-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4372-12-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4372-23-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4372-22-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4372-24-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4372-11-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4372-10-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4372-27-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4372-29-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4372-14-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4372-33-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4372-35-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4372-37-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4372-39-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4372-41-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4372-43-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4372-45-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4372-47-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4372-49-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4372-51-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads