darkcomet | e033486b4c119f41962837b8b84f91c8d86a3bf6d0b9ce8e5221ef18311f6268

General

Target

731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Size

821KB
MD5

731f51dcfb5d968e90f82457084f2849
SHA1

0a06d69c986a21f37310b6b0bc4df8b2e66eca3f
SHA256

e033486b4c119f41962837b8b84f91c8d86a3bf6d0b9ce8e5221ef18311f6268
SHA512

a2d4dd55efe459ca2c6e092b58d4b2511dd504b82dbc8277c2a78ca8b0709b97832926467008abbbb01aae991e1a8297e987a9750a8ac93aca5dfd1abbf78f36
SSDEEP

12288:PFLlJnnbWOtz6sVJhvaz1Qc/WdI//vfM4qwrbkniafLo6vUTyl0w/q9jJZYG:d3nbWmJVJFwSddIXvfhqbiaxvRxq9x

Score

10^/10

darkcomet evasion rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe

Disables Task Manager via registry modification
evasion

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2752	731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Token: SeSecurityPrivilege	2752	731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2752	731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2752	731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2752	731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2752	731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2752	731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2752	731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2752	731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Token: SeBackupPrivilege	2752	731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Token: SeRestorePrivilege	2752	731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Token: SeShutdownPrivilege	2752	731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Token: SeDebugPrivilege	2752	731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2752	731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2752	731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2752	731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Token: SeUndockPrivilege	2752	731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2752	731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2752	731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2752	731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Token: 33	2752	731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Token: 34	2752	731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Token: 35	2752	731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Token: 36	2752	731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe

pid process

2752 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe

pid	process
2752	731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe

description	pid	process	target process
PID 2752 wrote to memory of 2324	2752	731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe	iexplore.exe
PID 2752 wrote to memory of 2324	2752	731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe	iexplore.exe
PID 2752 wrote to memory of 2324	2752	731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe	iexplore.exe
PID 2752 wrote to memory of 4376	2752	731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe	explorer.exe
PID 2752 wrote to memory of 4376	2752	731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe	explorer.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe"
1⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2752

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
2⤵
PID:2324

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
2⤵
PID:4376

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Modify Registry

5

T1112

Impair Defenses

2

T1562

Disable or Modify Tools

2

T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2752-0-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/2752-1-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2752-3-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2752-4-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2752-6-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads