darkcomet | 582035e362c45975270e6868f215f00ee07866ae05e7a7b63fbaab44381bf423

General

Target

0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe
Size

660KB
MD5

0290e54eb7e7f652fe81aedd265721d5
SHA1

5b910e05680f4305a0cfe542b12841c8ca6453cf
SHA256

582035e362c45975270e6868f215f00ee07866ae05e7a7b63fbaab44381bf423
SHA512

2c0d8dc7332f2b56b85f0f547224a2d9566d2493c6c35122a5cd8d227c0688142aec25f6c9edc013243b236ad1507ba04d5ab40edb08034f0b6e5adeb55efeae
SSDEEP

12288:4X2JVHMRtDaSm3TJvVNvWV5YTsY7tHwbz/htfcoCoK632zb7G/Q0n:uss2Sm39NNv9wY7tHwbzfIoK6Mof

Score

10^/10

darkcomet retards persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Retards

C2

tehboss.no-ip.org:1604

Mutex

DC_MUTEX-5BJCK2U

Attributes

InstallPath
microsoft\svchost.exe
gencode
EpZ3tJtuYHzf
install
true
offline_keylogger
true
persistence
true
reg_key
winlogon

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\microsoft\\svchost.exe"	0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe

Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

2888 notepad.exe
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

2904 svchost.exe
Loads dropped DLL 2 IoCs

Processes:

0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe

pid process

3016 0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe
3016 0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe

pid	process
2888	notepad.exe

pid	process
2904	svchost.exe

pid	process
3016	0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe
3016	0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exesvchost.exeiexplore.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\microsoft\\svchost.exe"	0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\microsoft\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\microsoft\\svchost.exe"	iexplore.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 2904 set thread context of 2500 2904 svchost.exe iexplore.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2904 set thread context of 2500	2904	svchost.exe	iexplore.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exesvchost.exeiexplore.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3016	0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe
Token: SeSecurityPrivilege	3016	0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	3016	0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	3016	0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	3016	0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe
Token: SeSystemtimePrivilege	3016	0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	3016	0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3016	0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	3016	0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe
Token: SeBackupPrivilege	3016	0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe
Token: SeRestorePrivilege	3016	0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe
Token: SeShutdownPrivilege	3016	0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe
Token: SeDebugPrivilege	3016	0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	3016	0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	3016	0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	3016	0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe
Token: SeUndockPrivilege	3016	0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe
Token: SeManageVolumePrivilege	3016	0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe
Token: SeImpersonatePrivilege	3016	0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	3016	0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe
Token: 33	3016	0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe
Token: 34	3016	0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe
Token: 35	3016	0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2904	svchost.exe
Token: SeSecurityPrivilege	2904	svchost.exe
Token: SeTakeOwnershipPrivilege	2904	svchost.exe
Token: SeLoadDriverPrivilege	2904	svchost.exe
Token: SeSystemProfilePrivilege	2904	svchost.exe
Token: SeSystemtimePrivilege	2904	svchost.exe
Token: SeProfSingleProcessPrivilege	2904	svchost.exe
Token: SeIncBasePriorityPrivilege	2904	svchost.exe
Token: SeCreatePagefilePrivilege	2904	svchost.exe
Token: SeBackupPrivilege	2904	svchost.exe
Token: SeRestorePrivilege	2904	svchost.exe
Token: SeShutdownPrivilege	2904	svchost.exe
Token: SeDebugPrivilege	2904	svchost.exe
Token: SeSystemEnvironmentPrivilege	2904	svchost.exe
Token: SeChangeNotifyPrivilege	2904	svchost.exe
Token: SeRemoteShutdownPrivilege	2904	svchost.exe
Token: SeUndockPrivilege	2904	svchost.exe
Token: SeManageVolumePrivilege	2904	svchost.exe
Token: SeImpersonatePrivilege	2904	svchost.exe
Token: SeCreateGlobalPrivilege	2904	svchost.exe
Token: 33	2904	svchost.exe
Token: 34	2904	svchost.exe
Token: 35	2904	svchost.exe
Token: SeIncreaseQuotaPrivilege	2500	iexplore.exe
Token: SeSecurityPrivilege	2500	iexplore.exe
Token: SeTakeOwnershipPrivilege	2500	iexplore.exe
Token: SeLoadDriverPrivilege	2500	iexplore.exe
Token: SeSystemProfilePrivilege	2500	iexplore.exe
Token: SeSystemtimePrivilege	2500	iexplore.exe
Token: SeProfSingleProcessPrivilege	2500	iexplore.exe
Token: SeIncBasePriorityPrivilege	2500	iexplore.exe
Token: SeCreatePagefilePrivilege	2500	iexplore.exe
Token: SeBackupPrivilege	2500	iexplore.exe
Token: SeRestorePrivilege	2500	iexplore.exe
Token: SeShutdownPrivilege	2500	iexplore.exe
Token: SeDebugPrivilege	2500	iexplore.exe
Token: SeSystemEnvironmentPrivilege	2500	iexplore.exe
Token: SeChangeNotifyPrivilege	2500	iexplore.exe
Token: SeRemoteShutdownPrivilege	2500	iexplore.exe
Token: SeUndockPrivilege	2500	iexplore.exe
Token: SeManageVolumePrivilege	2500	iexplore.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

iexplore.exe

pid process

2500 iexplore.exe

pid	process
2500	iexplore.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exesvchost.exeiexplore.exe

description	pid	process	target process
PID 3016 wrote to memory of 2888	3016	0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe	notepad.exe
PID 3016 wrote to memory of 2888	3016	0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe	notepad.exe
PID 3016 wrote to memory of 2888	3016	0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe	notepad.exe
PID 3016 wrote to memory of 2888	3016	0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe	notepad.exe
PID 3016 wrote to memory of 2888	3016	0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe	notepad.exe
PID 3016 wrote to memory of 2888	3016	0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe	notepad.exe
PID 3016 wrote to memory of 2888	3016	0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe	notepad.exe
PID 3016 wrote to memory of 2888	3016	0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe	notepad.exe
PID 3016 wrote to memory of 2888	3016	0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe	notepad.exe
PID 3016 wrote to memory of 2888	3016	0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe	notepad.exe
PID 3016 wrote to memory of 2888	3016	0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe	notepad.exe
PID 3016 wrote to memory of 2888	3016	0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe	notepad.exe
PID 3016 wrote to memory of 2888	3016	0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe	notepad.exe
PID 3016 wrote to memory of 2888	3016	0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe	notepad.exe
PID 3016 wrote to memory of 2888	3016	0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe	notepad.exe
PID 3016 wrote to memory of 2888	3016	0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe	notepad.exe
PID 3016 wrote to memory of 2888	3016	0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe	notepad.exe
PID 3016 wrote to memory of 2888	3016	0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe	notepad.exe
PID 3016 wrote to memory of 2904	3016	0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe	svchost.exe
PID 3016 wrote to memory of 2904	3016	0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe	svchost.exe
PID 3016 wrote to memory of 2904	3016	0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe	svchost.exe
PID 3016 wrote to memory of 2904	3016	0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe	svchost.exe
PID 2904 wrote to memory of 2500	2904	svchost.exe	iexplore.exe
PID 2904 wrote to memory of 2500	2904	svchost.exe	iexplore.exe
PID 2904 wrote to memory of 2500	2904	svchost.exe	iexplore.exe
PID 2904 wrote to memory of 2500	2904	svchost.exe	iexplore.exe
PID 2904 wrote to memory of 2500	2904	svchost.exe	iexplore.exe
PID 2904 wrote to memory of 2500	2904	svchost.exe	iexplore.exe
PID 2500 wrote to memory of 2640	2500	iexplore.exe	notepad.exe
PID 2500 wrote to memory of 2640	2500	iexplore.exe	notepad.exe
PID 2500 wrote to memory of 2640	2500	iexplore.exe	notepad.exe
PID 2500 wrote to memory of 2640	2500	iexplore.exe	notepad.exe
PID 2500 wrote to memory of 2640	2500	iexplore.exe	notepad.exe
PID 2500 wrote to memory of 2640	2500	iexplore.exe	notepad.exe
PID 2500 wrote to memory of 2640	2500	iexplore.exe	notepad.exe
PID 2500 wrote to memory of 2640	2500	iexplore.exe	notepad.exe
PID 2500 wrote to memory of 2640	2500	iexplore.exe	notepad.exe
PID 2500 wrote to memory of 2640	2500	iexplore.exe	notepad.exe
PID 2500 wrote to memory of 2640	2500	iexplore.exe	notepad.exe
PID 2500 wrote to memory of 2640	2500	iexplore.exe	notepad.exe
PID 2500 wrote to memory of 2640	2500	iexplore.exe	notepad.exe
PID 2500 wrote to memory of 2640	2500	iexplore.exe	notepad.exe
PID 2500 wrote to memory of 2640	2500	iexplore.exe	notepad.exe
PID 2500 wrote to memory of 2640	2500	iexplore.exe	notepad.exe
PID 2500 wrote to memory of 2640	2500	iexplore.exe	notepad.exe
PID 2500 wrote to memory of 2640	2500	iexplore.exe	notepad.exe
PID 2500 wrote to memory of 2640	2500	iexplore.exe	notepad.exe
PID 2500 wrote to memory of 2640	2500	iexplore.exe	notepad.exe
PID 2500 wrote to memory of 2640	2500	iexplore.exe	notepad.exe
PID 2500 wrote to memory of 2640	2500	iexplore.exe	notepad.exe
PID 2500 wrote to memory of 2640	2500	iexplore.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0290e54eb7e7f652fe81aedd265721d5_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3016

C:\Windows\SysWOW64\notepad.exe
notepad
2⤵
- Deletes itself
PID:2888

C:\Users\Admin\AppData\Roaming\microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\microsoft\svchost.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2904

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
3⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2500

C:\Windows\SysWOW64\notepad.exe
notepad
4⤵
PID:2640

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
Filesize
660KB

MD5
0290e54eb7e7f652fe81aedd265721d5

SHA1
5b910e05680f4305a0cfe542b12841c8ca6453cf

SHA256
582035e362c45975270e6868f215f00ee07866ae05e7a7b63fbaab44381bf423

SHA512
2c0d8dc7332f2b56b85f0f547224a2d9566d2493c6c35122a5cd8d227c0688142aec25f6c9edc013243b236ad1507ba04d5ab40edb08034f0b6e5adeb55efeae

Download Submit
memory/2500-33-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2640-74-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2888-3-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2888-22-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/2904-34-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/3016-0-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/3016-31-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads