darkcomet | 72c9070be456333066ed0e73a025c86b0d6ddbca01d536654dd248b8e567e66e

General

Target

0a5581b73f12f54b73aae0ce0dafd6ec_JaffaCakes118.exe
Size

958KB
MD5

0a5581b73f12f54b73aae0ce0dafd6ec
SHA1

9c35b8268f0b9d311f302ef3b242f18d652dcdca
SHA256

72c9070be456333066ed0e73a025c86b0d6ddbca01d536654dd248b8e567e66e
SHA512

08051bf0041b45228704b2b6d17b4a9d73502bc1cba27295014acc5b84c25203e612241449d33570e343f90e270cb6c613dff08d8a969fc5806c4e6c3a3aad03
SSDEEP

12288:VCCBiBFRiCnO361gsCEBR1+cXpSSEDpJdHbmpu5Ac8/oGCaU/6ouMXOvnFdNDR07:VhMviWX2LiQSAQQf5yow3wj

Score

10^/10

darkcomet guest16 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

inglap.no-ip.org:8547

Mutex

DC_MUTEX-MNKUWVZ

Attributes

gencode
hTSvsnbrAh61
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0a5581b73f12f54b73aae0ce0dafd6ec_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Micro = "C:\\Users\\Admin\\AppData\\Local\\Temp\\soft.exe"	0a5581b73f12f54b73aae0ce0dafd6ec_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

0a5581b73f12f54b73aae0ce0dafd6ec_JaffaCakes118.exevbc.exe

description	pid	process	target process
PID 2384 set thread context of 4040	2384	0a5581b73f12f54b73aae0ce0dafd6ec_JaffaCakes118.exe	vbc.exe
PID 4040 set thread context of 1268	4040	vbc.exe	iexplore.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

vbc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4040	vbc.exe
Token: SeSecurityPrivilege	4040	vbc.exe
Token: SeTakeOwnershipPrivilege	4040	vbc.exe
Token: SeLoadDriverPrivilege	4040	vbc.exe
Token: SeSystemProfilePrivilege	4040	vbc.exe
Token: SeSystemtimePrivilege	4040	vbc.exe
Token: SeProfSingleProcessPrivilege	4040	vbc.exe
Token: SeIncBasePriorityPrivilege	4040	vbc.exe
Token: SeCreatePagefilePrivilege	4040	vbc.exe
Token: SeBackupPrivilege	4040	vbc.exe
Token: SeRestorePrivilege	4040	vbc.exe
Token: SeShutdownPrivilege	4040	vbc.exe
Token: SeDebugPrivilege	4040	vbc.exe
Token: SeSystemEnvironmentPrivilege	4040	vbc.exe
Token: SeChangeNotifyPrivilege	4040	vbc.exe
Token: SeRemoteShutdownPrivilege	4040	vbc.exe
Token: SeUndockPrivilege	4040	vbc.exe
Token: SeManageVolumePrivilege	4040	vbc.exe
Token: SeImpersonatePrivilege	4040	vbc.exe
Token: SeCreateGlobalPrivilege	4040	vbc.exe
Token: 33	4040	vbc.exe
Token: 34	4040	vbc.exe
Token: 35	4040	vbc.exe
Token: 36	4040	vbc.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

0a5581b73f12f54b73aae0ce0dafd6ec_JaffaCakes118.exevbc.exe

description	pid	process	target process
PID 2384 wrote to memory of 4040	2384	0a5581b73f12f54b73aae0ce0dafd6ec_JaffaCakes118.exe	vbc.exe
PID 2384 wrote to memory of 4040	2384	0a5581b73f12f54b73aae0ce0dafd6ec_JaffaCakes118.exe	vbc.exe
PID 2384 wrote to memory of 4040	2384	0a5581b73f12f54b73aae0ce0dafd6ec_JaffaCakes118.exe	vbc.exe
PID 2384 wrote to memory of 4040	2384	0a5581b73f12f54b73aae0ce0dafd6ec_JaffaCakes118.exe	vbc.exe
PID 2384 wrote to memory of 4040	2384	0a5581b73f12f54b73aae0ce0dafd6ec_JaffaCakes118.exe	vbc.exe
PID 2384 wrote to memory of 4040	2384	0a5581b73f12f54b73aae0ce0dafd6ec_JaffaCakes118.exe	vbc.exe
PID 2384 wrote to memory of 4040	2384	0a5581b73f12f54b73aae0ce0dafd6ec_JaffaCakes118.exe	vbc.exe
PID 2384 wrote to memory of 4040	2384	0a5581b73f12f54b73aae0ce0dafd6ec_JaffaCakes118.exe	vbc.exe
PID 2384 wrote to memory of 4040	2384	0a5581b73f12f54b73aae0ce0dafd6ec_JaffaCakes118.exe	vbc.exe
PID 2384 wrote to memory of 4040	2384	0a5581b73f12f54b73aae0ce0dafd6ec_JaffaCakes118.exe	vbc.exe
PID 2384 wrote to memory of 4040	2384	0a5581b73f12f54b73aae0ce0dafd6ec_JaffaCakes118.exe	vbc.exe
PID 2384 wrote to memory of 4040	2384	0a5581b73f12f54b73aae0ce0dafd6ec_JaffaCakes118.exe	vbc.exe
PID 2384 wrote to memory of 4040	2384	0a5581b73f12f54b73aae0ce0dafd6ec_JaffaCakes118.exe	vbc.exe
PID 2384 wrote to memory of 4040	2384	0a5581b73f12f54b73aae0ce0dafd6ec_JaffaCakes118.exe	vbc.exe
PID 4040 wrote to memory of 1268	4040	vbc.exe	iexplore.exe
PID 4040 wrote to memory of 1268	4040	vbc.exe	iexplore.exe
PID 4040 wrote to memory of 1268	4040	vbc.exe	iexplore.exe
PID 4040 wrote to memory of 1268	4040	vbc.exe	iexplore.exe
PID 4040 wrote to memory of 1268	4040	vbc.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\0a5581b73f12f54b73aae0ce0dafd6ec_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0a5581b73f12f54b73aae0ce0dafd6ec_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2384

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4040

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
3⤵
PID:1268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:1548

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1268-11-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/2384-0-0x00000000746A2000-0x00000000746A3000-memory.dmp

Filesize
4KB

Download
memory/2384-1-0x00000000746A0000-0x0000000074C51000-memory.dmp

Filesize
5.7MB

Download
memory/2384-2-0x00000000746A0000-0x0000000074C51000-memory.dmp

Filesize
5.7MB

Download
memory/2384-8-0x00000000746A0000-0x0000000074C51000-memory.dmp

Filesize
5.7MB

Download
memory/4040-3-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4040-4-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4040-7-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4040-9-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4040-10-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4040-12-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads