darkcomet | 5534bb7a49b308e814c184ed36232dfa2ad69b9222749441c902375e0e0beb21

General

Target

0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
Size

311KB
MD5

0f94212a02d7bf9800730f01accf22b5
SHA1

836f60020dfa5d8ddfe9d56f07b37aef3c01ae89
SHA256

5534bb7a49b308e814c184ed36232dfa2ad69b9222749441c902375e0e0beb21
SHA512

aca82c975fb4ec5069a7f44f152adc6ab1c92dbe8e24f6980475fc3a263ca4d712314838f085a021fb20b49f5584b0296d654daec97a0042f5d45665ca7224d8
SSDEEP

6144:WDwD7cY2fgssM7Wirg9KXylmRiL+QMeC/i6isqX7UovnONztByipwxZaJ086FCWd:W8l8E4w5huat7UovONzbXw2Jp6cq

Score

10^/10

darkcomet guest16 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

ayada.no-ip.info:1604

Mutex

DC_MUTEX-LZ3GD3B

Attributes

InstallPath
MSDCSC\explorer.exe
gencode
mp7S2byRaslY
install
true
offline_keylogger
true
password
999999999
persistence
false
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\MSDCSC\\explorer.exe"	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

explorer.exe

pid process

1356 explorer.exe
Loads dropped DLL 2 IoCs

Processes:

0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe

pid process

1484 0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
1484 0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe

pid	process
1356	explorer.exe

pid	process
1484	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
1484	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\MSDCSC\\explorer.exe"	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2328 2600 WerFault.exe notepad.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1356 explorer.exe

pid	pid_target	process	target process
2328	2600	WerFault.exe	notepad.exe

pid	process
1356	explorer.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exeexplorer.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1484	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
Token: SeSecurityPrivilege	1484	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	1484	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	1484	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	1484	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
Token: SeSystemtimePrivilege	1484	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	1484	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1484	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	1484	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
Token: SeBackupPrivilege	1484	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
Token: SeRestorePrivilege	1484	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
Token: SeShutdownPrivilege	1484	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
Token: SeDebugPrivilege	1484	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	1484	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	1484	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	1484	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
Token: SeUndockPrivilege	1484	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
Token: SeManageVolumePrivilege	1484	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
Token: SeImpersonatePrivilege	1484	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	1484	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
Token: 33	1484	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
Token: 34	1484	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
Token: 35	1484	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	1356	explorer.exe
Token: SeSecurityPrivilege	1356	explorer.exe
Token: SeTakeOwnershipPrivilege	1356	explorer.exe
Token: SeLoadDriverPrivilege	1356	explorer.exe
Token: SeSystemProfilePrivilege	1356	explorer.exe
Token: SeSystemtimePrivilege	1356	explorer.exe
Token: SeProfSingleProcessPrivilege	1356	explorer.exe
Token: SeIncBasePriorityPrivilege	1356	explorer.exe
Token: SeCreatePagefilePrivilege	1356	explorer.exe
Token: SeBackupPrivilege	1356	explorer.exe
Token: SeRestorePrivilege	1356	explorer.exe
Token: SeShutdownPrivilege	1356	explorer.exe
Token: SeDebugPrivilege	1356	explorer.exe
Token: SeSystemEnvironmentPrivilege	1356	explorer.exe
Token: SeChangeNotifyPrivilege	1356	explorer.exe
Token: SeRemoteShutdownPrivilege	1356	explorer.exe
Token: SeUndockPrivilege	1356	explorer.exe
Token: SeManageVolumePrivilege	1356	explorer.exe
Token: SeImpersonatePrivilege	1356	explorer.exe
Token: SeCreateGlobalPrivilege	1356	explorer.exe
Token: 33	1356	explorer.exe
Token: 34	1356	explorer.exe
Token: 35	1356	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

explorer.exe

pid process

1356 explorer.exe

pid	process
1356	explorer.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exeexplorer.exenotepad.exe

description	pid	process	target process
PID 1484 wrote to memory of 1356	1484	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe	explorer.exe
PID 1484 wrote to memory of 1356	1484	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe	explorer.exe
PID 1484 wrote to memory of 1356	1484	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe	explorer.exe
PID 1484 wrote to memory of 1356	1484	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe	explorer.exe
PID 1356 wrote to memory of 2600	1356	explorer.exe	notepad.exe
PID 1356 wrote to memory of 2600	1356	explorer.exe	notepad.exe
PID 1356 wrote to memory of 2600	1356	explorer.exe	notepad.exe
PID 1356 wrote to memory of 2600	1356	explorer.exe	notepad.exe
PID 1356 wrote to memory of 2600	1356	explorer.exe	notepad.exe
PID 1356 wrote to memory of 2600	1356	explorer.exe	notepad.exe
PID 1356 wrote to memory of 2600	1356	explorer.exe	notepad.exe
PID 1356 wrote to memory of 2600	1356	explorer.exe	notepad.exe
PID 1356 wrote to memory of 2600	1356	explorer.exe	notepad.exe
PID 1356 wrote to memory of 2600	1356	explorer.exe	notepad.exe
PID 1356 wrote to memory of 2600	1356	explorer.exe	notepad.exe
PID 1356 wrote to memory of 2600	1356	explorer.exe	notepad.exe
PID 1356 wrote to memory of 2600	1356	explorer.exe	notepad.exe
PID 1356 wrote to memory of 2600	1356	explorer.exe	notepad.exe
PID 1356 wrote to memory of 2600	1356	explorer.exe	notepad.exe
PID 1356 wrote to memory of 2600	1356	explorer.exe	notepad.exe
PID 1356 wrote to memory of 2600	1356	explorer.exe	notepad.exe
PID 1356 wrote to memory of 2600	1356	explorer.exe	notepad.exe
PID 1356 wrote to memory of 2600	1356	explorer.exe	notepad.exe
PID 1356 wrote to memory of 2600	1356	explorer.exe	notepad.exe
PID 1356 wrote to memory of 2600	1356	explorer.exe	notepad.exe
PID 1356 wrote to memory of 2600	1356	explorer.exe	notepad.exe
PID 1356 wrote to memory of 2600	1356	explorer.exe	notepad.exe
PID 2600 wrote to memory of 2328	2600	notepad.exe	WerFault.exe
PID 2600 wrote to memory of 2328	2600	notepad.exe	WerFault.exe
PID 2600 wrote to memory of 2328	2600	notepad.exe	WerFault.exe
PID 2600 wrote to memory of 2328	2600	notepad.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1484

C:\MSDCSC\explorer.exe
"C:\MSDCSC\explorer.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1356

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
- Suspicious use of WriteProcessMemory
PID:2600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 264
4⤵
- Program crash
PID:2328

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\MSDCSC\explorer.exe
Filesize
311KB

MD5
0f94212a02d7bf9800730f01accf22b5

SHA1
836f60020dfa5d8ddfe9d56f07b37aef3c01ae89

SHA256
5534bb7a49b308e814c184ed36232dfa2ad69b9222749441c902375e0e0beb21

SHA512
aca82c975fb4ec5069a7f44f152adc6ab1c92dbe8e24f6980475fc3a263ca4d712314838f085a021fb20b49f5584b0296d654daec97a0042f5d45665ca7224d8

Download Submit
memory/1356-40-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1356-16-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1356-41-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1356-44-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1356-43-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1356-54-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1356-17-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1356-53-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1356-52-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1356-50-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1356-49-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1356-48-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1356-47-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1356-45-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1484-14-0x0000000003640000-0x0000000003715000-memory.dmp

Filesize
852KB

Download
memory/1484-1-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1484-12-0x0000000003640000-0x0000000003715000-memory.dmp

Filesize
852KB

Download
memory/1484-0-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1484-13-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2600-39-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2600-18-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads