darkcomet | 5534bb7a49b308e814c184ed36232dfa2ad69b9222749441c902375e0e0beb21

General

Target

0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
Size

311KB
MD5

0f94212a02d7bf9800730f01accf22b5
SHA1

836f60020dfa5d8ddfe9d56f07b37aef3c01ae89
SHA256

5534bb7a49b308e814c184ed36232dfa2ad69b9222749441c902375e0e0beb21
SHA512

aca82c975fb4ec5069a7f44f152adc6ab1c92dbe8e24f6980475fc3a263ca4d712314838f085a021fb20b49f5584b0296d654daec97a0042f5d45665ca7224d8
SSDEEP

6144:WDwD7cY2fgssM7Wirg9KXylmRiL+QMeC/i6isqX7UovnONztByipwxZaJ086FCWd:W8l8E4w5huat7UovONzbXw2Jp6cq

Score

10^/10

darkcomet guest16 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

ayada.no-ip.info:1604

Mutex

DC_MUTEX-LZ3GD3B

Attributes

InstallPath
MSDCSC\explorer.exe
gencode
mp7S2byRaslY
install
true
offline_keylogger
true
password
999999999
persistence
false
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\MSDCSC\\explorer.exe"	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

explorer.exe

pid process

388 explorer.exe

pid	process
388	explorer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\MSDCSC\\explorer.exe"	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2664 5112 WerFault.exe notepad.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

388 explorer.exe

pid	pid_target	process	target process
2664	5112	WerFault.exe	notepad.exe

pid	process
388	explorer.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exeexplorer.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1840	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
Token: SeSecurityPrivilege	1840	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	1840	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	1840	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	1840	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
Token: SeSystemtimePrivilege	1840	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	1840	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1840	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	1840	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
Token: SeBackupPrivilege	1840	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
Token: SeRestorePrivilege	1840	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
Token: SeShutdownPrivilege	1840	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
Token: SeDebugPrivilege	1840	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	1840	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	1840	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	1840	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
Token: SeUndockPrivilege	1840	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
Token: SeManageVolumePrivilege	1840	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
Token: SeImpersonatePrivilege	1840	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	1840	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
Token: 33	1840	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
Token: 34	1840	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
Token: 35	1840	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
Token: 36	1840	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	388	explorer.exe
Token: SeSecurityPrivilege	388	explorer.exe
Token: SeTakeOwnershipPrivilege	388	explorer.exe
Token: SeLoadDriverPrivilege	388	explorer.exe
Token: SeSystemProfilePrivilege	388	explorer.exe
Token: SeSystemtimePrivilege	388	explorer.exe
Token: SeProfSingleProcessPrivilege	388	explorer.exe
Token: SeIncBasePriorityPrivilege	388	explorer.exe
Token: SeCreatePagefilePrivilege	388	explorer.exe
Token: SeBackupPrivilege	388	explorer.exe
Token: SeRestorePrivilege	388	explorer.exe
Token: SeShutdownPrivilege	388	explorer.exe
Token: SeDebugPrivilege	388	explorer.exe
Token: SeSystemEnvironmentPrivilege	388	explorer.exe
Token: SeChangeNotifyPrivilege	388	explorer.exe
Token: SeRemoteShutdownPrivilege	388	explorer.exe
Token: SeUndockPrivilege	388	explorer.exe
Token: SeManageVolumePrivilege	388	explorer.exe
Token: SeImpersonatePrivilege	388	explorer.exe
Token: SeCreateGlobalPrivilege	388	explorer.exe
Token: 33	388	explorer.exe
Token: 34	388	explorer.exe
Token: 35	388	explorer.exe
Token: 36	388	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

explorer.exe

pid process

388 explorer.exe

pid	process
388	explorer.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exeexplorer.exe

description	pid	process	target process
PID 1840 wrote to memory of 388	1840	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe	explorer.exe
PID 1840 wrote to memory of 388	1840	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe	explorer.exe
PID 1840 wrote to memory of 388	1840	0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe	explorer.exe
PID 388 wrote to memory of 5112	388	explorer.exe	notepad.exe
PID 388 wrote to memory of 5112	388	explorer.exe	notepad.exe
PID 388 wrote to memory of 5112	388	explorer.exe	notepad.exe
PID 388 wrote to memory of 5112	388	explorer.exe	notepad.exe
PID 388 wrote to memory of 5112	388	explorer.exe	notepad.exe
PID 388 wrote to memory of 5112	388	explorer.exe	notepad.exe
PID 388 wrote to memory of 5112	388	explorer.exe	notepad.exe
PID 388 wrote to memory of 5112	388	explorer.exe	notepad.exe
PID 388 wrote to memory of 5112	388	explorer.exe	notepad.exe
PID 388 wrote to memory of 5112	388	explorer.exe	notepad.exe
PID 388 wrote to memory of 5112	388	explorer.exe	notepad.exe
PID 388 wrote to memory of 5112	388	explorer.exe	notepad.exe
PID 388 wrote to memory of 5112	388	explorer.exe	notepad.exe
PID 388 wrote to memory of 5112	388	explorer.exe	notepad.exe
PID 388 wrote to memory of 5112	388	explorer.exe	notepad.exe
PID 388 wrote to memory of 5112	388	explorer.exe	notepad.exe
PID 388 wrote to memory of 5112	388	explorer.exe	notepad.exe
PID 388 wrote to memory of 5112	388	explorer.exe	notepad.exe
PID 388 wrote to memory of 5112	388	explorer.exe	notepad.exe
PID 388 wrote to memory of 5112	388	explorer.exe	notepad.exe
PID 388 wrote to memory of 5112	388	explorer.exe	notepad.exe
PID 388 wrote to memory of 5112	388	explorer.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0f94212a02d7bf9800730f01accf22b5_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1840

C:\MSDCSC\explorer.exe
"C:\MSDCSC\explorer.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:388

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 428
4⤵
- Program crash
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5112 -ip 5112
1⤵
PID:5060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4308,i,10925946972013221578,8820669985803190952,262144 --variations-seed-version --mojo-platform-channel-handle=3924 /prefetch:8
1⤵
PID:3392

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSDCSC\explorer.exe
Filesize
311KB

MD5
0f94212a02d7bf9800730f01accf22b5

SHA1
836f60020dfa5d8ddfe9d56f07b37aef3c01ae89

SHA256
5534bb7a49b308e814c184ed36232dfa2ad69b9222749441c902375e0e0beb21

SHA512
aca82c975fb4ec5069a7f44f152adc6ab1c92dbe8e24f6980475fc3a263ca4d712314838f085a021fb20b49f5584b0296d654daec97a0042f5d45665ca7224d8

Download Submit
memory/388-23-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/388-17-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/388-24-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/388-26-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/388-25-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/388-34-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/388-20-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/388-21-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/388-22-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/388-33-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/388-32-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/388-31-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/388-16-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/388-27-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/388-28-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/388-29-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/388-30-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1840-1-0x00000000020A0000-0x00000000020A1000-memory.dmp

Filesize
4KB

Download
memory/1840-15-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1840-0-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/5112-18-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads