darkcomet | c71228dd40c9cca4cf7dbd4d36bd92b3857ce006fbdadba7607457d8d04678e5

General

Target

1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
Size

1.4MB
MD5

1593241035013c441a7a4b0facf68d11
SHA1

ebb2690cc893204a574ca94945d76359f88edd8b
SHA256

c71228dd40c9cca4cf7dbd4d36bd92b3857ce006fbdadba7607457d8d04678e5
SHA512

318945ed544a202c4ec8d09bce921ef3c9c9336dee16f633106cbebca7fa53b09dc390fafe024d214f4392eb46a6c08b6d5467876ad31693b110eda20fa2c5fd
SSDEEP

24576:knAw2WWeFcfbP9VPSPMTSPL/rWvzq4JJfpkgX51oiyzZozG7XVNyVbZ:OELbVMTrOq4GgX51py17XnyxZ

Score

10^/10

darkcomet guest16 rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

dr-hacker.no-ip.org:81

Mutex

DC_MUTEX-F54S21D

Attributes

gencode
4mFiu4NvJRJC
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

Processes:

GAMEZER POINT EDITER.EXEGAMEZER POINT EDITER.EXE

pid process

1916 GAMEZER POINT EDITER.EXE
3956 GAMEZER POINT EDITER.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1916	GAMEZER POINT EDITER.EXE
3956	GAMEZER POINT EDITER.EXE

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	440	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
Token: SeSecurityPrivilege	440	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	440	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	440	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	440	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
Token: SeSystemtimePrivilege	440	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	440	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	440	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	440	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
Token: SeBackupPrivilege	440	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
Token: SeRestorePrivilege	440	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
Token: SeShutdownPrivilege	440	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
Token: SeDebugPrivilege	440	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	440	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	440	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	440	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
Token: SeUndockPrivilege	440	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
Token: SeManageVolumePrivilege	440	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
Token: SeImpersonatePrivilege	440	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	440	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
Token: 33	440	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
Token: 34	440	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
Token: 35	440	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
Token: 36	440	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe

pid process

440 1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe

pid	process
440	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe

description	pid	process	target process
PID 440 wrote to memory of 1916	440	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe	GAMEZER POINT EDITER.EXE
PID 440 wrote to memory of 1916	440	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe	GAMEZER POINT EDITER.EXE
PID 440 wrote to memory of 3956	440	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe	GAMEZER POINT EDITER.EXE
PID 440 wrote to memory of 3956	440	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe	GAMEZER POINT EDITER.EXE

C:\Users\Admin\AppData\Local\Temp\1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:440

C:\Users\Admin\AppData\Local\Temp\GAMEZER POINT EDITER.EXE
"C:\Users\Admin\AppData\Local\Temp\GAMEZER POINT EDITER.EXE"
2⤵
- Executes dropped EXE
PID:1916

C:\Users\Admin\AppData\Local\Temp\GAMEZER POINT EDITER.EXE
"C:\Users\Admin\AppData\Local\Temp\GAMEZER POINT EDITER.EXE"
2⤵
- Executes dropped EXE
PID:3956

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GAMEZER POINT EDITER.EXE
Filesize
315KB

MD5
cde53926cc3102f8dc248675cadb45f2

SHA1
fd54ace3fc301c53e3772613970247556adfc634

SHA256
8a8536d5a062633abf2b6657347b919e30146cca4be04bd10d141d7dff95dc77

SHA512
06d81e13bda87f4cfe4d3bff538beafa4fe3a2a69d3325f43c6897803a43aa0d784413c86404fe940977a180593c7bfcad6f778650ad4f5d0a283ec894e78de4

Download Submit
memory/440-52-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/440-46-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/440-53-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/440-6-0x0000000075971000-0x0000000075972000-memory.dmp

Filesize
4KB

Download
memory/440-5-0x00000000023E0000-0x00000000023F0000-memory.dmp

Filesize
64KB

Download
memory/440-7-0x0000000075950000-0x0000000075A40000-memory.dmp

Filesize
960KB

Download
memory/440-9-0x0000000075950000-0x0000000075A40000-memory.dmp

Filesize
960KB

Download
memory/440-8-0x0000000075950000-0x0000000075A40000-memory.dmp

Filesize
960KB

Download
memory/440-4-0x00000000025A0000-0x00000000025B0000-memory.dmp

Filesize
64KB

Download
memory/440-2-0x00000000022E0000-0x00000000022F0000-memory.dmp

Filesize
64KB

Download
memory/440-3-0x00000000776D2000-0x00000000776D3000-memory.dmp

Filesize
4KB

Download
memory/440-56-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/440-55-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/440-54-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/440-0-0x0000000002180000-0x0000000002184000-memory.dmp

Filesize
16KB

Download
memory/440-51-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/440-1-0x00000000021C0000-0x00000000021F9000-memory.dmp

Filesize
228KB

Download
memory/440-50-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/440-49-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/440-48-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/440-47-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/440-33-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/440-34-0x0000000075950000-0x0000000075A40000-memory.dmp

Filesize
960KB

Download
memory/440-35-0x00000000021C0000-0x00000000021F9000-memory.dmp

Filesize
228KB

Download
memory/440-37-0x00000000025A0000-0x00000000025B0000-memory.dmp

Filesize
64KB

Download
memory/440-39-0x0000000075950000-0x0000000075A40000-memory.dmp

Filesize
960KB

Download
memory/440-38-0x00000000023E0000-0x00000000023F0000-memory.dmp

Filesize
64KB

Download
memory/440-36-0x00000000022E0000-0x00000000022F0000-memory.dmp

Filesize
64KB

Download
memory/440-40-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/440-41-0x0000000075950000-0x0000000075A40000-memory.dmp

Filesize
960KB

Download
memory/440-42-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/1916-21-0x00007FFA86ED5000-0x00007FFA86ED6000-memory.dmp

Filesize
4KB

Download
memory/1916-27-0x000000001C750000-0x000000001C7EC000-memory.dmp

Filesize
624KB

Download
memory/1916-22-0x000000001BBF0000-0x000000001BC96000-memory.dmp

Filesize
664KB

Download
memory/1916-43-0x00007FFA86ED5000-0x00007FFA86ED6000-memory.dmp

Filesize
4KB

Download
memory/1916-44-0x00007FFA86C20000-0x00007FFA875C1000-memory.dmp

Filesize
9.6MB

Download
memory/1916-23-0x00007FFA86C20000-0x00007FFA875C1000-memory.dmp

Filesize
9.6MB

Download
memory/1916-30-0x00000000014F0000-0x00000000014F8000-memory.dmp

Filesize
32KB

Download
memory/1916-24-0x000000001C170000-0x000000001C63E000-memory.dmp

Filesize
4.8MB

Download
memory/1916-25-0x00007FFA86C20000-0x00007FFA875C1000-memory.dmp

Filesize
9.6MB

Download
memory/3956-32-0x000000001C340000-0x000000001C38C000-memory.dmp

Filesize
304KB

Download
memory/3956-28-0x00007FFA86C20000-0x00007FFA875C1000-memory.dmp

Filesize
9.6MB

Download
memory/3956-29-0x00007FFA86C20000-0x00007FFA875C1000-memory.dmp

Filesize
9.6MB

Download
memory/3956-31-0x00007FFA86C20000-0x00007FFA875C1000-memory.dmp

Filesize
9.6MB

Download
memory/3956-45-0x00007FFA86C20000-0x00007FFA875C1000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads