darkcomet | 113ce9531b63f5632f6f71982235a8ef08ce9d9a39cfcfcf87eed4a999f187f5

General

Target

a90a831be3b6242816714cafe59eda9a_JaffaCakes118.exe
Size

1.3MB
MD5

a90a831be3b6242816714cafe59eda9a
SHA1

6dbb008fd637ae00e1d7b2390d99776fff13f800
SHA256

113ce9531b63f5632f6f71982235a8ef08ce9d9a39cfcfcf87eed4a999f187f5
SHA512

50ae58b387049b01f22634da56d9acff3d4e51e1387297cf730037446de1a903d877820aff7f600dfd7e3d6079b0fd00ac749a97320ea77fc217777cdec4338d
SSDEEP

24576:dIp0jwWZFybBDxIPlaQSbWaRDoZNKLqMKNrjFLTrTnEK5IsgssDssPsgWS6DZZ/:XwWZkBtelaQgRDoZomNXFLTXdo6DZ

Score

10^/10

darkcomet discovery persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	a90a831be3b6242816714cafe59eda9a_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
3488	ǭƜƐƉƏ.exe
3644	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Essentials = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MsMpEng.exe"	ǭƜƐƉƏ.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4800 set thread context of 3644	4800	a90a831be3b6242816714cafe59eda9a_JaffaCakes118.exe	95

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a90a831be3b6242816714cafe59eda9a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ǭƜƐƉƏ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	4800	a90a831be3b6242816714cafe59eda9a_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	3644	svchost.exe
Token: SeSecurityPrivilege	3644	svchost.exe
Token: SeTakeOwnershipPrivilege	3644	svchost.exe
Token: SeLoadDriverPrivilege	3644	svchost.exe
Token: SeSystemProfilePrivilege	3644	svchost.exe
Token: SeSystemtimePrivilege	3644	svchost.exe
Token: SeProfSingleProcessPrivilege	3644	svchost.exe
Token: SeIncBasePriorityPrivilege	3644	svchost.exe
Token: SeCreatePagefilePrivilege	3644	svchost.exe
Token: SeBackupPrivilege	3644	svchost.exe
Token: SeRestorePrivilege	3644	svchost.exe
Token: SeShutdownPrivilege	3644	svchost.exe
Token: SeDebugPrivilege	3644	svchost.exe
Token: SeSystemEnvironmentPrivilege	3644	svchost.exe
Token: SeChangeNotifyPrivilege	3644	svchost.exe
Token: SeRemoteShutdownPrivilege	3644	svchost.exe
Token: SeUndockPrivilege	3644	svchost.exe
Token: SeManageVolumePrivilege	3644	svchost.exe
Token: SeImpersonatePrivilege	3644	svchost.exe
Token: SeCreateGlobalPrivilege	3644	svchost.exe
Token: 33	3644	svchost.exe
Token: 34	3644	svchost.exe
Token: 35	3644	svchost.exe
Token: 36	3644	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3644	svchost.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 3564	4800	a90a831be3b6242816714cafe59eda9a_JaffaCakes118.exe	87
PID 4800 wrote to memory of 3564	4800	a90a831be3b6242816714cafe59eda9a_JaffaCakes118.exe	87
PID 4800 wrote to memory of 3564	4800	a90a831be3b6242816714cafe59eda9a_JaffaCakes118.exe	87
PID 3564 wrote to memory of 2544	3564	csc.exe	89
PID 3564 wrote to memory of 2544	3564	csc.exe	89
PID 3564 wrote to memory of 2544	3564	csc.exe	89
PID 4800 wrote to memory of 3488	4800	a90a831be3b6242816714cafe59eda9a_JaffaCakes118.exe	94
PID 4800 wrote to memory of 3488	4800	a90a831be3b6242816714cafe59eda9a_JaffaCakes118.exe	94
PID 4800 wrote to memory of 3488	4800	a90a831be3b6242816714cafe59eda9a_JaffaCakes118.exe	94
PID 4800 wrote to memory of 3644	4800	a90a831be3b6242816714cafe59eda9a_JaffaCakes118.exe	95
PID 4800 wrote to memory of 3644	4800	a90a831be3b6242816714cafe59eda9a_JaffaCakes118.exe	95
PID 4800 wrote to memory of 3644	4800	a90a831be3b6242816714cafe59eda9a_JaffaCakes118.exe	95
PID 4800 wrote to memory of 3644	4800	a90a831be3b6242816714cafe59eda9a_JaffaCakes118.exe	95
PID 4800 wrote to memory of 3644	4800	a90a831be3b6242816714cafe59eda9a_JaffaCakes118.exe	95
PID 4800 wrote to memory of 3644	4800	a90a831be3b6242816714cafe59eda9a_JaffaCakes118.exe	95
PID 4800 wrote to memory of 3644	4800	a90a831be3b6242816714cafe59eda9a_JaffaCakes118.exe	95
PID 4800 wrote to memory of 3644	4800	a90a831be3b6242816714cafe59eda9a_JaffaCakes118.exe	95
PID 4800 wrote to memory of 3644	4800	a90a831be3b6242816714cafe59eda9a_JaffaCakes118.exe	95
PID 4800 wrote to memory of 3644	4800	a90a831be3b6242816714cafe59eda9a_JaffaCakes118.exe	95
PID 4800 wrote to memory of 3644	4800	a90a831be3b6242816714cafe59eda9a_JaffaCakes118.exe	95
PID 4800 wrote to memory of 3644	4800	a90a831be3b6242816714cafe59eda9a_JaffaCakes118.exe	95
PID 4800 wrote to memory of 3644	4800	a90a831be3b6242816714cafe59eda9a_JaffaCakes118.exe	95
PID 4800 wrote to memory of 3644	4800	a90a831be3b6242816714cafe59eda9a_JaffaCakes118.exe	95

C:\Users\Admin\AppData\Local\Temp\a90a831be3b6242816714cafe59eda9a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a90a831be3b6242816714cafe59eda9a_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\r0jfvtyq.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3564
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7EE5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7EE4.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2544
- C:\Users\Admin\AppData\Local\Temp\ǭƜƐƉƏ.exe
  "C:\Users\Admin\AppData\Local\Temp\ǭƜƐƉƏ.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3488
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\svchost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7EE5.tmp

Filesize
1KB

MD5
34b2b5aacf0b8c65ff6eeb35a35c2d09

SHA1
42a6816f23948141d4eea7b1555e3116117a9408

SHA256
c387e1ff2a7d1943795254f32609bcda4b05c925ac7033cb2a500c5421c766d7

SHA512
fdf9af93eaacc7d5b236e2155a223e05868a06081fffa43ba64c90c34321b07febf4145112f953bd84d231047ba73e94777f2b1d76b1eb77bd2db7f0636c3d14

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
34KB

MD5
e118330b4629b12368d91b9df6488be0

SHA1
ce90218c7e3b90df2a3409ec253048bb6472c2fd

SHA256
3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

SHA512
ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ǭƜƐƉƏ.exe

Filesize
4KB

MD5
e4ca6a80c5198b557874a6fd95c57c91

SHA1
ca12d07df73a775f69d9be3a2567575f48f916b6

SHA256
98bf1fc3905f78b1d3a55252099dc955e6b9cf6f54634ff3a94f2e8ac37bfc0c

SHA512
f031fd2940d0261030d981190c5a93a2f01d1337cfe9c3af8dd6e2cee50c35a21ae8e0a300e7adbd949ecfec979e0deefa5e28073e9a2306f48b633f0d8ee9f2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC7EE4.tmp

Filesize
636B

MD5
aa55bfb476edff4caf06776dd476a7eb

SHA1
2a7a48f3a18ea75bd09fa1f00f09de6efae51da0

SHA256
45b60e742758075b2814da6fbe51e7e87730dde243ec6c19fced91f2e0fb30ad

SHA512
f46f71ea00a2f5c494ce4ed9df08445b2e0ab55676eefac54846fdaca62b0cdbae122957f659cc365d10c8ebf5b79b19915e9f6fa256b57cfe33d6e219df68df

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\r0jfvtyq.0.cs

Filesize
1KB

MD5
c444b297bee6496d6ec55c6d8403cf10

SHA1
98dd2bb27e9b12196a9904ac9837da8dae7f2604

SHA256
c1c146f485e88b1334eb91ebd9a0178e6afe13864bd54d9cf30786cf78628f9e

SHA512
63de86de5d336686cde5c28adc42b256511c21512ee7e444051909690266f71835f176318c57c2a681527e1496954eac2c0acfe66ba44a5a253be51d3fad8e7d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\r0jfvtyq.cmdline

Filesize
263B

MD5
06749763ffa004d11375e040a64d48af

SHA1
1936c57c40261b357a510c5e2987b53d751361e4

SHA256
c0c5708b5c31fafa0d0e7bddfa4f0bb026b50e5c5a776d5ef9a71743b9966fc5

SHA512
4472fc45b40f01bfb94feaf8e9e0d24b8edd94d8b0b458e12c5c159a4946c7fe4340158693387b416199a8d125a4f493f77e494c09ebc2c2bf6579791d4baf0b

Download Submit
memory/3488-19-0x0000000074D30000-0x00000000752E1000-memory.dmp

Filesize
5.7MB

Download
memory/3488-36-0x0000000074D30000-0x00000000752E1000-memory.dmp

Filesize
5.7MB

Download
memory/3564-8-0x0000000074D30000-0x00000000752E1000-memory.dmp

Filesize
5.7MB

Download
memory/3564-15-0x0000000074D30000-0x00000000752E1000-memory.dmp

Filesize
5.7MB

Download
memory/3644-31-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/3644-39-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/3644-51-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/3644-22-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/3644-27-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/3644-50-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/3644-33-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/3644-32-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/3644-49-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/3644-30-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/3644-48-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/3644-37-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/3644-38-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/3644-25-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/3644-40-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/3644-41-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/3644-42-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/3644-43-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/3644-44-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/3644-45-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/3644-46-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/3644-47-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4800-1-0x0000000074D30000-0x00000000752E1000-memory.dmp

Filesize
5.7MB

Download
memory/4800-0-0x0000000074D32000-0x0000000074D33000-memory.dmp

Filesize
4KB

Download
memory/4800-29-0x0000000074D30000-0x00000000752E1000-memory.dmp

Filesize
5.7MB

Download
memory/4800-2-0x0000000074D30000-0x00000000752E1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads