darkcomet | 578eb32648c415f048d0a357ec5aba580ee14292ce77cc143fbbd9bca9f22b47

General

Target

155c15fa44f501df0e5cf64a40dda8b7_JaffaCakes118.exe
Size

1.3MB
MD5

155c15fa44f501df0e5cf64a40dda8b7
SHA1

98b748c9a27d7da0e803035dcfb6e8425cd006c7
SHA256

578eb32648c415f048d0a357ec5aba580ee14292ce77cc143fbbd9bca9f22b47
SHA512

b69eaef73dd1e1fea43d53197dfab70d3a672885d07547579d2f929978d0ed288b59e0b5af39396ee06e913589a72dab7302d114541353a2e964f4d09b46bbe8
SSDEEP

24576:SDRfULfyBlOI29Pb7OGPOjv7URO0lfIlmwMRvPlmKEYlmIQMRSNWK4YC:SVklgzpmwMJK7C

Score

10^/10

darkcomet guest16_min discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16_min

C2

127.0.0.1:100

Mutex

DCMIN_MUTEX-FDQ0K24

Attributes

InstallPath
DCSCMIN\IMDCSC.exe
gencode
T7ltFxUeoHFm
install
true
offline_keylogger
true
persistence
false
reg_key
DarkComet RAT

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Crypted.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	Crypted.exe

Executes dropped EXE 2 IoCs

Processes:

Crypted.exeIMDCSC.exe

pid process

2792 Crypted.exe
2804 IMDCSC.exe
Loads dropped DLL 4 IoCs

Processes:

155c15fa44f501df0e5cf64a40dda8b7_JaffaCakes118.exeCrypted.exe

pid process

764 155c15fa44f501df0e5cf64a40dda8b7_JaffaCakes118.exe
764 155c15fa44f501df0e5cf64a40dda8b7_JaffaCakes118.exe
2792 Crypted.exe
2792 Crypted.exe

pid	process
2792	Crypted.exe
2804	IMDCSC.exe

pid	process
764	155c15fa44f501df0e5cf64a40dda8b7_JaffaCakes118.exe
764	155c15fa44f501df0e5cf64a40dda8b7_JaffaCakes118.exe
2792	Crypted.exe
2792	Crypted.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Crypted.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	Crypted.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

155c15fa44f501df0e5cf64a40dda8b7_JaffaCakes118.exeCrypted.exeIMDCSC.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	155c15fa44f501df0e5cf64a40dda8b7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Crypted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMDCSC.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

Crypted.exeIMDCSC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2792	Crypted.exe
Token: SeSecurityPrivilege	2792	Crypted.exe
Token: SeTakeOwnershipPrivilege	2792	Crypted.exe
Token: SeLoadDriverPrivilege	2792	Crypted.exe
Token: SeSystemProfilePrivilege	2792	Crypted.exe
Token: SeSystemtimePrivilege	2792	Crypted.exe
Token: SeProfSingleProcessPrivilege	2792	Crypted.exe
Token: SeIncBasePriorityPrivilege	2792	Crypted.exe
Token: SeCreatePagefilePrivilege	2792	Crypted.exe
Token: SeBackupPrivilege	2792	Crypted.exe
Token: SeRestorePrivilege	2792	Crypted.exe
Token: SeShutdownPrivilege	2792	Crypted.exe
Token: SeDebugPrivilege	2792	Crypted.exe
Token: SeSystemEnvironmentPrivilege	2792	Crypted.exe
Token: SeChangeNotifyPrivilege	2792	Crypted.exe
Token: SeRemoteShutdownPrivilege	2792	Crypted.exe
Token: SeUndockPrivilege	2792	Crypted.exe
Token: SeManageVolumePrivilege	2792	Crypted.exe
Token: SeImpersonatePrivilege	2792	Crypted.exe
Token: SeCreateGlobalPrivilege	2792	Crypted.exe
Token: 33	2792	Crypted.exe
Token: 34	2792	Crypted.exe
Token: 35	2792	Crypted.exe
Token: SeIncreaseQuotaPrivilege	2804	IMDCSC.exe
Token: SeSecurityPrivilege	2804	IMDCSC.exe
Token: SeTakeOwnershipPrivilege	2804	IMDCSC.exe
Token: SeLoadDriverPrivilege	2804	IMDCSC.exe
Token: SeSystemProfilePrivilege	2804	IMDCSC.exe
Token: SeSystemtimePrivilege	2804	IMDCSC.exe
Token: SeProfSingleProcessPrivilege	2804	IMDCSC.exe
Token: SeIncBasePriorityPrivilege	2804	IMDCSC.exe
Token: SeCreatePagefilePrivilege	2804	IMDCSC.exe
Token: SeBackupPrivilege	2804	IMDCSC.exe
Token: SeRestorePrivilege	2804	IMDCSC.exe
Token: SeShutdownPrivilege	2804	IMDCSC.exe
Token: SeDebugPrivilege	2804	IMDCSC.exe
Token: SeSystemEnvironmentPrivilege	2804	IMDCSC.exe
Token: SeChangeNotifyPrivilege	2804	IMDCSC.exe
Token: SeRemoteShutdownPrivilege	2804	IMDCSC.exe
Token: SeUndockPrivilege	2804	IMDCSC.exe
Token: SeManageVolumePrivilege	2804	IMDCSC.exe
Token: SeImpersonatePrivilege	2804	IMDCSC.exe
Token: SeCreateGlobalPrivilege	2804	IMDCSC.exe
Token: 33	2804	IMDCSC.exe
Token: 34	2804	IMDCSC.exe
Token: 35	2804	IMDCSC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

IMDCSC.exe

pid process

2804 IMDCSC.exe

pid	process
2804	IMDCSC.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

155c15fa44f501df0e5cf64a40dda8b7_JaffaCakes118.exeCrypted.exe

description	pid	process	target process
PID 764 wrote to memory of 2792	764	155c15fa44f501df0e5cf64a40dda8b7_JaffaCakes118.exe	Crypted.exe
PID 764 wrote to memory of 2792	764	155c15fa44f501df0e5cf64a40dda8b7_JaffaCakes118.exe	Crypted.exe
PID 764 wrote to memory of 2792	764	155c15fa44f501df0e5cf64a40dda8b7_JaffaCakes118.exe	Crypted.exe
PID 764 wrote to memory of 2792	764	155c15fa44f501df0e5cf64a40dda8b7_JaffaCakes118.exe	Crypted.exe
PID 2792 wrote to memory of 2804	2792	Crypted.exe	IMDCSC.exe
PID 2792 wrote to memory of 2804	2792	Crypted.exe	IMDCSC.exe
PID 2792 wrote to memory of 2804	2792	Crypted.exe	IMDCSC.exe
PID 2792 wrote to memory of 2804	2792	Crypted.exe	IMDCSC.exe

C:\Users\Admin\AppData\Local\Temp\155c15fa44f501df0e5cf64a40dda8b7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\155c15fa44f501df0e5cf64a40dda8b7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:764
- C:\Users\Admin\AppData\Local\Temp\Crypted.exe
  "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
    "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Crypted.exe

Filesize
658KB

MD5
47b1ec13ad50ecbc1a2cb0395d27d57e

SHA1
831db81b1cbcd26e9298e184773689b7bd15190e

SHA256
29a29fc4451db81334507c3f350e663cd74134e722da3503c0a92d44f650f0d2

SHA512
0ee800239fd24b00dd91515a2cdbaa28e718b12bc0839879174167f7d1c9d83a11c60015bdb63e656e0c255016efaca91b2a45d636e2632b6d6149d667a036a1

Download Submit
memory/764-0-0x00000000748D1000-0x00000000748D2000-memory.dmp

Filesize
4KB

Download
memory/764-1-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/764-2-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/764-25-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/2792-12-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2792-24-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2804-26-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2804-29-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads