darkcomet | bf9236bc467d179dd9119f9444f724b526f929bacb3295cfbbff4cfa18d43a68

General

Target

175f4a750caf0d226362165ee8498dd0_JaffaCakes118.exe
Size

403KB
MD5

175f4a750caf0d226362165ee8498dd0
SHA1

8d6483d5eeb3aa18ad81befd0058f56500bcb070
SHA256

bf9236bc467d179dd9119f9444f724b526f929bacb3295cfbbff4cfa18d43a68
SHA512

87993bc5aee2b40146162b2a4b6793d5e72da5754d5993a199b7f4df20effdfbf1f94935e16d84a6bd4bbd3ec46c898576669bb2a3651ab89b5c6f4d24a0fa63
SSDEEP

12288:ClghoSqVNJ/Jj03vCGk9wsVzvCGNqHvuCJ:Qg2VNb0Xk9wsBCGqHv/

Score

10^/10

darkcomet guest16 discovery rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

marexack1996.no-ip.org:200

Mutex

DC_MUTEX-HJ266LU

Attributes

gencode
WvT8qVomrzLp
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	175f4a750caf0d226362165ee8498dd0_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2840	Stage2.exe
2520	Stage1.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2208-0-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/files/0x000a00000002343d-5.dat	upx
behavioral2/memory/2840-12-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral2/memory/2840-16-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral2/memory/2208-20-0x0000000000400000-0x0000000000424000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	175f4a750caf0d226362165ee8498dd0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Stage2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Stage1.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2520	Stage1.exe
Token: SeSecurityPrivilege	2520	Stage1.exe
Token: SeTakeOwnershipPrivilege	2520	Stage1.exe
Token: SeLoadDriverPrivilege	2520	Stage1.exe
Token: SeSystemProfilePrivilege	2520	Stage1.exe
Token: SeSystemtimePrivilege	2520	Stage1.exe
Token: SeProfSingleProcessPrivilege	2520	Stage1.exe
Token: SeIncBasePriorityPrivilege	2520	Stage1.exe
Token: SeCreatePagefilePrivilege	2520	Stage1.exe
Token: SeBackupPrivilege	2520	Stage1.exe
Token: SeRestorePrivilege	2520	Stage1.exe
Token: SeShutdownPrivilege	2520	Stage1.exe
Token: SeDebugPrivilege	2520	Stage1.exe
Token: SeSystemEnvironmentPrivilege	2520	Stage1.exe
Token: SeChangeNotifyPrivilege	2520	Stage1.exe
Token: SeRemoteShutdownPrivilege	2520	Stage1.exe
Token: SeUndockPrivilege	2520	Stage1.exe
Token: SeManageVolumePrivilege	2520	Stage1.exe
Token: SeImpersonatePrivilege	2520	Stage1.exe
Token: SeCreateGlobalPrivilege	2520	Stage1.exe
Token: 33	2520	Stage1.exe
Token: 34	2520	Stage1.exe
Token: 35	2520	Stage1.exe
Token: 36	2520	Stage1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2520	Stage1.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2840	2208	175f4a750caf0d226362165ee8498dd0_JaffaCakes118.exe	82
PID 2208 wrote to memory of 2840	2208	175f4a750caf0d226362165ee8498dd0_JaffaCakes118.exe	82
PID 2208 wrote to memory of 2840	2208	175f4a750caf0d226362165ee8498dd0_JaffaCakes118.exe	82
PID 2208 wrote to memory of 2520	2208	175f4a750caf0d226362165ee8498dd0_JaffaCakes118.exe	84
PID 2208 wrote to memory of 2520	2208	175f4a750caf0d226362165ee8498dd0_JaffaCakes118.exe	84
PID 2208 wrote to memory of 2520	2208	175f4a750caf0d226362165ee8498dd0_JaffaCakes118.exe	84
PID 2520 wrote to memory of 2436	2520	Stage1.exe	85
PID 2520 wrote to memory of 2436	2520	Stage1.exe	85
PID 2520 wrote to memory of 2436	2520	Stage1.exe	85
PID 2520 wrote to memory of 2512	2520	Stage1.exe	86
PID 2520 wrote to memory of 2512	2520	Stage1.exe	86

C:\Users\Admin\AppData\Local\Temp\175f4a750caf0d226362165ee8498dd0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\175f4a750caf0d226362165ee8498dd0_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Local\Temp\Stage2.exe
  "C:\Users\Admin\AppData\Local\Temp\Stage2.exe" x -y -oC:\Users\Admin\AppData\Local\Temp -pxnq8rPMxVI87ciGwWJHxRTy3iauHcIirteOOELv3B5vkS9kJoHBUAahY1dWxj8yA
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2840
- C:\Users\Admin\AppData\Local\Temp\Stage1.exe
  "C:\Users\Admin\AppData\Local\Temp\Stage1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:2436
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Stage1.exe

Filesize
658KB

MD5
8e06615ea9e2894d5ae0e4ce99520fbb

SHA1
911c192978fcbd4ce09942d45edcc34705e3395f

SHA256
0e773d4e2c91076a6bc35f30793697994938e626acbb61339710777c3d9289aa

SHA512
bdabe62c7be64066c5ba1cee44d29e432583be911aee272c27523e1c571d0f0b3c7744ee4ca9590e6a6dfbf972036fad390c70ee368c6c14050b1cffe89ba582

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stage2.exe

Filesize
356KB

MD5
63d5aa89b38e069731bef763ff2d506e

SHA1
628aa05360a926c1892a390c24e80851986a8605

SHA256
6f66ea4369dbf59f4b9ea08d3d706f3582b51b0f7a5181884d3f6266eb82dad6

SHA512
aef8a3c95c882550dc3e6c3bf9ab0f1877cdee42d882df9cad65708c0040c287b005275ab90030de0f1313a37d0db5ba339db8d354cdc6e64bac1d96cb254960

Download Submit
memory/2208-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2208-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2520-27-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2520-33-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2520-49-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2520-23-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/2520-22-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2520-25-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2520-47-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2520-29-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2520-31-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2520-19-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/2520-35-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2520-37-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2520-39-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2520-41-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2520-43-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2520-45-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2840-12-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2840-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing