darkcomet | d6c04968ad6d636d10292cee6a79d9cef40249dcf85748540bdbc035e0f7272f

General

Target

17db6b63abdf05059a5da75ad3827a15_JaffaCakes118.exe
Size

482KB
MD5

17db6b63abdf05059a5da75ad3827a15
SHA1

3804d4f14faf27a69e0cdc2ff16a9d632d683d6b
SHA256

d6c04968ad6d636d10292cee6a79d9cef40249dcf85748540bdbc035e0f7272f
SHA512

07130d273579cec897a210e327015871b013b258925dc93e43190f57f61e094aae46859a36b1dca7367833515423c050aa912495fa118708fea286fc904f368d
SSDEEP

12288:keulMGw/qn159UyLOBIXDS/zujIKDsiqHHlR8bQOo5hmrbSd:znGwyDKyLPGLpKDs1l6QO4si

Score

10^/10

darkcomet guest16 discovery rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

127.0.0.1:1604

Mutex

DC_MUTEX-621PKS9

Attributes

gencode
JEGsEmifGvri
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Executes dropped EXE 2 IoCs

pid	Process
308	b2e.exe
2660	batchfile.bat

Loads dropped DLL 7 IoCs

pid	Process
2460	17db6b63abdf05059a5da75ad3827a15_JaffaCakes118.exe
2460	17db6b63abdf05059a5da75ad3827a15_JaffaCakes118.exe
308	b2e.exe
308	b2e.exe
308	b2e.exe
308	b2e.exe
308	b2e.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2460-17-0x0000000000400000-0x00000000004BC000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	batchfile.bat
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	17db6b63abdf05059a5da75ad3827a15_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2e.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2660	batchfile.bat
Token: SeSecurityPrivilege	2660	batchfile.bat
Token: SeTakeOwnershipPrivilege	2660	batchfile.bat
Token: SeLoadDriverPrivilege	2660	batchfile.bat
Token: SeSystemProfilePrivilege	2660	batchfile.bat
Token: SeSystemtimePrivilege	2660	batchfile.bat
Token: SeProfSingleProcessPrivilege	2660	batchfile.bat
Token: SeIncBasePriorityPrivilege	2660	batchfile.bat
Token: SeCreatePagefilePrivilege	2660	batchfile.bat
Token: SeBackupPrivilege	2660	batchfile.bat
Token: SeRestorePrivilege	2660	batchfile.bat
Token: SeShutdownPrivilege	2660	batchfile.bat
Token: SeDebugPrivilege	2660	batchfile.bat
Token: SeSystemEnvironmentPrivilege	2660	batchfile.bat
Token: SeChangeNotifyPrivilege	2660	batchfile.bat
Token: SeRemoteShutdownPrivilege	2660	batchfile.bat
Token: SeUndockPrivilege	2660	batchfile.bat
Token: SeManageVolumePrivilege	2660	batchfile.bat
Token: SeImpersonatePrivilege	2660	batchfile.bat
Token: SeCreateGlobalPrivilege	2660	batchfile.bat
Token: 33	2660	batchfile.bat
Token: 34	2660	batchfile.bat
Token: 35	2660	batchfile.bat

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2660	batchfile.bat

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 308	2460	17db6b63abdf05059a5da75ad3827a15_JaffaCakes118.exe	31
PID 2460 wrote to memory of 308	2460	17db6b63abdf05059a5da75ad3827a15_JaffaCakes118.exe	31
PID 2460 wrote to memory of 308	2460	17db6b63abdf05059a5da75ad3827a15_JaffaCakes118.exe	31
PID 2460 wrote to memory of 308	2460	17db6b63abdf05059a5da75ad3827a15_JaffaCakes118.exe	31
PID 308 wrote to memory of 2660	308	b2e.exe	32
PID 308 wrote to memory of 2660	308	b2e.exe	32
PID 308 wrote to memory of 2660	308	b2e.exe	32
PID 308 wrote to memory of 2660	308	b2e.exe	32

C:\Users\Admin\AppData\Local\Temp\17db6b63abdf05059a5da75ad3827a15_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\17db6b63abdf05059a5da75ad3827a15_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\17db6b63abdf05059a5da75ad3827a15_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:308
- - C:\Users\Admin\AppData\Local\Temp\EA7E.tmp\batchfile.bat
    "C:\Users\Admin\AppData\Local\Temp\EA7E.tmp\batchfile.bat"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EA7E.tmp\batchfile.bat

Filesize
658KB

MD5
7dec066cc4784b819b6dbb2406fb861d

SHA1
2ea04a0c6cd0e748f4b9dd425c6d33a649a647c6

SHA256
705111e098b101ccad70f12e080a2c42d61ca0204bf83996060ca7dff31044d5

SHA512
d2f950ad32782c059388dc254522f41697cefd80987c567b5350e2b0ea513aacd7a28ca42fbf32053ae851db205df1065481159b8fbcccfc9d2cc8bef86eac99

Download Submit
\Users\Admin\AppData\Local\Temp\E9A4.tmp\b2e.exe

Filesize
666KB

MD5
d374331748de9ec578cebdbced378fa2

SHA1
b2c373b99e759df721aa5b94595bfaf709fcdccf

SHA256
1230ac53efc428d6f6ac5a4a34b871715eb216fab3517eeb77efa7c62b6b30b6

SHA512
878f7e673a68d068aa5fece99a7853967e53f99565eef44d44fbdc174c1bb70e5e4b9b9e9c18dceab8fa6a268e59c0f4f344007526bab4e91b988af2d4e91cbb

Download Submit
memory/308-21-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2460-18-0x0000000000220000-0x000000000026E000-memory.dmp

Filesize
312KB

Download
memory/2460-22-0x00000000760E0000-0x00000000761F0000-memory.dmp

Filesize
1.1MB

Download
memory/2460-3-0x00000000002A0000-0x00000000002B0000-memory.dmp

Filesize
64KB

Download
memory/2460-6-0x00000000760E0000-0x00000000761F0000-memory.dmp

Filesize
1.1MB

Download
memory/2460-5-0x00000000760F1000-0x00000000760F2000-memory.dmp

Filesize
4KB

Download
memory/2460-11-0x0000000000610000-0x0000000000615000-memory.dmp

Filesize
20KB

Download
memory/2460-0-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2460-1-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2460-17-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2460-4-0x0000000077BC0000-0x0000000077BC1000-memory.dmp

Filesize
4KB

Download
memory/2460-2-0x0000000000220000-0x000000000026E000-memory.dmp

Filesize
312KB

Download
memory/2660-39-0x00000000760E0000-0x00000000761F0000-memory.dmp

Filesize
1.1MB

Download
memory/2660-41-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2660-42-0x00000000760E0000-0x00000000761F0000-memory.dmp

Filesize
1.1MB

Download
memory/2660-44-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2660-48-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2660-51-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing