Analysis
- max time kernel: 149s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/10/2024, 02:02
Behavioral task: behavioral1
- Sample: 1aded2f7199b22f184fd8e5937782fec_JaffaCakes118.exe
- Resource: win7-20240903-en
General
- Target: 1aded2f7199b22f184fd8e5937782fec_JaffaCakes118.exe
- Size: 672KB
- MD5: 1aded2f7199b22f184fd8e5937782fec
- SHA1: b2d63ee25d93d803c28840e1de5c98486af16fb4
- SHA256: d49bd5525128b200e713c8f4bf31d5573fa39b425e49ca30cd11c76f17115cc9
- SHA512: 570b956a08f6b188a075bb5f47b84c2657df9610481036dd5b24d6e14d77de3a9a8cb3f6dab42990102b8c85e8d28514eb8cf04058cbb673f667228f48d044ef
- SSDEEP: 12288:N9AFlAd0Z+89cxTGzO4AucTD8QP2lmFSrVs9LqnKVE:bAQ6Zx9cxTmOrucTIEFSpOGEE
Malware Config
Signatures
- Checks BIOS information in registry (2 TTPs, 1 IoC)
  BIOS information is often read in order to detect sandboxing environments.
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate (process: my shit.exe)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  - Key value queried: \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation (process: 1aded2f7199b22f184fd8e5937782fec_JaffaCakes118.exe)
- Executes dropped EXE (1 IoC)
  - PID 3236: my shit.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 1aded2f7199b22f184fd8e5937782fec_JaffaCakes118.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: my shit.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: notepad.exe)
- Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: my shit.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (process: my shit.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (process: my shit.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: my shit.exe)
- Enumerates system info in registry (2 TTPs, 1 IoC)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier (process: my shit.exe)
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  All 24 entries come from my shit.exe (PID 3236). Tokens adjusted: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36.
- Suspicious use of SetWindowsHookEx (1 IoC)
  - PID 2136: 1aded2f7199b22f184fd8e5937782fec_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (25 IoCs)
  - PID 2136 (1aded2f7199b22f184fd8e5937782fec_JaffaCakes118.exe) wrote to memory of PID 3236; procid_target 82 (3 identical entries)
  - PID 3236 (my shit.exe) wrote to memory of PID 2000; procid_target 83 (22 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\1aded2f7199b22f184fd8e5937782fec_JaffaCakes118.exe (PID 2136, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1aded2f7199b22f184fd8e5937782fec_JaffaCakes118.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\my shit.exe (PID 3236, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\my shit.exe" 0
    - Checks BIOS information in registry
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\notepad.exe (PID 2000, level 3)
      Command line: C:\Windows\SysWOW64\notepad.exe
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 658KB
- MD5: 8ed77cf3d04b2c1129fda755515c216a
- SHA1: ea25eee12552fd748a8cc828cd0272d58f26e6d6
- SHA256: 0ba5f705de460ef323dc3984a38dfd8c58a99a22c0f78041771aba6c2e9542b3
- SHA512: a020a1c2da9a723feee923bd58a12ceeee1f7b82570d46b36221ab5d48bccee0550007c7aa4c2186d8c6a03c3b6e06c106a05e45ff8a985a3bebb1fdb9a41341