darkcomet | 7c87cdb90f0d491daae2eccd5086369be8c6bedf0a64949fbdef56b9b669e952

General

Target

3e985bdc5f361dd3888e297a16954ef7_JaffaCakes118.exe
Size

743KB
MD5

3e985bdc5f361dd3888e297a16954ef7
SHA1

155fc36725ba673639801b010bd08c0f1e8be20b
SHA256

7c87cdb90f0d491daae2eccd5086369be8c6bedf0a64949fbdef56b9b669e952
SHA512

fd47445e80bd395309092642a69a1e39b32c3a07adf197276061732a87d3e8482984454620a82f32c87cf2438afcff955030c7decb657b7364bcce22f364b7d5
SSDEEP

12288:pb6irgErd6tBwz0b4EQboJoMzv2Q5nWQBiroq40oDqV77nu3PbQoh:p+Mh0M0cUJpeQrAsmV77uTQi

Score

10^/10

darkcomet discovery rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2448 set thread context of 1692	2448	3e985bdc5f361dd3888e297a16954ef7_JaffaCakes118.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3e985bdc5f361dd3888e297a16954ef7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3e985bdc5f361dd3888e297a16954ef7_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1692	3e985bdc5f361dd3888e297a16954ef7_JaffaCakes118.exe
Token: SeSecurityPrivilege	1692	3e985bdc5f361dd3888e297a16954ef7_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	1692	3e985bdc5f361dd3888e297a16954ef7_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	1692	3e985bdc5f361dd3888e297a16954ef7_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	1692	3e985bdc5f361dd3888e297a16954ef7_JaffaCakes118.exe
Token: SeSystemtimePrivilege	1692	3e985bdc5f361dd3888e297a16954ef7_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	1692	3e985bdc5f361dd3888e297a16954ef7_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1692	3e985bdc5f361dd3888e297a16954ef7_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	1692	3e985bdc5f361dd3888e297a16954ef7_JaffaCakes118.exe
Token: SeBackupPrivilege	1692	3e985bdc5f361dd3888e297a16954ef7_JaffaCakes118.exe
Token: SeRestorePrivilege	1692	3e985bdc5f361dd3888e297a16954ef7_JaffaCakes118.exe
Token: SeShutdownPrivilege	1692	3e985bdc5f361dd3888e297a16954ef7_JaffaCakes118.exe
Token: SeDebugPrivilege	1692	3e985bdc5f361dd3888e297a16954ef7_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	1692	3e985bdc5f361dd3888e297a16954ef7_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	1692	3e985bdc5f361dd3888e297a16954ef7_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	1692	3e985bdc5f361dd3888e297a16954ef7_JaffaCakes118.exe
Token: SeUndockPrivilege	1692	3e985bdc5f361dd3888e297a16954ef7_JaffaCakes118.exe
Token: SeManageVolumePrivilege	1692	3e985bdc5f361dd3888e297a16954ef7_JaffaCakes118.exe
Token: SeImpersonatePrivilege	1692	3e985bdc5f361dd3888e297a16954ef7_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	1692	3e985bdc5f361dd3888e297a16954ef7_JaffaCakes118.exe
Token: 33	1692	3e985bdc5f361dd3888e297a16954ef7_JaffaCakes118.exe
Token: 34	1692	3e985bdc5f361dd3888e297a16954ef7_JaffaCakes118.exe
Token: 35	1692	3e985bdc5f361dd3888e297a16954ef7_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2448	3e985bdc5f361dd3888e297a16954ef7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 1692	2448	3e985bdc5f361dd3888e297a16954ef7_JaffaCakes118.exe	31
PID 2448 wrote to memory of 1692	2448	3e985bdc5f361dd3888e297a16954ef7_JaffaCakes118.exe	31
PID 2448 wrote to memory of 1692	2448	3e985bdc5f361dd3888e297a16954ef7_JaffaCakes118.exe	31
PID 2448 wrote to memory of 1692	2448	3e985bdc5f361dd3888e297a16954ef7_JaffaCakes118.exe	31
PID 2448 wrote to memory of 1692	2448	3e985bdc5f361dd3888e297a16954ef7_JaffaCakes118.exe	31
PID 2448 wrote to memory of 1692	2448	3e985bdc5f361dd3888e297a16954ef7_JaffaCakes118.exe	31
PID 2448 wrote to memory of 1692	2448	3e985bdc5f361dd3888e297a16954ef7_JaffaCakes118.exe	31
PID 2448 wrote to memory of 1692	2448	3e985bdc5f361dd3888e297a16954ef7_JaffaCakes118.exe	31
PID 2448 wrote to memory of 1692	2448	3e985bdc5f361dd3888e297a16954ef7_JaffaCakes118.exe	31
PID 2448 wrote to memory of 1692	2448	3e985bdc5f361dd3888e297a16954ef7_JaffaCakes118.exe	31
PID 2448 wrote to memory of 1692	2448	3e985bdc5f361dd3888e297a16954ef7_JaffaCakes118.exe	31
PID 2448 wrote to memory of 1692	2448	3e985bdc5f361dd3888e297a16954ef7_JaffaCakes118.exe	31
PID 2448 wrote to memory of 1692	2448	3e985bdc5f361dd3888e297a16954ef7_JaffaCakes118.exe	31
PID 2448 wrote to memory of 1692	2448	3e985bdc5f361dd3888e297a16954ef7_JaffaCakes118.exe	31
PID 2448 wrote to memory of 1692	2448	3e985bdc5f361dd3888e297a16954ef7_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\3e985bdc5f361dd3888e297a16954ef7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3e985bdc5f361dd3888e297a16954ef7_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Users\Admin\AppData\Local\Temp\3e985bdc5f361dd3888e297a16954ef7_JaffaCakes118.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1692-2-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/1692-3-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/1692-4-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/1692-5-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/1692-6-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/1692-7-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/1692-8-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/1692-9-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/1692-11-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download

Analysis

Sharing