darkcomet | ce0a51650f34b2fe144bb4e75e3c02ce17620747286261cfc63d203afda26d21

General

Target

512e15f39afaf4bd204454deb4f2bea0_JaffaCakes118.exe
Size

1.3MB
MD5

512e15f39afaf4bd204454deb4f2bea0
SHA1

861246e9af0ecdc148ee87f1103d6ebdef5ce991
SHA256

ce0a51650f34b2fe144bb4e75e3c02ce17620747286261cfc63d203afda26d21
SHA512

75a09c73f4531ec80fb51b24e0592d231f52257a25f1e243403cebf1ca0e01af38e4545e8f4b9612c5fce0e82045d85380360e3ed4f25693165a9cfdc8d63e39
SSDEEP

12288:2MeRfvBd3gpuNWd0nGTpcTJAmfCppjLTQ14CtYMyhEeWcb2/iM5xZGQ8WwYSYryJ:2hpCzNkeEpFwLzISPTr+p9D0QZh9u

Score

10^/10

darkcomet guest16 discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

127.0.0.1:1604

192.168.1.66:1604

scottreadingfc.zapto.org:1604

Mutex

DC_MUTEX-KDK4V5U

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
yPpxaq4gnzED
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	vbc.exe

Executes dropped EXE 1 IoCs

Processes:

msdcsc.exe

pid	Process
2292	msdcsc.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	vbc.exe

Drops file in System32 directory 3 IoCs

Processes:

vbc.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	vbc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

512e15f39afaf4bd204454deb4f2bea0_JaffaCakes118.exe

description	pid	Process	procid_target
PID 4296 set thread context of 3800	4296	512e15f39afaf4bd204454deb4f2bea0_JaffaCakes118.exe	85

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

512e15f39afaf4bd204454deb4f2bea0_JaffaCakes118.exevbc.exemsdcsc.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	512e15f39afaf4bd204454deb4f2bea0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

vbc.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3800	vbc.exe
Token: SeSecurityPrivilege	3800	vbc.exe
Token: SeTakeOwnershipPrivilege	3800	vbc.exe
Token: SeLoadDriverPrivilege	3800	vbc.exe
Token: SeSystemProfilePrivilege	3800	vbc.exe
Token: SeSystemtimePrivilege	3800	vbc.exe
Token: SeProfSingleProcessPrivilege	3800	vbc.exe
Token: SeIncBasePriorityPrivilege	3800	vbc.exe
Token: SeCreatePagefilePrivilege	3800	vbc.exe
Token: SeBackupPrivilege	3800	vbc.exe
Token: SeRestorePrivilege	3800	vbc.exe
Token: SeShutdownPrivilege	3800	vbc.exe
Token: SeDebugPrivilege	3800	vbc.exe
Token: SeSystemEnvironmentPrivilege	3800	vbc.exe
Token: SeChangeNotifyPrivilege	3800	vbc.exe
Token: SeRemoteShutdownPrivilege	3800	vbc.exe
Token: SeUndockPrivilege	3800	vbc.exe
Token: SeManageVolumePrivilege	3800	vbc.exe
Token: SeImpersonatePrivilege	3800	vbc.exe
Token: SeCreateGlobalPrivilege	3800	vbc.exe
Token: 33	3800	vbc.exe
Token: 34	3800	vbc.exe
Token: 35	3800	vbc.exe
Token: 36	3800	vbc.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

512e15f39afaf4bd204454deb4f2bea0_JaffaCakes118.exevbc.exe

description	pid	Process	procid_target
PID 4296 wrote to memory of 3800	4296	512e15f39afaf4bd204454deb4f2bea0_JaffaCakes118.exe	85
PID 4296 wrote to memory of 3800	4296	512e15f39afaf4bd204454deb4f2bea0_JaffaCakes118.exe	85
PID 4296 wrote to memory of 3800	4296	512e15f39afaf4bd204454deb4f2bea0_JaffaCakes118.exe	85
PID 4296 wrote to memory of 3800	4296	512e15f39afaf4bd204454deb4f2bea0_JaffaCakes118.exe	85
PID 4296 wrote to memory of 3800	4296	512e15f39afaf4bd204454deb4f2bea0_JaffaCakes118.exe	85
PID 4296 wrote to memory of 3800	4296	512e15f39afaf4bd204454deb4f2bea0_JaffaCakes118.exe	85
PID 4296 wrote to memory of 3800	4296	512e15f39afaf4bd204454deb4f2bea0_JaffaCakes118.exe	85
PID 4296 wrote to memory of 3800	4296	512e15f39afaf4bd204454deb4f2bea0_JaffaCakes118.exe	85
PID 4296 wrote to memory of 3800	4296	512e15f39afaf4bd204454deb4f2bea0_JaffaCakes118.exe	85
PID 4296 wrote to memory of 3800	4296	512e15f39afaf4bd204454deb4f2bea0_JaffaCakes118.exe	85
PID 4296 wrote to memory of 3800	4296	512e15f39afaf4bd204454deb4f2bea0_JaffaCakes118.exe	85
PID 4296 wrote to memory of 3800	4296	512e15f39afaf4bd204454deb4f2bea0_JaffaCakes118.exe	85
PID 4296 wrote to memory of 3800	4296	512e15f39afaf4bd204454deb4f2bea0_JaffaCakes118.exe	85
PID 4296 wrote to memory of 3800	4296	512e15f39afaf4bd204454deb4f2bea0_JaffaCakes118.exe	85
PID 3800 wrote to memory of 2292	3800	vbc.exe	87
PID 3800 wrote to memory of 2292	3800	vbc.exe	87
PID 3800 wrote to memory of 2292	3800	vbc.exe	87

C:\Users\Admin\AppData\Local\Temp\512e15f39afaf4bd204454deb4f2bea0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\512e15f39afaf4bd204454deb4f2bea0_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4296
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Modifies WinLogon for persistence
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3800
- - C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
    "C:\Windows\system32\MSDCSC\msdcsc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
memory/3800-3-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3800-4-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3800-6-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3800-7-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3800-8-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3800-21-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/4296-0-0x0000000075242000-0x0000000075243000-memory.dmp

Filesize
4KB

Download
memory/4296-1-0x0000000075240000-0x00000000757F1000-memory.dmp

Filesize
5.7MB

Download
memory/4296-2-0x0000000075240000-0x00000000757F1000-memory.dmp

Filesize
5.7MB

Download
memory/4296-19-0x0000000075240000-0x00000000757F1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads