darkcomet | e9ea71bbc7a83a1745464586854b571a1f09c553865f1f5f7fc32eeccf452037

General

Target

5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe
Size

776KB
MD5

5997d3d363834fd18a0a3295cd139069
SHA1

902004ad30a42685637fc248288e7ae970398078
SHA256

e9ea71bbc7a83a1745464586854b571a1f09c553865f1f5f7fc32eeccf452037
SHA512

8b00e9f893ef6da2213dd84ea5e65468a941d215b3856e884126532b157c007571a3312799f23449cccd36f8c0f108bac20e54ec8b7c19e66f3c9e4c584f04b6
SSDEEP

12288:29AFlAd0Z+89cxTGzO4AucTD8QP2lmFSrVs9LqnKEW:MAQ6Zx9cxTmOrucTIEFSpOGpW

Score

10^/10

darkcomet discovery rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exeDllHost.exenotepad.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2404	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe
Token: SeSecurityPrivilege	2404	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2404	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2404	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2404	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2404	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2404	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2404	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2404	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe
Token: SeBackupPrivilege	2404	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe
Token: SeRestorePrivilege	2404	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe
Token: SeShutdownPrivilege	2404	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe
Token: SeDebugPrivilege	2404	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2404	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2404	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2404	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe
Token: SeUndockPrivilege	2404	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2404	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2404	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2404	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe
Token: 33	2404	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe
Token: 34	2404	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe
Token: 35	2404	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

DllHost.exe

pid	Process
2984	DllHost.exe
2984	DllHost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

DllHost.exe

pid	Process
2984	DllHost.exe
2984	DllHost.exe
2984	DllHost.exe
2984	DllHost.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe

description	pid	Process	procid_target
PID 2404 wrote to memory of 1220	2404	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe	32
PID 2404 wrote to memory of 1220	2404	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe	32
PID 2404 wrote to memory of 1220	2404	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe	32
PID 2404 wrote to memory of 1220	2404	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe	32
PID 2404 wrote to memory of 1220	2404	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe	32
PID 2404 wrote to memory of 1220	2404	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe	32
PID 2404 wrote to memory of 1220	2404	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe	32
PID 2404 wrote to memory of 1220	2404	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe	32
PID 2404 wrote to memory of 1220	2404	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe	32
PID 2404 wrote to memory of 1220	2404	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe	32
PID 2404 wrote to memory of 1220	2404	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe	32
PID 2404 wrote to memory of 1220	2404	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe	32
PID 2404 wrote to memory of 1220	2404	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe	32
PID 2404 wrote to memory of 1220	2404	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe	32
PID 2404 wrote to memory of 1220	2404	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe	32
PID 2404 wrote to memory of 1220	2404	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe	32
PID 2404 wrote to memory of 1220	2404	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe	32
PID 2404 wrote to memory of 1220	2404	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe	32
PID 2404 wrote to memory of 1220	2404	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe	32
PID 2404 wrote to memory of 1220	2404	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe	32
PID 2404 wrote to memory of 1220	2404	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe	32
PID 2404 wrote to memory of 1220	2404	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe	32
PID 2404 wrote to memory of 1220	2404	5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5997d3d363834fd18a0a3295cd139069_JaffaCakes118.exe"
1⤵
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Windows\SysWOW64\notepad.exe
  C:\Windows\SysWOW64\notepad.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1220

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WINDOWS-8-LOADER.PNG

Filesize
19KB

MD5
779d9014183ba53186bf193232c79218

SHA1
dbdad6acf7b91190497c09b3eb4984a0ad560a8f

SHA256
5650a3ba42989aeba050a23053bff8fa816957274ea258d42ef6e7958183b7ef

SHA512
1924a5fb5d066d9041827835b0231790d63710668d95e3c430f6949bd650a95b80c75ab0202a67bca4bc21eeb6185f00809df563aa428e3e450bb282e612afea

Download Submit
memory/1220-31-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1220-6-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2404-37-0x0000000013140000-0x0000000013214000-memory.dmp

Filesize
848KB

Download
memory/2404-2-0x00000000023F0000-0x00000000023F2000-memory.dmp

Filesize
8KB

Download
memory/2404-34-0x0000000013140000-0x0000000013214000-memory.dmp

Filesize
848KB

Download
memory/2404-0-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2404-39-0x0000000013140000-0x0000000013214000-memory.dmp

Filesize
848KB

Download
memory/2404-41-0x0000000013140000-0x0000000013214000-memory.dmp

Filesize
848KB

Download
memory/2404-43-0x0000000013140000-0x0000000013214000-memory.dmp

Filesize
848KB

Download
memory/2404-45-0x0000000013140000-0x0000000013214000-memory.dmp

Filesize
848KB

Download
memory/2404-48-0x0000000013140000-0x0000000013214000-memory.dmp

Filesize
848KB

Download
memory/2984-4-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2984-3-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/2984-35-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads