darkcomet | dbabc36e5e839d5ed494b445ca299a6e9e54efe0e03f64e2afa285cc64f34b51

General

Target

57b7df8a95bcb662ee8265c3bf15ef2f_JaffaCakes118.exe
Size

404KB
MD5

57b7df8a95bcb662ee8265c3bf15ef2f
SHA1

2dda9d1e85c819d3858fb05b894d96aa3900004d
SHA256

dbabc36e5e839d5ed494b445ca299a6e9e54efe0e03f64e2afa285cc64f34b51
SHA512

5c70f525db0b5c46de87dea77456368c4737416fc91f3b5d37890fd7b4a60aea5dd5b902a62f6e696c39d0a8ee2dfe35715cd5706886eb2077b896f1e56531a6
SSDEEP

12288:clghoSqkNJ/Jj0vhgskOzkvCtZvAhvSrY6q6M:yg2kNb0vf9Dt2P9J

Score

10^/10

darkcomet server discovery persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Server

C2

holahoop14.no-ip.biz:222

Mutex

DC_MUTEX-8RMKN4F

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
kggQNoLXaaqt
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Stage1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	Stage1.exe

Executes dropped EXE 3 IoCs

Processes:

Stage2.exeStage1.exemsdcsc.exe

pid process

2608 Stage2.exe
2628 Stage1.exe
2788 msdcsc.exe

pid	process
2608	Stage2.exe
2628	Stage1.exe
2788	msdcsc.exe

Loads dropped DLL 6 IoCs

Processes:

57b7df8a95bcb662ee8265c3bf15ef2f_JaffaCakes118.exeStage1.exe

pid	process
1392	57b7df8a95bcb662ee8265c3bf15ef2f_JaffaCakes118.exe
1392	57b7df8a95bcb662ee8265c3bf15ef2f_JaffaCakes118.exe
1392	57b7df8a95bcb662ee8265c3bf15ef2f_JaffaCakes118.exe
1392	57b7df8a95bcb662ee8265c3bf15ef2f_JaffaCakes118.exe
2628	Stage1.exe
2628	Stage1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Stage1.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	Stage1.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1392-0-0x0000000000400000-0x0000000000424000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\Stage2.exe	upx
behavioral1/memory/1392-5-0x0000000002A60000-0x0000000002AA3000-memory.dmp	upx
behavioral1/memory/2608-15-0x0000000000400000-0x0000000000443000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\Stage1.exe	upx
behavioral1/memory/1392-19-0x0000000002A60000-0x0000000002B1A000-memory.dmp	upx
behavioral1/memory/2628-22-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2788-39-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1392-40-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/1392-37-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2628-36-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2788-41-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2788-42-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2788-43-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2788-44-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2788-45-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2788-46-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2788-47-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2788-48-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2788-49-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2788-50-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2788-51-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2788-52-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2788-53-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2788-54-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2788-55-0x0000000000400000-0x00000000004BA000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

57b7df8a95bcb662ee8265c3bf15ef2f_JaffaCakes118.exeStage2.exeStage1.exemsdcsc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	57b7df8a95bcb662ee8265c3bf15ef2f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Stage2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Stage1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

Stage1.exemsdcsc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2628	Stage1.exe
Token: SeSecurityPrivilege	2628	Stage1.exe
Token: SeTakeOwnershipPrivilege	2628	Stage1.exe
Token: SeLoadDriverPrivilege	2628	Stage1.exe
Token: SeSystemProfilePrivilege	2628	Stage1.exe
Token: SeSystemtimePrivilege	2628	Stage1.exe
Token: SeProfSingleProcessPrivilege	2628	Stage1.exe
Token: SeIncBasePriorityPrivilege	2628	Stage1.exe
Token: SeCreatePagefilePrivilege	2628	Stage1.exe
Token: SeBackupPrivilege	2628	Stage1.exe
Token: SeRestorePrivilege	2628	Stage1.exe
Token: SeShutdownPrivilege	2628	Stage1.exe
Token: SeDebugPrivilege	2628	Stage1.exe
Token: SeSystemEnvironmentPrivilege	2628	Stage1.exe
Token: SeChangeNotifyPrivilege	2628	Stage1.exe
Token: SeRemoteShutdownPrivilege	2628	Stage1.exe
Token: SeUndockPrivilege	2628	Stage1.exe
Token: SeManageVolumePrivilege	2628	Stage1.exe
Token: SeImpersonatePrivilege	2628	Stage1.exe
Token: SeCreateGlobalPrivilege	2628	Stage1.exe
Token: 33	2628	Stage1.exe
Token: 34	2628	Stage1.exe
Token: 35	2628	Stage1.exe
Token: SeIncreaseQuotaPrivilege	2788	msdcsc.exe
Token: SeSecurityPrivilege	2788	msdcsc.exe
Token: SeTakeOwnershipPrivilege	2788	msdcsc.exe
Token: SeLoadDriverPrivilege	2788	msdcsc.exe
Token: SeSystemProfilePrivilege	2788	msdcsc.exe
Token: SeSystemtimePrivilege	2788	msdcsc.exe
Token: SeProfSingleProcessPrivilege	2788	msdcsc.exe
Token: SeIncBasePriorityPrivilege	2788	msdcsc.exe
Token: SeCreatePagefilePrivilege	2788	msdcsc.exe
Token: SeBackupPrivilege	2788	msdcsc.exe
Token: SeRestorePrivilege	2788	msdcsc.exe
Token: SeShutdownPrivilege	2788	msdcsc.exe
Token: SeDebugPrivilege	2788	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	2788	msdcsc.exe
Token: SeChangeNotifyPrivilege	2788	msdcsc.exe
Token: SeRemoteShutdownPrivilege	2788	msdcsc.exe
Token: SeUndockPrivilege	2788	msdcsc.exe
Token: SeManageVolumePrivilege	2788	msdcsc.exe
Token: SeImpersonatePrivilege	2788	msdcsc.exe
Token: SeCreateGlobalPrivilege	2788	msdcsc.exe
Token: 33	2788	msdcsc.exe
Token: 34	2788	msdcsc.exe
Token: 35	2788	msdcsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

msdcsc.exe

pid process

2788 msdcsc.exe

pid	process
2788	msdcsc.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

57b7df8a95bcb662ee8265c3bf15ef2f_JaffaCakes118.exeStage1.exe

description	pid	process	target process
PID 1392 wrote to memory of 2608	1392	57b7df8a95bcb662ee8265c3bf15ef2f_JaffaCakes118.exe	Stage2.exe
PID 1392 wrote to memory of 2608	1392	57b7df8a95bcb662ee8265c3bf15ef2f_JaffaCakes118.exe	Stage2.exe
PID 1392 wrote to memory of 2608	1392	57b7df8a95bcb662ee8265c3bf15ef2f_JaffaCakes118.exe	Stage2.exe
PID 1392 wrote to memory of 2608	1392	57b7df8a95bcb662ee8265c3bf15ef2f_JaffaCakes118.exe	Stage2.exe
PID 1392 wrote to memory of 2628	1392	57b7df8a95bcb662ee8265c3bf15ef2f_JaffaCakes118.exe	Stage1.exe
PID 1392 wrote to memory of 2628	1392	57b7df8a95bcb662ee8265c3bf15ef2f_JaffaCakes118.exe	Stage1.exe
PID 1392 wrote to memory of 2628	1392	57b7df8a95bcb662ee8265c3bf15ef2f_JaffaCakes118.exe	Stage1.exe
PID 1392 wrote to memory of 2628	1392	57b7df8a95bcb662ee8265c3bf15ef2f_JaffaCakes118.exe	Stage1.exe
PID 2628 wrote to memory of 2788	2628	Stage1.exe	msdcsc.exe
PID 2628 wrote to memory of 2788	2628	Stage1.exe	msdcsc.exe
PID 2628 wrote to memory of 2788	2628	Stage1.exe	msdcsc.exe
PID 2628 wrote to memory of 2788	2628	Stage1.exe	msdcsc.exe

C:\Users\Admin\AppData\Local\Temp\57b7df8a95bcb662ee8265c3bf15ef2f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\57b7df8a95bcb662ee8265c3bf15ef2f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1392
- C:\Users\Admin\AppData\Local\Temp\Stage2.exe
  "C:\Users\Admin\AppData\Local\Temp\Stage2.exe" x -y -oC:\Users\Admin\AppData\Local\Temp -pxnq8rPMxVI87ciGwWJHxRTy3iauHcIirteOOELv3B5vkS9kJoHBUAahY1dWxj8yA
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2608
- C:\Users\Admin\AppData\Local\Temp\Stage1.exe
  "C:\Users\Admin\AppData\Local\Temp\Stage1.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Stage1.exe

Filesize
253KB

MD5
af392b292d8d7914df9fc6c91f15e109

SHA1
8a408dc39225ce1aebac7c835b914a42fc96a847

SHA256
5b43dfa6014ac5f481c888355475754b8cf0451335a701f4923e240b486767d2

SHA512
98ab13e60a7a5eabe4a5db2c2bfe5def6783ec248baa9c9af87a4b175e78ae4e65c4472cfd07544bb4441a4f54415e27ad050719e01a873cf1786a8a09e2463f

Download Submit
\Users\Admin\AppData\Local\Temp\Stage2.exe

Filesize
358KB

MD5
552323029bd0547efb7d469a8b28eb89

SHA1
3d00da046efc3a6933794561c3f8200c0e8783e2

SHA256
113e57c1aa2142b730ef263792459d0ea0a15b936c672ad7b6f381859d0c1042

SHA512
0f0cec1136a313a0092973ee39244f17024c3451a95849a07f6a2a5c5983bd80a6f23d6c3510143b459df21545d2b79c6f7873adb0f21abfbf9d68fea922e442

Download Submit
memory/1392-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1392-5-0x0000000002A60000-0x0000000002AA3000-memory.dmp

Filesize
268KB

Download
memory/1392-37-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1392-19-0x0000000002A60000-0x0000000002B1A000-memory.dmp

Filesize
744KB

Download
memory/1392-40-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1392-20-0x0000000002A60000-0x0000000002B1A000-memory.dmp

Filesize
744KB

Download
memory/2608-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2628-23-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2628-22-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2628-33-0x00000000035F0000-0x00000000036AA000-memory.dmp

Filesize
744KB

Download
memory/2628-36-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2788-41-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2788-47-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2788-42-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2788-43-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2788-44-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2788-45-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2788-46-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2788-39-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2788-48-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2788-49-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2788-50-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2788-51-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2788-52-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2788-53-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2788-54-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2788-55-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads