darkcomet | 0c1296c11ed22130856eb97d47c8339936e92012fa7a9922b51ea14ecb9d8f64

General

Target

5aea56156ab7da5161f1d14261e77bd5_JaffaCakes118.exe
Size

1.1MB
MD5

5aea56156ab7da5161f1d14261e77bd5
SHA1

709050c574a9426c3058e216ff04538fe7b0488e
SHA256

0c1296c11ed22130856eb97d47c8339936e92012fa7a9922b51ea14ecb9d8f64
SHA512

ca642d6c9883e13dddd7565170480ae1dbe2f5fbcf11a41fe0b3ad299db955ac27707427bfdf3c76fbb4527010f83dc7339b24bb2f64d64cb389dc383445ae4b
SSDEEP

24576:UV63UYgSZUX6dsgw83xUJjGXT3pcXRKY59Z1nRZI:VUWPjMZK

Score

10^/10

darkcomet guest16 discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

guyfawkesfc.no-ip.org:1604

Mutex

DC_MUTEX-MQD9M76

Attributes

gencode
TWryUTMgn8jV
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5aea56156ab7da5161f1d14261e77bd5_JaffaCakes118.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	5aea56156ab7da5161f1d14261e77bd5_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

Processes:

Floodjvc.exetest.exe

pid	Process
1084	Floodjvc.exe
4396	test.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

test.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe"	test.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

test.exe

description	pid	Process	procid_target
PID 4396 set thread context of 2672	4396	test.exe	99

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Floodjvc.exetest.exevbc.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Floodjvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

vbc.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2672	vbc.exe
Token: SeSecurityPrivilege	2672	vbc.exe
Token: SeTakeOwnershipPrivilege	2672	vbc.exe
Token: SeLoadDriverPrivilege	2672	vbc.exe
Token: SeSystemProfilePrivilege	2672	vbc.exe
Token: SeSystemtimePrivilege	2672	vbc.exe
Token: SeProfSingleProcessPrivilege	2672	vbc.exe
Token: SeIncBasePriorityPrivilege	2672	vbc.exe
Token: SeCreatePagefilePrivilege	2672	vbc.exe
Token: SeBackupPrivilege	2672	vbc.exe
Token: SeRestorePrivilege	2672	vbc.exe
Token: SeShutdownPrivilege	2672	vbc.exe
Token: SeDebugPrivilege	2672	vbc.exe
Token: SeSystemEnvironmentPrivilege	2672	vbc.exe
Token: SeChangeNotifyPrivilege	2672	vbc.exe
Token: SeRemoteShutdownPrivilege	2672	vbc.exe
Token: SeUndockPrivilege	2672	vbc.exe
Token: SeManageVolumePrivilege	2672	vbc.exe
Token: SeImpersonatePrivilege	2672	vbc.exe
Token: SeCreateGlobalPrivilege	2672	vbc.exe
Token: 33	2672	vbc.exe
Token: 34	2672	vbc.exe
Token: 35	2672	vbc.exe
Token: 36	2672	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vbc.exe

pid	Process
2672	vbc.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

5aea56156ab7da5161f1d14261e77bd5_JaffaCakes118.exetest.exe

description	pid	Process	procid_target
PID 3120 wrote to memory of 1084	3120	5aea56156ab7da5161f1d14261e77bd5_JaffaCakes118.exe	86
PID 3120 wrote to memory of 1084	3120	5aea56156ab7da5161f1d14261e77bd5_JaffaCakes118.exe	86
PID 3120 wrote to memory of 1084	3120	5aea56156ab7da5161f1d14261e77bd5_JaffaCakes118.exe	86
PID 3120 wrote to memory of 4396	3120	5aea56156ab7da5161f1d14261e77bd5_JaffaCakes118.exe	87
PID 3120 wrote to memory of 4396	3120	5aea56156ab7da5161f1d14261e77bd5_JaffaCakes118.exe	87
PID 3120 wrote to memory of 4396	3120	5aea56156ab7da5161f1d14261e77bd5_JaffaCakes118.exe	87
PID 4396 wrote to memory of 2672	4396	test.exe	99
PID 4396 wrote to memory of 2672	4396	test.exe	99
PID 4396 wrote to memory of 2672	4396	test.exe	99
PID 4396 wrote to memory of 2672	4396	test.exe	99
PID 4396 wrote to memory of 2672	4396	test.exe	99
PID 4396 wrote to memory of 2672	4396	test.exe	99
PID 4396 wrote to memory of 2672	4396	test.exe	99
PID 4396 wrote to memory of 2672	4396	test.exe	99
PID 4396 wrote to memory of 2672	4396	test.exe	99
PID 4396 wrote to memory of 2672	4396	test.exe	99
PID 4396 wrote to memory of 2672	4396	test.exe	99
PID 4396 wrote to memory of 2672	4396	test.exe	99
PID 4396 wrote to memory of 2672	4396	test.exe	99
PID 4396 wrote to memory of 2672	4396	test.exe	99

C:\Users\Admin\AppData\Local\Temp\5aea56156ab7da5161f1d14261e77bd5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5aea56156ab7da5161f1d14261e77bd5_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3120
- C:\Users\Admin\AppData\Local\Temp\Floodjvc.exe
  "C:\Users\Admin\AppData\Local\Temp\Floodjvc.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1084
- C:\Users\Admin\AppData\Local\Temp\test.exe
  "C:\Users\Admin\AppData\Local\Temp\test.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4396
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Floodjvc.exe

Filesize
46KB

MD5
b31884828f329fd0fc1f6e9336f97491

SHA1
5d1ec9182ca83a9200d335d1e20511598cebc5eb

SHA256
4290921396db0980b244a5420be4e11eddf5e127c8de6c051a6224c98272b99c

SHA512
e3f5bd12bd4dbd6ecdfad69a6965186ec40b8440b1d00cfb95e7c77860a48542c6cc1a08e10b69584a9d19313cb7a2a3b0fea8710c060e36827f7503ee667428

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
758KB

MD5
28205def139e7630b9ede4ecff7d5480

SHA1
cc82f953e7a221438ddadc8a61f4dd27aeaea824

SHA256
61bf4f5c234956c6fd66a0fdc3e08277efc88b4520be4cb2f6b6dea72d6c692d

SHA512
9f0c9733840f4898dafd2db04ca357a62ad2b11df72a4c3a6743afcb37cfed2cf492d7c7949e6d638f1b3edeffc7e56374c3112e3422cffd7f74fcd1dedee1be

Download Submit
memory/1084-31-0x00000000009D0000-0x00000000009E2000-memory.dmp

Filesize
72KB

Download
memory/1084-40-0x00000000055E0000-0x00000000055F0000-memory.dmp

Filesize
64KB

Download
memory/1084-36-0x0000000005580000-0x000000000558A000-memory.dmp

Filesize
40KB

Download
memory/1084-35-0x00000000055E0000-0x00000000055F0000-memory.dmp

Filesize
64KB

Download
memory/1084-34-0x00000000053C0000-0x0000000005452000-memory.dmp

Filesize
584KB

Download
memory/1084-33-0x0000000005A40000-0x0000000005FE4000-memory.dmp

Filesize
5.6MB

Download
memory/1084-27-0x000000007463E000-0x000000007463F000-memory.dmp

Filesize
4KB

Download
memory/2672-60-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2672-49-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2672-54-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2672-55-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2672-61-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2672-53-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2672-52-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2672-59-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2672-58-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2672-57-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2672-51-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2672-41-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2672-45-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2672-56-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2672-48-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2672-47-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2672-50-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3120-32-0x00007FF94BC60000-0x00007FF94C601000-memory.dmp

Filesize
9.6MB

Download
memory/3120-1-0x000000001B390000-0x000000001B436000-memory.dmp

Filesize
664KB

Download
memory/3120-2-0x00007FF94BC60000-0x00007FF94C601000-memory.dmp

Filesize
9.6MB

Download
memory/3120-4-0x00007FF94BC60000-0x00007FF94C601000-memory.dmp

Filesize
9.6MB

Download
memory/3120-0-0x00007FF94BF15000-0x00007FF94BF16000-memory.dmp

Filesize
4KB

Download
memory/4396-30-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/4396-46-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/4396-38-0x0000000074DE2000-0x0000000074DE3000-memory.dmp

Filesize
4KB

Download
memory/4396-39-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/4396-37-0x0000000000ED0000-0x0000000000EE0000-memory.dmp

Filesize
64KB

Download
memory/4396-28-0x0000000000ED0000-0x0000000000EE0000-memory.dmp

Filesize
64KB

Download
memory/4396-29-0x0000000074DE2000-0x0000000074DE3000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads