darkcomet | e4e7ffcd0118c714714562021a506d4ebcbd9f309241f2a3b11c5d3e8fa67da3

General

Target

70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe
Size

346KB
MD5

70f22c9b30cec321b16a7985ade6c5a1
SHA1

74b17653e66569422cfdea9b3794458a271b1016
SHA256

e4e7ffcd0118c714714562021a506d4ebcbd9f309241f2a3b11c5d3e8fa67da3
SHA512

8b3a1bcf830bf45c924afc6b26d09150ab0c59b2c721d9a944662abe64f70cd69e513e0b70278665bd290af282e1c52ee5b7ef9aa8293f37519dae649307f8ed
SSDEEP

6144:wlT+yzHJUFWy3teOWniBWYp3VbW9Cu6Cr4VoA5y6GBefeGeLHILNeTH:wrpU8uVWB8lKEuVr4VofefX+8N0

Score

10^/10

darkcomet discovery persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\mstfservice\\mstf.exe"	70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\mstfservice = "C:\\Users\\Admin\\AppData\\Roaming\\mstfservice\\mstf.exe"	70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe

description	pid	Process	procid_target
PID 2376 set thread context of 2628	2376	70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe	29

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2628-10-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2628-6-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2628-11-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2628-12-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2628-4-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2628-13-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2628-15-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2628-16-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2628-14-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2628-17-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2628-38-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2628-40-0x0000000000400000-0x00000000004C9000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
2904	2628	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.execmd.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2628	70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe
Token: SeSecurityPrivilege	2628	70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2628	70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2628	70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2628	70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2628	70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2628	70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2628	70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2628	70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe
Token: SeBackupPrivilege	2628	70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe
Token: SeRestorePrivilege	2628	70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe
Token: SeShutdownPrivilege	2628	70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe
Token: SeDebugPrivilege	2628	70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2628	70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2628	70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2628	70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe
Token: SeUndockPrivilege	2628	70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2628	70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2628	70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2628	70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe
Token: 33	2628	70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe
Token: 34	2628	70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe
Token: 35	2628	70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe

description	pid	Process	procid_target
PID 2376 wrote to memory of 2628	2376	70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe	29
PID 2376 wrote to memory of 2628	2376	70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe	29
PID 2376 wrote to memory of 2628	2376	70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe	29
PID 2376 wrote to memory of 2628	2376	70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe	29
PID 2376 wrote to memory of 2628	2376	70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe	29
PID 2376 wrote to memory of 2628	2376	70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe	29
PID 2376 wrote to memory of 2628	2376	70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe	29
PID 2376 wrote to memory of 2628	2376	70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe	29
PID 2628 wrote to memory of 2932	2628	70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe	30
PID 2628 wrote to memory of 2932	2628	70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe	30
PID 2628 wrote to memory of 2932	2628	70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe	30
PID 2628 wrote to memory of 2932	2628	70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe	30
PID 2628 wrote to memory of 3028	2628	70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe	32
PID 2628 wrote to memory of 3028	2628	70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe	32
PID 2628 wrote to memory of 3028	2628	70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe	32
PID 2628 wrote to memory of 3028	2628	70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe	32
PID 2628 wrote to memory of 2904	2628	70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe	34
PID 2628 wrote to memory of 2904	2628	70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe	34
PID 2628 wrote to memory of 2904	2628	70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe	34
PID 2628 wrote to memory of 2904	2628	70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe	34

C:\Users\Admin\AppData\Local\Temp\70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Users\Admin\AppData\Local\Temp\70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\70f22c9b30cec321b16a7985ade6c5a1_JaffaCakes118.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2932
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3028
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 636
    3⤵
    - Program crash
    PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat

Filesize
101B

MD5
53fa73936d9496f6f809e3f0b94db056

SHA1
49872492f49dda0d2a5af667e4ff410b70e72f83

SHA256
7bbccef3e1f7d868918ce4a89372762eeac0bad1069ecb51475c015029cad0de

SHA512
1c833ee08480b1780f6830c3dda6fcc991f27427d3f6972f532d80517e5930104e75306c3f7b955c000d1506c45eb289590994815038201d986e5a27f06a0bed

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat

Filesize
50B

MD5
b774ae3fb1da087e1f83b4f7b2060e5a

SHA1
97eb9be49ac3af9c851c9e1e84e32bfd53e325a8

SHA256
adaf4a84b41e410b02e261cfd0fe7739d98647eab73c3badd32ac6e39f26351b

SHA512
f75d0f95f7306d26a12b414bfe37b97fbd37546cb3c6e403def7077329ddffb4b45d5c5f0ba0e7bb6d72851d2d691b0a85267beead42f7cbf2e8c3d45a3b4701

Download Submit
memory/2376-1-0x00000000066C0000-0x00000000066C9000-memory.dmp

Filesize
36KB

Download
memory/2376-0-0x00000000066C0000-0x00000000066C9000-memory.dmp

Filesize
36KB

Download
memory/2628-4-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2628-16-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2628-11-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2628-12-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2628-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2628-13-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2628-15-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2628-6-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2628-14-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2628-17-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2628-10-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2628-2-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2628-38-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2628-40-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads