darkcomet | c9ba7c36815298c744bb3297ed7d219ecfc2d6170f5fcdd892cc82e9b5417445

General

Target

794ce9961d461517686b4994f951d2fb_JaffaCakes118.exe
Size

264KB
MD5

794ce9961d461517686b4994f951d2fb
SHA1

2982705985cdac1ae6ae377fb94e44da24a29b22
SHA256

c9ba7c36815298c744bb3297ed7d219ecfc2d6170f5fcdd892cc82e9b5417445
SHA512

9f9d8114dde733cf5e96828ccec7d65d51128304481207ab5559ab63edbbaa72575eac5bfa3dc12bc1455705ce9672bb2bd54b4b892d51624974a4f7ba42bc76
SSDEEP

6144:ie4CFfifD2gVKVTQQ249HZ52KTh9XKOCgLJacj5/AZtRsf:zXgr8VMQDT52WXKq9fj5/AZjk

Score

10^/10

darkcomet discovery evasion rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

794ce9961d461517686b4994f951d2fb_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	794ce9961d461517686b4994f951d2fb_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

794ce9961d461517686b4994f951d2fb_JaffaCakes118.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	794ce9961d461517686b4994f951d2fb_JaffaCakes118.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

794ce9961d461517686b4994f951d2fb_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	794ce9961d461517686b4994f951d2fb_JaffaCakes118.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1084-0-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/1084-2-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/1084-6-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/1084-8-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/1084-10-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/1084-12-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/1084-14-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/1084-16-0x0000000000400000-0x00000000004C5000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

794ce9961d461517686b4994f951d2fb_JaffaCakes118.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	794ce9961d461517686b4994f951d2fb_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

794ce9961d461517686b4994f951d2fb_JaffaCakes118.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	794ce9961d461517686b4994f951d2fb_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	794ce9961d461517686b4994f951d2fb_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	794ce9961d461517686b4994f951d2fb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	794ce9961d461517686b4994f951d2fb_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

794ce9961d461517686b4994f951d2fb_JaffaCakes118.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	794ce9961d461517686b4994f951d2fb_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

794ce9961d461517686b4994f951d2fb_JaffaCakes118.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1084	794ce9961d461517686b4994f951d2fb_JaffaCakes118.exe
Token: SeSecurityPrivilege	1084	794ce9961d461517686b4994f951d2fb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	1084	794ce9961d461517686b4994f951d2fb_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	1084	794ce9961d461517686b4994f951d2fb_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	1084	794ce9961d461517686b4994f951d2fb_JaffaCakes118.exe
Token: SeSystemtimePrivilege	1084	794ce9961d461517686b4994f951d2fb_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	1084	794ce9961d461517686b4994f951d2fb_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1084	794ce9961d461517686b4994f951d2fb_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	1084	794ce9961d461517686b4994f951d2fb_JaffaCakes118.exe
Token: SeBackupPrivilege	1084	794ce9961d461517686b4994f951d2fb_JaffaCakes118.exe
Token: SeRestorePrivilege	1084	794ce9961d461517686b4994f951d2fb_JaffaCakes118.exe
Token: SeShutdownPrivilege	1084	794ce9961d461517686b4994f951d2fb_JaffaCakes118.exe
Token: SeDebugPrivilege	1084	794ce9961d461517686b4994f951d2fb_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	1084	794ce9961d461517686b4994f951d2fb_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	1084	794ce9961d461517686b4994f951d2fb_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	1084	794ce9961d461517686b4994f951d2fb_JaffaCakes118.exe
Token: SeUndockPrivilege	1084	794ce9961d461517686b4994f951d2fb_JaffaCakes118.exe
Token: SeManageVolumePrivilege	1084	794ce9961d461517686b4994f951d2fb_JaffaCakes118.exe
Token: SeImpersonatePrivilege	1084	794ce9961d461517686b4994f951d2fb_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	1084	794ce9961d461517686b4994f951d2fb_JaffaCakes118.exe
Token: 33	1084	794ce9961d461517686b4994f951d2fb_JaffaCakes118.exe
Token: 34	1084	794ce9961d461517686b4994f951d2fb_JaffaCakes118.exe
Token: 35	1084	794ce9961d461517686b4994f951d2fb_JaffaCakes118.exe
Token: 36	1084	794ce9961d461517686b4994f951d2fb_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

794ce9961d461517686b4994f951d2fb_JaffaCakes118.exe

pid	Process
1084	794ce9961d461517686b4994f951d2fb_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

794ce9961d461517686b4994f951d2fb_JaffaCakes118.exe

description	pid	Process	procid_target
PID 1084 wrote to memory of 1932	1084	794ce9961d461517686b4994f951d2fb_JaffaCakes118.exe	86
PID 1084 wrote to memory of 1932	1084	794ce9961d461517686b4994f951d2fb_JaffaCakes118.exe	86
PID 1084 wrote to memory of 1932	1084	794ce9961d461517686b4994f951d2fb_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\794ce9961d461517686b4994f951d2fb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\794ce9961d461517686b4994f951d2fb_JaffaCakes118.exe"
1⤵
- Windows security bypass
- Checks BIOS information in registry
- Windows security modification
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\SysWOW64\explorer.exe"
  2⤵
  PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1084-0-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1084-1-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/1084-2-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1084-4-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/1084-6-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1084-8-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1084-10-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1084-12-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1084-14-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1084-16-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads