darkcomet | b5fecdf1c937b094b4506c140650425ff042a35d00f2aa0f75f4e9e3ad89cefe

General

Target

82c68ab1fdf9ca1340f3a5842be8933f_JaffaCakes118.exe
Size

920KB
MD5

82c68ab1fdf9ca1340f3a5842be8933f
SHA1

c21ec79120d9834d63b2cbca880edf9bbe477da9
SHA256

b5fecdf1c937b094b4506c140650425ff042a35d00f2aa0f75f4e9e3ad89cefe
SHA512

4206426cfc654c0e12a9c81dffa0ef1e3b697ad44848b6906d7a255176eaa98626a2239101b05cef4a9db4860c4dd914a7a92ca15a8bbfd6210d676223e25b7d
SSDEEP

12288:dNOHNrVZrovG42qZoHgofyWzALJ45I8jWtJ8KL27rd69bk5NCgGhSFB7/QYcA6Rk:derVbblG4ktjKd6F6CNFpA6HnH2nG

Score

10^/10

darkcomet guest16 discovery rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

127.0.0.1:1604

Mutex

DC_MUTEX-F54S21D

Attributes

gencode
SuZUDq82nDk3
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

Processes:

82c68ab1fdf9ca1340f3a5842be8933f_JaffaCakes118.exe

pid	process
3468	82c68ab1fdf9ca1340f3a5842be8933f_JaffaCakes118.exe
3468	82c68ab1fdf9ca1340f3a5842be8933f_JaffaCakes118.exe
3468	82c68ab1fdf9ca1340f3a5842be8933f_JaffaCakes118.exe
3468	82c68ab1fdf9ca1340f3a5842be8933f_JaffaCakes118.exe
3468	82c68ab1fdf9ca1340f3a5842be8933f_JaffaCakes118.exe
3468	82c68ab1fdf9ca1340f3a5842be8933f_JaffaCakes118.exe
3468	82c68ab1fdf9ca1340f3a5842be8933f_JaffaCakes118.exe
3468	82c68ab1fdf9ca1340f3a5842be8933f_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

82c68ab1fdf9ca1340f3a5842be8933f_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82c68ab1fdf9ca1340f3a5842be8933f_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	82c68ab1fdf9ca1340f3a5842be8933f_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

82c68ab1fdf9ca1340f3a5842be8933f_JaffaCakes118.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3468	82c68ab1fdf9ca1340f3a5842be8933f_JaffaCakes118.exe
Token: SeSecurityPrivilege	3468	82c68ab1fdf9ca1340f3a5842be8933f_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	3468	82c68ab1fdf9ca1340f3a5842be8933f_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	3468	82c68ab1fdf9ca1340f3a5842be8933f_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	3468	82c68ab1fdf9ca1340f3a5842be8933f_JaffaCakes118.exe
Token: SeSystemtimePrivilege	3468	82c68ab1fdf9ca1340f3a5842be8933f_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	3468	82c68ab1fdf9ca1340f3a5842be8933f_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3468	82c68ab1fdf9ca1340f3a5842be8933f_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	3468	82c68ab1fdf9ca1340f3a5842be8933f_JaffaCakes118.exe
Token: SeBackupPrivilege	3468	82c68ab1fdf9ca1340f3a5842be8933f_JaffaCakes118.exe
Token: SeRestorePrivilege	3468	82c68ab1fdf9ca1340f3a5842be8933f_JaffaCakes118.exe
Token: SeShutdownPrivilege	3468	82c68ab1fdf9ca1340f3a5842be8933f_JaffaCakes118.exe
Token: SeDebugPrivilege	3468	82c68ab1fdf9ca1340f3a5842be8933f_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	3468	82c68ab1fdf9ca1340f3a5842be8933f_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	3468	82c68ab1fdf9ca1340f3a5842be8933f_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	3468	82c68ab1fdf9ca1340f3a5842be8933f_JaffaCakes118.exe
Token: SeUndockPrivilege	3468	82c68ab1fdf9ca1340f3a5842be8933f_JaffaCakes118.exe
Token: SeManageVolumePrivilege	3468	82c68ab1fdf9ca1340f3a5842be8933f_JaffaCakes118.exe
Token: SeImpersonatePrivilege	3468	82c68ab1fdf9ca1340f3a5842be8933f_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	3468	82c68ab1fdf9ca1340f3a5842be8933f_JaffaCakes118.exe
Token: 33	3468	82c68ab1fdf9ca1340f3a5842be8933f_JaffaCakes118.exe
Token: 34	3468	82c68ab1fdf9ca1340f3a5842be8933f_JaffaCakes118.exe
Token: 35	3468	82c68ab1fdf9ca1340f3a5842be8933f_JaffaCakes118.exe
Token: 36	3468	82c68ab1fdf9ca1340f3a5842be8933f_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

82c68ab1fdf9ca1340f3a5842be8933f_JaffaCakes118.exe

pid process

3468 82c68ab1fdf9ca1340f3a5842be8933f_JaffaCakes118.exe
3468 82c68ab1fdf9ca1340f3a5842be8933f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\82c68ab1fdf9ca1340f3a5842be8933f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\82c68ab1fdf9ca1340f3a5842be8933f_JaffaCakes118.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3468-0-0x0000000000400000-0x0000000000813000-memory.dmp

Filesize
4.1MB

Download
memory/3468-1-0x0000000000400000-0x0000000000813000-memory.dmp

Filesize
4.1MB

Download
memory/3468-2-0x0000000000773000-0x0000000000813000-memory.dmp

Filesize
640KB

Download
memory/3468-3-0x0000000000400000-0x0000000000813000-memory.dmp

Filesize
4.1MB

Download
memory/3468-4-0x0000000000400000-0x0000000000813000-memory.dmp

Filesize
4.1MB

Download
memory/3468-5-0x0000000000400000-0x0000000000813000-memory.dmp

Filesize
4.1MB

Download
memory/3468-6-0x0000000000400000-0x0000000000813000-memory.dmp

Filesize
4.1MB

Download
memory/3468-7-0x0000000000400000-0x0000000000813000-memory.dmp

Filesize
4.1MB

Download
memory/3468-8-0x0000000000400000-0x0000000000813000-memory.dmp

Filesize
4.1MB

Download
memory/3468-9-0x0000000000400000-0x0000000000813000-memory.dmp

Filesize
4.1MB

Download
memory/3468-10-0x0000000000400000-0x0000000000813000-memory.dmp

Filesize
4.1MB

Download
memory/3468-11-0x0000000000400000-0x0000000000813000-memory.dmp

Filesize
4.1MB

Download
memory/3468-12-0x0000000000400000-0x0000000000813000-memory.dmp

Filesize
4.1MB

Download
memory/3468-13-0x0000000000400000-0x0000000000813000-memory.dmp

Filesize
4.1MB

Download
memory/3468-14-0x0000000000400000-0x0000000000813000-memory.dmp

Filesize
4.1MB

Download
memory/3468-15-0x0000000000400000-0x0000000000813000-memory.dmp

Filesize
4.1MB

Download
memory/3468-16-0x0000000000400000-0x0000000000813000-memory.dmp

Filesize
4.1MB

Download
memory/3468-17-0x0000000000400000-0x0000000000813000-memory.dmp

Filesize
4.1MB

Download
memory/3468-18-0x0000000000400000-0x0000000000813000-memory.dmp

Filesize
4.1MB

Download
memory/3468-19-0x0000000000400000-0x0000000000813000-memory.dmp

Filesize
4.1MB

Download

Analysis

Sharing