Analysis

max time kernel: 149s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 27-11-2024 00:00
Behavioral task: behavioral1
Sample: a4d2cd5d1efc7fab78e480cf28dd16bb_JaffaCakes118.exe
Resource: win7-20240903-en
General

Target: a4d2cd5d1efc7fab78e480cf28dd16bb_JaffaCakes118.exe
Size: 2.2MB
MD5: a4d2cd5d1efc7fab78e480cf28dd16bb
SHA1: 4ee1508b6d0e31d73e8509c2b4b60a25a025bdbc
SHA256: e2da2cf00a3d33fd8d416d6883a162079fe5fe21a2785d48e992d497425703bd
SHA512: bebad14834cf0fe73b9003406963920fa03935318aec39b228bca1ad2e67cc1b658eb80cd6b54a9ca3b672f7f62ea6ceb5b6d1e56a7118c267be5e684ff855e9
SSDEEP: 49152:lK1A6CWs7ypd+jBzEtxmk1C08QtLwhdSOp:lK1xNs7yKBimKUQtL4S8
Malware Config

Signatures
Darkcomet family

Executes dropped EXE (1 IoC)
  pid   Process
  2664  CRYPTER ANGEL BY DR ZINOU 2012.EXE

Loads dropped DLL (2 IoCs)
  pid   Process
  2756  a4d2cd5d1efc7fab78e480cf28dd16bb_JaffaCakes118.exe
  2756  a4d2cd5d1efc7fab78e480cf28dd16bb_JaffaCakes118.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  a4d2cd5d1efc7fab78e480cf28dd16bb_JaffaCakes118.exe
Modifies registry class (20 IoCs)
  Process for all 20 entries: CRYPTER ANGEL BY DR ZINOU 2012.EXE
  description        ioc
  Key created        \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
  Set value (data)   \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
  Set value (data)   \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000
  Set value (int)    \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"
  Key created        \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg
  Set value (str)    \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"
  Set value (data)   \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
  Set value (data)   \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000
  Key created        \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
  Set value (data)   \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff
  Key created        \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags
  Key created        \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
  Set value (data)   \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
  Set value (data)   \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
  Set value (int)    \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"
  Key created        \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings
  Key created        \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell
  Set value (data)   \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
  Key created        \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
  Set value (str)    \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  2664  CRYPTER ANGEL BY DR ZINOU 2012.EXE

Suspicious use of AdjustPrivilegeToken (23 IoCs)
  pid and Process for all 23 entries: 2756  a4d2cd5d1efc7fab78e480cf28dd16bb_JaffaCakes118.exe
  description (Token)
  SeIncreaseQuotaPrivilege
  SeSecurityPrivilege
  SeTakeOwnershipPrivilege
  SeLoadDriverPrivilege
  SeSystemProfilePrivilege
  SeSystemtimePrivilege
  SeProfSingleProcessPrivilege
  SeIncBasePriorityPrivilege
  SeCreatePagefilePrivilege
  SeBackupPrivilege
  SeRestorePrivilege
  SeShutdownPrivilege
  SeDebugPrivilege
  SeSystemEnvironmentPrivilege
  SeChangeNotifyPrivilege
  SeRemoteShutdownPrivilege
  SeUndockPrivilege
  SeManageVolumePrivilege
  SeImpersonatePrivilege
  SeCreateGlobalPrivilege
  33
  34
  35

Suspicious use of SetWindowsHookEx (16 IoCs)
  pid   Process                                              events
  2756  a4d2cd5d1efc7fab78e480cf28dd16bb_JaffaCakes118.exe  1
  2664  CRYPTER ANGEL BY DR ZINOU 2012.EXE                   15

Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process                                              procid_target  events
  PID 2756 wrote to memory of 2664  2756  a4d2cd5d1efc7fab78e480cf28dd16bb_JaffaCakes118.exe  30             4
  PID 2756 wrote to memory of 2556  2756  a4d2cd5d1efc7fab78e480cf28dd16bb_JaffaCakes118.exe  31             4
  PID 2756 wrote to memory of 2920  2756  a4d2cd5d1efc7fab78e480cf28dd16bb_JaffaCakes118.exe  32             4
Processes

C:\Users\Admin\AppData\Local\Temp\a4d2cd5d1efc7fab78e480cf28dd16bb_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a4d2cd5d1efc7fab78e480cf28dd16bb_JaffaCakes118.exe"
  PID: 2756
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\CRYPTER ANGEL BY DR ZINOU 2012.EXE
    Command line: "C:\Users\Admin\AppData\Local\Temp\CRYPTER ANGEL BY DR ZINOU 2012.EXE"
    PID: 2664
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx

  C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    PID: 2556

  C:\Windows\explorer.exe
    Command line: "C:\Windows\explorer.exe"
    PID: 2920
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.6MB
MD5: c4cf1de9eaca71ff1dd26cb660248aff
SHA1: c08cbe78c649f68a3a2b7354ba97ef77d46909ad
SHA256: 76d34459b09b6d8a695fb2fb87eb518fc2186d3400c924efb88d403f12800c3c
SHA512: 48d7385b27c6cc75e74177097545f7e42e350cc24c62a050798199826e52e2f1b5631a14d19e33a9bed5946bfdd143c9d17d0109874369c5163457d1ddffd0be