darkcomet | eb49514b8692a9659a1c49ccde9b21677abb8e01590d86271f66d36bc06bccdf

General

Target

b24234d0209cdfad1e5cba875eb55354_JaffaCakes118.exe
Size

2.3MB
MD5

b24234d0209cdfad1e5cba875eb55354
SHA1

899c4e1c8d44a581e7aa033aa43b2ab7bb29f296
SHA256

eb49514b8692a9659a1c49ccde9b21677abb8e01590d86271f66d36bc06bccdf
SHA512

e84494172d62d95519c653c5bb8d1b37ee97e3da78910db6ae8f304c54a436aedd07618918d27b6cf2603b244cb388045838a2cde8e5f5e20517dbeb966e47ff
SSDEEP

24576:QtnoXTKpkjcty9FrjuZPfrlnii7liPAkSvWhgAUlP:SoXwAjoPjlJ1uhgA

Score

10^/10

darkcomet discovery rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	b24234d0209cdfad1e5cba875eb55354_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2100 set thread context of 2284	2100	b24234d0209cdfad1e5cba875eb55354_JaffaCakes118.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b24234d0209cdfad1e5cba875eb55354_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2752	ipconfig.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2204	2100	b24234d0209cdfad1e5cba875eb55354_JaffaCakes118.exe	30
PID 2100 wrote to memory of 2204	2100	b24234d0209cdfad1e5cba875eb55354_JaffaCakes118.exe	30
PID 2100 wrote to memory of 2204	2100	b24234d0209cdfad1e5cba875eb55354_JaffaCakes118.exe	30
PID 2100 wrote to memory of 2204	2100	b24234d0209cdfad1e5cba875eb55354_JaffaCakes118.exe	30
PID 2100 wrote to memory of 2284	2100	b24234d0209cdfad1e5cba875eb55354_JaffaCakes118.exe	31
PID 2100 wrote to memory of 2284	2100	b24234d0209cdfad1e5cba875eb55354_JaffaCakes118.exe	31
PID 2100 wrote to memory of 2284	2100	b24234d0209cdfad1e5cba875eb55354_JaffaCakes118.exe	31
PID 2100 wrote to memory of 2284	2100	b24234d0209cdfad1e5cba875eb55354_JaffaCakes118.exe	31
PID 2100 wrote to memory of 2284	2100	b24234d0209cdfad1e5cba875eb55354_JaffaCakes118.exe	31
PID 2100 wrote to memory of 2284	2100	b24234d0209cdfad1e5cba875eb55354_JaffaCakes118.exe	31
PID 2100 wrote to memory of 2284	2100	b24234d0209cdfad1e5cba875eb55354_JaffaCakes118.exe	31
PID 2100 wrote to memory of 2284	2100	b24234d0209cdfad1e5cba875eb55354_JaffaCakes118.exe	31
PID 2100 wrote to memory of 2284	2100	b24234d0209cdfad1e5cba875eb55354_JaffaCakes118.exe	31
PID 2100 wrote to memory of 2284	2100	b24234d0209cdfad1e5cba875eb55354_JaffaCakes118.exe	31
PID 2100 wrote to memory of 2284	2100	b24234d0209cdfad1e5cba875eb55354_JaffaCakes118.exe	31
PID 2100 wrote to memory of 2284	2100	b24234d0209cdfad1e5cba875eb55354_JaffaCakes118.exe	31
PID 2100 wrote to memory of 2840	2100	b24234d0209cdfad1e5cba875eb55354_JaffaCakes118.exe	32
PID 2100 wrote to memory of 2840	2100	b24234d0209cdfad1e5cba875eb55354_JaffaCakes118.exe	32
PID 2100 wrote to memory of 2840	2100	b24234d0209cdfad1e5cba875eb55354_JaffaCakes118.exe	32
PID 2100 wrote to memory of 2840	2100	b24234d0209cdfad1e5cba875eb55354_JaffaCakes118.exe	32
PID 2840 wrote to memory of 2752	2840	cmd.exe	34
PID 2840 wrote to memory of 2752	2840	cmd.exe	34
PID 2840 wrote to memory of 2752	2840	cmd.exe	34
PID 2840 wrote to memory of 2752	2840	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\b24234d0209cdfad1e5cba875eb55354_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b24234d0209cdfad1e5cba875eb55354_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:2204
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:2284
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\DNS.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /flushdnsipconfig/releaseipconfig/renew
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DNS.bat

Filesize
47B

MD5
4b403bd7ff6fe021fcf3ecdd2c029f87

SHA1
890642fc02dbfffd5d3aef0ec652fa636a48c3ee

SHA256
267c9197388ab6b34c7516e728a3529df2b7aab5029588ffb47540bbe651f654

SHA512
3bdef29cfeab451d45182420bd179f9450a0da5c842992260a420728e212635f90cc1f394687c8ac852ccd8caf529e9bdb4aff24e2d07f6705594931b3ef5e6d

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
1e3bac557fd2718212f2306ab9671b47

SHA1
49e39343e82d3ec38063ef327832f2a0fbacc8d1

SHA256
1fa11e0761fa0471e28ebe32015cb75aa9758bfc05b54827867f97408d498986

SHA512
483f898930ad7f7485a7586dc2198a3f3254e4076bc7556ec67a47fbd9bb9a88713f6690884eedb3cecb913457465ce623bf29a4cdb4fc59dc40ef5d1acc45bd

Download Submit
memory/2100-0-0x00000000744E1000-0x00000000744E2000-memory.dmp

Filesize
4KB

Download
memory/2100-1-0x00000000744E0000-0x0000000074A8B000-memory.dmp

Filesize
5.7MB

Download
memory/2100-2-0x00000000744E0000-0x0000000074A8B000-memory.dmp

Filesize
5.7MB

Download
memory/2100-47-0x00000000744E0000-0x0000000074A8B000-memory.dmp

Filesize
5.7MB

Download
memory/2284-13-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2284-19-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2284-11-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2284-9-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2284-7-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2284-4-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2284-17-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2284-15-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2284-5-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download

Analysis

Sharing