darkcomet | eb49514b8692a9659a1c49ccde9b21677abb8e01590d86271f66d36bc06bccdf

General

Target

b24234d0209cdfad1e5cba875eb55354_JaffaCakes118.exe
Size

2.3MB
MD5

b24234d0209cdfad1e5cba875eb55354
SHA1

899c4e1c8d44a581e7aa033aa43b2ab7bb29f296
SHA256

eb49514b8692a9659a1c49ccde9b21677abb8e01590d86271f66d36bc06bccdf
SHA512

e84494172d62d95519c653c5bb8d1b37ee97e3da78910db6ae8f304c54a436aedd07618918d27b6cf2603b244cb388045838a2cde8e5f5e20517dbeb966e47ff
SSDEEP

24576:QtnoXTKpkjcty9FrjuZPfrlnii7liPAkSvWhgAUlP:SoXwAjoPjlJ1uhgA

Score

10^/10

darkcomet discovery rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	b24234d0209cdfad1e5cba875eb55354_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	b24234d0209cdfad1e5cba875eb55354_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2596 set thread context of 1608	2596	b24234d0209cdfad1e5cba875eb55354_JaffaCakes118.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b24234d0209cdfad1e5cba875eb55354_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4944	ipconfig.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	explorer.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 1968	2596	b24234d0209cdfad1e5cba875eb55354_JaffaCakes118.exe	83
PID 2596 wrote to memory of 1968	2596	b24234d0209cdfad1e5cba875eb55354_JaffaCakes118.exe	83
PID 2596 wrote to memory of 1608	2596	b24234d0209cdfad1e5cba875eb55354_JaffaCakes118.exe	84
PID 2596 wrote to memory of 1608	2596	b24234d0209cdfad1e5cba875eb55354_JaffaCakes118.exe	84
PID 2596 wrote to memory of 1608	2596	b24234d0209cdfad1e5cba875eb55354_JaffaCakes118.exe	84
PID 2596 wrote to memory of 1608	2596	b24234d0209cdfad1e5cba875eb55354_JaffaCakes118.exe	84
PID 2596 wrote to memory of 1608	2596	b24234d0209cdfad1e5cba875eb55354_JaffaCakes118.exe	84
PID 2596 wrote to memory of 1608	2596	b24234d0209cdfad1e5cba875eb55354_JaffaCakes118.exe	84
PID 2596 wrote to memory of 1608	2596	b24234d0209cdfad1e5cba875eb55354_JaffaCakes118.exe	84
PID 2596 wrote to memory of 1608	2596	b24234d0209cdfad1e5cba875eb55354_JaffaCakes118.exe	84
PID 2596 wrote to memory of 1608	2596	b24234d0209cdfad1e5cba875eb55354_JaffaCakes118.exe	84
PID 2596 wrote to memory of 1608	2596	b24234d0209cdfad1e5cba875eb55354_JaffaCakes118.exe	84
PID 2596 wrote to memory of 1608	2596	b24234d0209cdfad1e5cba875eb55354_JaffaCakes118.exe	84
PID 2596 wrote to memory of 1608	2596	b24234d0209cdfad1e5cba875eb55354_JaffaCakes118.exe	84
PID 2596 wrote to memory of 1264	2596	b24234d0209cdfad1e5cba875eb55354_JaffaCakes118.exe	85
PID 2596 wrote to memory of 1264	2596	b24234d0209cdfad1e5cba875eb55354_JaffaCakes118.exe	85
PID 2596 wrote to memory of 1264	2596	b24234d0209cdfad1e5cba875eb55354_JaffaCakes118.exe	85
PID 1264 wrote to memory of 4944	1264	cmd.exe	87
PID 1264 wrote to memory of 4944	1264	cmd.exe	87
PID 1264 wrote to memory of 4944	1264	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\b24234d0209cdfad1e5cba875eb55354_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b24234d0209cdfad1e5cba875eb55354_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:1968
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  - Modifies registry class
  PID:1608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DNS.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1264
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /flushdnsipconfig/releaseipconfig/renew
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    PID:4944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DNS.bat

Filesize
47B

MD5
4b403bd7ff6fe021fcf3ecdd2c029f87

SHA1
890642fc02dbfffd5d3aef0ec652fa636a48c3ee

SHA256
267c9197388ab6b34c7516e728a3529df2b7aab5029588ffb47540bbe651f654

SHA512
3bdef29cfeab451d45182420bd179f9450a0da5c842992260a420728e212635f90cc1f394687c8ac852ccd8caf529e9bdb4aff24e2d07f6705594931b3ef5e6d

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
353eb148f1548b7cfe6535d466aec419

SHA1
eb6debca23bd9f5de0b48b50ce80cf508f94d05b

SHA256
935c3c03427de65a23891c75db33d3e6c64697a60327d416adf30b31a68c52eb

SHA512
eec53e6c93a5294ab41bc981b0f9c1cfe043701fe0bbfc944953dc5c41fa3265db3c4a867d8ce7075a4cf7e3ea3b23af7968c4cf0b82d920e929d2e94a37b267

Download Submit
memory/1608-3-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2596-0-0x0000000074DC2000-0x0000000074DC3000-memory.dmp

Filesize
4KB

Download
memory/2596-1-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/2596-2-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/2596-27-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads