darkcomet | 1f5c8423e03b1745115448f8a618891e9fbe4c8693a8cf01f593c1a6b959394c

General

Target

b42ea2a14fff5db36f28f71e66d5239e_JaffaCakes118.exe
Size

1.7MB
MD5

b42ea2a14fff5db36f28f71e66d5239e
SHA1

400104689f114534c6826c10d8308b9e787553e5
SHA256

1f5c8423e03b1745115448f8a618891e9fbe4c8693a8cf01f593c1a6b959394c
SHA512

4644b6714dd7f4f5ca101e38d879b00c58ef8716a3a2598ef2cea2f9753af880d8c8d2acab1d1f434f1abc5730f290eff49e236ed829b54e2f6ff207875a7f77
SSDEEP

12288:NyggX4kXcIa4wtIXRigvriBFFdbIG2oIvvQgwTULraI5sdFTjq7BE726AOvX/lnW:qIwQC9urx+Kzri

Score

10^/10

darkcomet discovery rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	376.exe

Executes dropped EXE 1 IoCs

pid	Process
3836	376.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	376.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	376.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	376.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	376.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	376.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	376.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3836	376.exe
Token: SeSecurityPrivilege	3836	376.exe
Token: SeTakeOwnershipPrivilege	3836	376.exe
Token: SeLoadDriverPrivilege	3836	376.exe
Token: SeSystemProfilePrivilege	3836	376.exe
Token: SeSystemtimePrivilege	3836	376.exe
Token: SeProfSingleProcessPrivilege	3836	376.exe
Token: SeIncBasePriorityPrivilege	3836	376.exe
Token: SeCreatePagefilePrivilege	3836	376.exe
Token: SeBackupPrivilege	3836	376.exe
Token: SeRestorePrivilege	3836	376.exe
Token: SeShutdownPrivilege	3836	376.exe
Token: SeDebugPrivilege	3836	376.exe
Token: SeSystemEnvironmentPrivilege	3836	376.exe
Token: SeChangeNotifyPrivilege	3836	376.exe
Token: SeRemoteShutdownPrivilege	3836	376.exe
Token: SeUndockPrivilege	3836	376.exe
Token: SeManageVolumePrivilege	3836	376.exe
Token: SeImpersonatePrivilege	3836	376.exe
Token: SeCreateGlobalPrivilege	3836	376.exe
Token: 33	3836	376.exe
Token: 34	3836	376.exe
Token: 35	3836	376.exe
Token: 36	3836	376.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4828 wrote to memory of 3836	4828	b42ea2a14fff5db36f28f71e66d5239e_JaffaCakes118.exe	84
PID 4828 wrote to memory of 3836	4828	b42ea2a14fff5db36f28f71e66d5239e_JaffaCakes118.exe	84
PID 4828 wrote to memory of 3836	4828	b42ea2a14fff5db36f28f71e66d5239e_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\b42ea2a14fff5db36f28f71e66d5239e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b42ea2a14fff5db36f28f71e66d5239e_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Users\Admin\AppData\Local\Temp\376.exe
  C:\Users\Admin\AppData\Local\Temp\376.exe
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:3836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\376.exe

Filesize
634KB

MD5
3653c96f8994ea7e715669e3ee23be96

SHA1
1a267b2f7924610cda06a7b5d495cf8698acb1a8

SHA256
4d79562304670b82a13b18dbd42179420acdf86933ba43944ce6ad6429c6d3fe

SHA512
302ee9027108c1a67a529ecdfdd0133704fa5a8260ece8102e7434b4e7fbe910ff23878ce00113e2bc045003a9cd58feb2e7a3a4fc9356cdaa1c3129ae4e493d

Download Submit
memory/3836-14-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3836-18-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3836-13-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3836-23-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3836-8-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/3836-21-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3836-11-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3836-15-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3836-24-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3836-22-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3836-12-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3836-16-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3836-17-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3836-20-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3836-19-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4828-2-0x00007FFA96EE0000-0x00007FFA97881000-memory.dmp

Filesize
9.6MB

Download
memory/4828-10-0x00007FFA96EE0000-0x00007FFA97881000-memory.dmp

Filesize
9.6MB

Download
memory/4828-0-0x00007FFA97195000-0x00007FFA97196000-memory.dmp

Filesize
4KB

Download
memory/4828-7-0x00007FFA96EE0000-0x00007FFA97881000-memory.dmp

Filesize
9.6MB

Download
memory/4828-1-0x000000001B740000-0x000000001B7E6000-memory.dmp

Filesize
664KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads