darkcomet | 0dde97f2e1ddb3f648401610b75c2d232913eede48efd1cdb5ca064b41479f81

General

Target

bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe
Size

1.2MB
MD5

bcbb23159e37d1ad9ace10a71d911666
SHA1

1eb96604ba38f71c0703025bc61fc9536870f229
SHA256

0dde97f2e1ddb3f648401610b75c2d232913eede48efd1cdb5ca064b41479f81
SHA512

b0f53bae599d15b37db1a3f8c47ed89064cde3550ee530c383b79d09f944224ff014accea8da97482f2e6e8285e0ac66fb709b6b49651476a2377106e3790ca5
SSDEEP

12288:5sMwXUna2kGYrKg6+hBIlngZWQbz8DvrtgTmzF7FLuc3j2rn4gVGBgi3/XV9vMIx:mxK0BBSvrWmhZ04gV4fXNCc7zUI4DG

Score

10^/10

darkcomet discovery rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4068	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe

Loads dropped DLL 4 IoCs

pid	Process
344	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe
344	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe
344	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe
344	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 344 set thread context of 4068	344	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe	82

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4068	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe
Token: SeSecurityPrivilege	4068	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	4068	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	4068	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	4068	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe
Token: SeSystemtimePrivilege	4068	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	4068	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4068	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	4068	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe
Token: SeBackupPrivilege	4068	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe
Token: SeRestorePrivilege	4068	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe
Token: SeShutdownPrivilege	4068	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe
Token: SeDebugPrivilege	4068	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	4068	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	4068	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	4068	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe
Token: SeUndockPrivilege	4068	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe
Token: SeManageVolumePrivilege	4068	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe
Token: SeImpersonatePrivilege	4068	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	4068	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe
Token: 33	4068	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe
Token: 34	4068	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe
Token: 35	4068	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe
Token: 36	4068	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 344 wrote to memory of 4068	344	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe	82
PID 344 wrote to memory of 4068	344	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe	82
PID 344 wrote to memory of 4068	344	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe	82
PID 344 wrote to memory of 4068	344	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe	82
PID 344 wrote to memory of 4068	344	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe	82
PID 344 wrote to memory of 4068	344	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe	82
PID 344 wrote to memory of 4068	344	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe	82
PID 344 wrote to memory of 4068	344	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe	82
PID 344 wrote to memory of 4068	344	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe	82
PID 344 wrote to memory of 4068	344	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe	82
PID 344 wrote to memory of 4068	344	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe	82
PID 344 wrote to memory of 4068	344	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe	82
PID 344 wrote to memory of 4068	344	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe	82
PID 344 wrote to memory of 4068	344	bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:344
- C:\Users\Admin\AppData\Roaming\bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe
  C:\Users\Admin\AppData\Roaming\bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:4068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\setup.dll

Filesize
13KB

MD5
2caa9a96e2b3d1a1f4293f8e9141b05b

SHA1
39aeb06f87c6d2a6d8b073651b613aa9513c74a5

SHA256
5db938dca7d1aef88eec9f84f410ce05a95f8bf6a3ec53d28b8d1546cbac2055

SHA512
ac84b2b939467de7e0e757c04da85c2accb5f4afa899fcf9f845c305cbc550e0bd00030b8120a8093c8b69f13aeb96bbbe6e58189243155f54dd50943fdb6cc9

Download Submit
C:\Users\Admin\AppData\Roaming\bcbb23159e37d1ad9ace10a71d911666_JaffaCakes118.exe

Filesize
16KB

MD5
0b7c5314773fd4e348a018fde865f905

SHA1
365fad7cc27f0052f2de0f144127743903ed94e0

SHA256
af324be7e569f9420a66e4b8b33c29e7876f08432aa523f3ab10fb0cca0aab88

SHA512
a9b4f03439464d5cb12f5a3563d953184dc0e400bad1f03e4a0c5c1ff8f976d7672bccff03000f2e4d6320fdb0ff617a026f4c868c4346ac23557b9883a3e7f4

Download Submit
memory/344-0-0x00000000754B2000-0x00000000754B3000-memory.dmp

Filesize
4KB

Download
memory/344-1-0x00000000754B0000-0x0000000075A61000-memory.dmp

Filesize
5.7MB

Download
memory/344-2-0x00000000754B0000-0x0000000075A61000-memory.dmp

Filesize
5.7MB

Download
memory/344-28-0x00000000754B0000-0x0000000075A61000-memory.dmp

Filesize
5.7MB

Download
memory/344-27-0x00000000754B2000-0x00000000754B3000-memory.dmp

Filesize
4KB

Download
memory/4068-20-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4068-32-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4068-23-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/4068-24-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4068-26-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4068-25-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4068-19-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4068-16-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4068-29-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4068-30-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4068-31-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4068-22-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4068-33-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4068-34-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4068-35-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4068-36-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4068-37-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4068-38-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4068-39-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4068-40-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4068-41-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4068-42-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads