darkcomet | 042b817574858b81ea5b48845ac43d5b6b2ea22505510578fcd3da19d89eb6f8

General

Target

c80c76f303ecda2a75c7719539987692_JaffaCakes118.exe
Size

821KB
MD5

c80c76f303ecda2a75c7719539987692
SHA1

172f56e99ae2428dc12f72ed085f3fdc8d361368
SHA256

042b817574858b81ea5b48845ac43d5b6b2ea22505510578fcd3da19d89eb6f8
SHA512

8e1ad1f010a3df7cfd47c6d19072fb550cbaf5a8ca9bbef6c5e060650e97507c0cee710a660f45a1e036f54151d2d4f9b34400a373f9a0dda0bc62577d55596e
SSDEEP

12288:q+/NvNnSbiTldkLjiLAd5FqQ5kIVeHKOTYIfm2jzeWeJnc:q+/NlnWiTldNUdfqyr2K8tCjN

Score

10^/10

darkcomet yes defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

YES

C2

zchau.no-ip.biz:1604

Mutex

DC_MUTEX-VY9JREP

Attributes

gencode
6hJTqKYeY6qG
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\CTGKjX = "C:\\Users\\Admin\\AppData\\Roaming\\crss\\DwPMjF.exe"	c80c76f303ecda2a75c7719539987692_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1928 set thread context of 1864	1928	c80c76f303ecda2a75c7719539987692_JaffaCakes118.exe	31

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\crss\DwPMjF.exe:ZONE.identifier	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c80c76f303ecda2a75c7719539987692_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c80c76f303ecda2a75c7719539987692_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\crss\DwPMjF.exe:ZONE.identifier	cmd.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1864	c80c76f303ecda2a75c7719539987692_JaffaCakes118.exe
Token: SeSecurityPrivilege	1864	c80c76f303ecda2a75c7719539987692_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	1864	c80c76f303ecda2a75c7719539987692_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	1864	c80c76f303ecda2a75c7719539987692_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	1864	c80c76f303ecda2a75c7719539987692_JaffaCakes118.exe
Token: SeSystemtimePrivilege	1864	c80c76f303ecda2a75c7719539987692_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	1864	c80c76f303ecda2a75c7719539987692_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1864	c80c76f303ecda2a75c7719539987692_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	1864	c80c76f303ecda2a75c7719539987692_JaffaCakes118.exe
Token: SeBackupPrivilege	1864	c80c76f303ecda2a75c7719539987692_JaffaCakes118.exe
Token: SeRestorePrivilege	1864	c80c76f303ecda2a75c7719539987692_JaffaCakes118.exe
Token: SeShutdownPrivilege	1864	c80c76f303ecda2a75c7719539987692_JaffaCakes118.exe
Token: SeDebugPrivilege	1864	c80c76f303ecda2a75c7719539987692_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	1864	c80c76f303ecda2a75c7719539987692_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	1864	c80c76f303ecda2a75c7719539987692_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	1864	c80c76f303ecda2a75c7719539987692_JaffaCakes118.exe
Token: SeUndockPrivilege	1864	c80c76f303ecda2a75c7719539987692_JaffaCakes118.exe
Token: SeManageVolumePrivilege	1864	c80c76f303ecda2a75c7719539987692_JaffaCakes118.exe
Token: SeImpersonatePrivilege	1864	c80c76f303ecda2a75c7719539987692_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	1864	c80c76f303ecda2a75c7719539987692_JaffaCakes118.exe
Token: 33	1864	c80c76f303ecda2a75c7719539987692_JaffaCakes118.exe
Token: 34	1864	c80c76f303ecda2a75c7719539987692_JaffaCakes118.exe
Token: 35	1864	c80c76f303ecda2a75c7719539987692_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1864	c80c76f303ecda2a75c7719539987692_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 1864	1928	c80c76f303ecda2a75c7719539987692_JaffaCakes118.exe	31
PID 1928 wrote to memory of 1864	1928	c80c76f303ecda2a75c7719539987692_JaffaCakes118.exe	31
PID 1928 wrote to memory of 1864	1928	c80c76f303ecda2a75c7719539987692_JaffaCakes118.exe	31
PID 1928 wrote to memory of 1864	1928	c80c76f303ecda2a75c7719539987692_JaffaCakes118.exe	31
PID 1928 wrote to memory of 1864	1928	c80c76f303ecda2a75c7719539987692_JaffaCakes118.exe	31
PID 1928 wrote to memory of 1864	1928	c80c76f303ecda2a75c7719539987692_JaffaCakes118.exe	31
PID 1928 wrote to memory of 1864	1928	c80c76f303ecda2a75c7719539987692_JaffaCakes118.exe	31
PID 1928 wrote to memory of 1864	1928	c80c76f303ecda2a75c7719539987692_JaffaCakes118.exe	31
PID 1928 wrote to memory of 1864	1928	c80c76f303ecda2a75c7719539987692_JaffaCakes118.exe	31
PID 1928 wrote to memory of 1864	1928	c80c76f303ecda2a75c7719539987692_JaffaCakes118.exe	31
PID 1928 wrote to memory of 1864	1928	c80c76f303ecda2a75c7719539987692_JaffaCakes118.exe	31
PID 1928 wrote to memory of 1864	1928	c80c76f303ecda2a75c7719539987692_JaffaCakes118.exe	31
PID 1928 wrote to memory of 1864	1928	c80c76f303ecda2a75c7719539987692_JaffaCakes118.exe	31
PID 1928 wrote to memory of 3040	1928	c80c76f303ecda2a75c7719539987692_JaffaCakes118.exe	32
PID 1928 wrote to memory of 3040	1928	c80c76f303ecda2a75c7719539987692_JaffaCakes118.exe	32
PID 1928 wrote to memory of 3040	1928	c80c76f303ecda2a75c7719539987692_JaffaCakes118.exe	32
PID 1928 wrote to memory of 3040	1928	c80c76f303ecda2a75c7719539987692_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\c80c76f303ecda2a75c7719539987692_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c80c76f303ecda2a75c7719539987692_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\AppData\Local\Temp\c80c76f303ecda2a75c7719539987692_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\c80c76f303ecda2a75c7719539987692_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1864
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

SIP and Trust Provider Hijacking

1

T1553.003

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\crss\DwPMjF.exe:ZONE.identifier

Filesize
27B

MD5
130a75a932a2fe57bfea6a65b88da8f6

SHA1
b66d7530d150d45c0a390bb3c2cd4ca4fc404d1c

SHA256
f2b79cae559d6772afc1c2ed9468988178f8b6833d5028a15dea73ce47d0196e

SHA512
6cd147c6f3af95803b7b0898e97ec2ed374c1f56a487b50e3d22003a67cec26a6fa12a3920b1b5624bde156f9601469ae3c7b7354fa8cf37be76c84121767eed

Download Submit
memory/1864-13-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1864-30-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1864-14-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1864-8-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1864-3-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1864-11-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1864-12-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1864-19-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1864-18-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1864-9-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1864-5-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1864-29-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1864-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1864-17-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1864-20-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1864-21-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1864-25-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1864-22-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/1864-24-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1928-1-0x0000000074B70000-0x000000007511B000-memory.dmp

Filesize
5.7MB

Download
memory/1928-28-0x0000000074B70000-0x000000007511B000-memory.dmp

Filesize
5.7MB

Download
memory/1928-2-0x0000000074B70000-0x000000007511B000-memory.dmp

Filesize
5.7MB

Download
memory/1928-0-0x0000000074B71000-0x0000000074B72000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads