darkcomet | 441e0e8d70c611cb217d66ed4371ecf431620338441547d173547f8a897260df

General

Target

e4effdae64132f9f253179edb746ad39_JaffaCakes118.exe
Size

759KB
MD5

e4effdae64132f9f253179edb746ad39
SHA1

830f1267ace003b18c3f92316d4051eab618cb65
SHA256

441e0e8d70c611cb217d66ed4371ecf431620338441547d173547f8a897260df
SHA512

522214a265a30fc8ee5632178829380f672433e481441fd617980d7ab36aa5b61f17058ed715399a182f9134e081b134d01872461e49c48664d114330adc09a4
SSDEEP

12288:L46hnWJ6jINMlXVe+LEE1oJDu0sHY1b98Wl8E4w5huat7UovONzbXwnjoEFEG:LPeMGwsJ60IY3dhHwNzbXq/j

Score

10^/10

darkcomet guest16 discovery rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

127.0.0.1:1604

192.168.0.100:1604

99.241.109.24:1604

joinme.no-ip.biz:1604

Mutex

DC_MUTEX-10AJJXB

Attributes

gencode
KFKw3CPq7lsj
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Executes dropped EXE 1 IoCs

pid	Process
2836	MINECRAP.EXE

Loads dropped DLL 2 IoCs

pid	Process
2900	e4effdae64132f9f253179edb746ad39_JaffaCakes118.exe
2900	e4effdae64132f9f253179edb746ad39_JaffaCakes118.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000016dd0-9.dat	upx
behavioral1/memory/2836-18-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral1/memory/2836-28-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral1/memory/2836-29-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral1/memory/2836-31-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral1/memory/2836-33-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral1/memory/2836-35-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral1/memory/2836-37-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral1/memory/2836-38-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral1/memory/2836-40-0x0000000000400000-0x00000000004CA000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MINECRAP.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e4effdae64132f9f253179edb746ad39_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2836	MINECRAP.EXE
Token: SeSecurityPrivilege	2836	MINECRAP.EXE
Token: SeTakeOwnershipPrivilege	2836	MINECRAP.EXE
Token: SeLoadDriverPrivilege	2836	MINECRAP.EXE
Token: SeSystemProfilePrivilege	2836	MINECRAP.EXE
Token: SeSystemtimePrivilege	2836	MINECRAP.EXE
Token: SeProfSingleProcessPrivilege	2836	MINECRAP.EXE
Token: SeIncBasePriorityPrivilege	2836	MINECRAP.EXE
Token: SeCreatePagefilePrivilege	2836	MINECRAP.EXE
Token: SeBackupPrivilege	2836	MINECRAP.EXE
Token: SeRestorePrivilege	2836	MINECRAP.EXE
Token: SeShutdownPrivilege	2836	MINECRAP.EXE
Token: SeDebugPrivilege	2836	MINECRAP.EXE
Token: SeSystemEnvironmentPrivilege	2836	MINECRAP.EXE
Token: SeChangeNotifyPrivilege	2836	MINECRAP.EXE
Token: SeRemoteShutdownPrivilege	2836	MINECRAP.EXE
Token: SeUndockPrivilege	2836	MINECRAP.EXE
Token: SeManageVolumePrivilege	2836	MINECRAP.EXE
Token: SeImpersonatePrivilege	2836	MINECRAP.EXE
Token: SeCreateGlobalPrivilege	2836	MINECRAP.EXE
Token: 33	2836	MINECRAP.EXE
Token: 34	2836	MINECRAP.EXE
Token: 35	2836	MINECRAP.EXE

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1884	DllHost.exe
1884	DllHost.exe
1884	DllHost.exe
1884	DllHost.exe
1884	DllHost.exe
1884	DllHost.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
1884	DllHost.exe
1884	DllHost.exe
1884	DllHost.exe
1884	DllHost.exe
1884	DllHost.exe
1884	DllHost.exe
1884	DllHost.exe
1884	DllHost.exe
1884	DllHost.exe
1884	DllHost.exe
1884	DllHost.exe
1884	DllHost.exe
2836	MINECRAP.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 2836	2900	e4effdae64132f9f253179edb746ad39_JaffaCakes118.exe	31
PID 2900 wrote to memory of 2836	2900	e4effdae64132f9f253179edb746ad39_JaffaCakes118.exe	31
PID 2900 wrote to memory of 2836	2900	e4effdae64132f9f253179edb746ad39_JaffaCakes118.exe	31
PID 2900 wrote to memory of 2836	2900	e4effdae64132f9f253179edb746ad39_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\e4effdae64132f9f253179edb746ad39_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e4effdae64132f9f253179edb746ad39_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Users\Admin\AppData\Local\Temp\MINECRAP.EXE
  "C:\Users\Admin\AppData\Local\Temp\MINECRAP.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2836

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\!@#$ SOPA!.JPG

Filesize
83KB

MD5
2fbbc01cbc0f55a5f7ec34399879cc15

SHA1
d8b9a65e0693fef7b71851ba41eccbf352a7f1aa

SHA256
d35031b773fecb8b8de6944b0b406ed1535c40b106ab514f09a8cbce2c8fb4c7

SHA512
4b6958e9f358f11dc00026100a48a7ae125224318190b12ff0e297347accde43f8bbf43b164b5226c427e4c87371bdcd888a8f5be6c0dfa25975c7eafb425404

Download Submit
C:\Users\Admin\AppData\Local\Temp\ANONYMOUS.JPG

Filesize
4KB

MD5
1f1cfa2938c44ea6b4204a28f2c16131

SHA1
8abec0646ff0651829255af2ca25b6ad70e2f74f

SHA256
44166810c9404cc45bcc1381d59e55c5f1e4bc7296bb2eee2e371ed411171e84

SHA512
5afacca479415fa60a660942692947779b42997cf23c5d5102aef1fcf6b75a2b74d7c75b5730d4ddead2e1a00b50341710e1ec352b1d44418f09d7770f825830

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAPTAIN-JACK-SPARROW-WALLPAPER.JPG

Filesize
192KB

MD5
6ae4206985f1f210de40258865aec4f2

SHA1
dc6bdfad994cdf497e1ab153414b2ab17cf96618

SHA256
83cd10eea0be63b70b7f4c67796b0d690c72d31d5802ec1efffb39b64e4724a8

SHA512
b8053869b30f89c0984a3b251239b9f7611ec6e04ce0699a02531b5c8914e018b4bc39be287a88c03843a047ab323f7759734fed4ffdf7ca7c3ec0aa7aca0eb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MARVELOUS MOTION.JPG

Filesize
17KB

MD5
a9c7e1815b117e3801a36e5f63fb12a0

SHA1
7deb1fa49277e297becca96387d8df43563f164f

SHA256
c8d0bc09dcb115ceb06519ac2a9306f8e965183479958e1dcfbf0482642b59dd

SHA512
1ce051936a47810fb385181f648510e9978e530a3f1a6af3cfae6388ea78003652a764f28c90086f9222baa4e35178e5511701490bd1809db1d36a6ebc4f93a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUGAR PANCAKES.JPG

Filesize
14KB

MD5
1622e86fc2565989304a39fd8548949d

SHA1
8f57590eb1e6e67b5352b86b7f4589f587007264

SHA256
5e5317408375efda25b96d6cdc5fc297b17cef27bd539948a8815e02e0df3dad

SHA512
05338255f4ddc0c4a43ec353977a4db4fb6a31dd9b309d267efc6887f6e48b088f65ff7c88cd857ec22b511b033a870f86ffa7cef356d57661ca49acf9230b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\WORLD WIDE SPIDER.JPG

Filesize
9KB

MD5
a64893bdec84b6b3123bb8c6a20b8a4e

SHA1
df7cf87d6634ae34b10cd9058de97f014029a576

SHA256
99fa49c46a7e1318d2cb90a5b5bf7e42e7175154e444b8551057d20c59e67112

SHA512
e1dce14b147baca75efdda18399671235d36daa7771c2aee9b2e7f21462e05720814672d19ce6ad723f8312b5287352b1ba32bd191ee8206c3c8487d0575f20c

Download Submit
\Users\Admin\AppData\Local\Temp\MINECRAP.EXE

Filesize
284KB

MD5
3290a206453c72234c23673b06f71894

SHA1
3a95854dd5871d4accba73e6fb15c33473956264

SHA256
519604f1b5e17d8eb15468620e89d0765a13ff3062634340ecfde233df6c0de8

SHA512
1a6a056bb6f15c4c57c938509512bcb72c6b427de6124cd2f60c3c79f681f3c3053e095429338a5a33b781b888f463beb7a2ee4efad177595e34a6809e67d5c4

Download Submit
memory/1884-2-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/1884-4-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1884-27-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2836-29-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2836-18-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2836-28-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2836-31-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2836-33-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2836-35-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2836-37-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2836-38-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2836-40-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2900-12-0x0000000002210000-0x00000000022DA000-memory.dmp

Filesize
808KB

Download
memory/2900-16-0x0000000002210000-0x00000000022DA000-memory.dmp

Filesize
808KB

Download
memory/2900-1-0x00000000003E0000-0x00000000003E2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing