darkcomet | 56d44f1bc684d5b24308fdcf2cc9e25adbe7a96f170900e978f2120a6f10f826

General

Target

JaffaCakes118_55b2a24013188c8edd410d3feef91291.exe
Size

929KB
MD5

55b2a24013188c8edd410d3feef91291
SHA1

4b61c2e4ceb1bec720865285343d6dbdf31191fe
SHA256

56d44f1bc684d5b24308fdcf2cc9e25adbe7a96f170900e978f2120a6f10f826
SHA512

fec50faedf68bbe02a33c4bc8a4abef50b0fbb8d9ecd0c15f2695e48234b2cbaa382782c322d5778c7840c20a7f927439ef5c1fedbe29924f436fec8c647800b
SSDEEP

24576:k15XqaF/hrSj2yydT2SLsUmVzMA5o8KnZ1PMQ3B:kfjjArK6xzMo/KnrPMQR

Score

10^/10

darkcomet mini absolute discovery rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Mini Absolute

C2

kallysky.no-ip.biz:100

Mutex

DCMIN_MUTEX-Y9S6G37

Attributes

gencode
0KU1aR0S8e4r
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	mnirh.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mnirh.vbs	JaffaCakes118_55b2a24013188c8edd410d3feef91291.exe

Executes dropped EXE 4 IoCs

pid	Process
4952	mnirh.exe
5056	mnirh.exe
4132	FB_BC89.tmp.exe
764	FB_BDD3.tmp.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4952 set thread context of 5056	4952	mnirh.exe	83

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4144-0-0x0000000000400000-0x00000000005A1000-memory.dmp	upx
behavioral2/memory/4144-2-0x0000000000400000-0x00000000005A1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca5-8.dat	upx
behavioral2/memory/4144-11-0x0000000000400000-0x00000000005A1000-memory.dmp	upx
behavioral2/memory/4952-12-0x0000000000400000-0x00000000005A1000-memory.dmp	upx
behavioral2/memory/4952-13-0x0000000000400000-0x00000000005A1000-memory.dmp	upx
behavioral2/memory/4952-14-0x0000000000400000-0x00000000005A1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca8-25.dat	upx
behavioral2/memory/4132-35-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4132-42-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4132-43-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4132-44-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4132-45-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4132-46-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4132-47-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4132-48-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4132-49-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4132-50-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4132-51-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4132-52-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4132-53-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4132-54-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4132-55-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4132-56-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_55b2a24013188c8edd410d3feef91291.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mnirh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mnirh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FB_BC89.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FB_BDD3.tmp.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4132	FB_BC89.tmp.exe
Token: SeSecurityPrivilege	4132	FB_BC89.tmp.exe
Token: SeTakeOwnershipPrivilege	4132	FB_BC89.tmp.exe
Token: SeLoadDriverPrivilege	4132	FB_BC89.tmp.exe
Token: SeSystemProfilePrivilege	4132	FB_BC89.tmp.exe
Token: SeSystemtimePrivilege	4132	FB_BC89.tmp.exe
Token: SeProfSingleProcessPrivilege	4132	FB_BC89.tmp.exe
Token: SeIncBasePriorityPrivilege	4132	FB_BC89.tmp.exe
Token: SeCreatePagefilePrivilege	4132	FB_BC89.tmp.exe
Token: SeBackupPrivilege	4132	FB_BC89.tmp.exe
Token: SeRestorePrivilege	4132	FB_BC89.tmp.exe
Token: SeShutdownPrivilege	4132	FB_BC89.tmp.exe
Token: SeDebugPrivilege	4132	FB_BC89.tmp.exe
Token: SeSystemEnvironmentPrivilege	4132	FB_BC89.tmp.exe
Token: SeChangeNotifyPrivilege	4132	FB_BC89.tmp.exe
Token: SeRemoteShutdownPrivilege	4132	FB_BC89.tmp.exe
Token: SeUndockPrivilege	4132	FB_BC89.tmp.exe
Token: SeManageVolumePrivilege	4132	FB_BC89.tmp.exe
Token: SeImpersonatePrivilege	4132	FB_BC89.tmp.exe
Token: SeCreateGlobalPrivilege	4132	FB_BC89.tmp.exe
Token: 33	4132	FB_BC89.tmp.exe
Token: 34	4132	FB_BC89.tmp.exe
Token: 35	4132	FB_BC89.tmp.exe
Token: 36	4132	FB_BC89.tmp.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4132	FB_BC89.tmp.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4144 wrote to memory of 4952	4144	JaffaCakes118_55b2a24013188c8edd410d3feef91291.exe	82
PID 4144 wrote to memory of 4952	4144	JaffaCakes118_55b2a24013188c8edd410d3feef91291.exe	82
PID 4144 wrote to memory of 4952	4144	JaffaCakes118_55b2a24013188c8edd410d3feef91291.exe	82
PID 4952 wrote to memory of 5056	4952	mnirh.exe	83
PID 4952 wrote to memory of 5056	4952	mnirh.exe	83
PID 4952 wrote to memory of 5056	4952	mnirh.exe	83
PID 4952 wrote to memory of 5056	4952	mnirh.exe	83
PID 4952 wrote to memory of 5056	4952	mnirh.exe	83
PID 4952 wrote to memory of 5056	4952	mnirh.exe	83
PID 4952 wrote to memory of 5056	4952	mnirh.exe	83
PID 4952 wrote to memory of 5056	4952	mnirh.exe	83
PID 4952 wrote to memory of 5056	4952	mnirh.exe	83
PID 5056 wrote to memory of 4132	5056	mnirh.exe	84
PID 5056 wrote to memory of 4132	5056	mnirh.exe	84
PID 5056 wrote to memory of 4132	5056	mnirh.exe	84
PID 5056 wrote to memory of 764	5056	mnirh.exe	85
PID 5056 wrote to memory of 764	5056	mnirh.exe	85
PID 5056 wrote to memory of 764	5056	mnirh.exe	85

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55b2a24013188c8edd410d3feef91291.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55b2a24013188c8edd410d3feef91291.exe"
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4144
- C:\Users\Admin\AppData\Roaming\mnirh\mnirh.exe
  "C:\Users\Admin\AppData\Roaming\mnirh\mnirh.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4952
- - C:\Users\Admin\AppData\Roaming\mnirh\mnirh.exe
    "C:\Users\Admin\AppData\Roaming\mnirh\mnirh.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5056
  - - C:\Users\Admin\AppData\Local\Temp\FB_BC89.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\FB_BC89.tmp.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4132
  - - C:\Users\Admin\AppData\Local\Temp\FB_BDD3.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\FB_BDD3.tmp.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FB_BC89.tmp.exe

Filesize
232KB

MD5
9893e6b5c05fe1235064e40c1ee45a3a

SHA1
fcdac4f8f899d34dbeae55dc23cbff4e332c87d8

SHA256
ed29717345c12eec41322173b1b0fe198ae3eb94eacd2b5055fc3613ef7a37ae

SHA512
ced3414101a47f3ba438c9943f42855f2eed360493ff30afbfedfdf22f97c2f1005a7d86fa9a65adb12ee28f514d27702739bf399786c2365d298aff11d980b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_BDD3.tmp.exe

Filesize
138KB

MD5
8325311ef585133d81164f7d0ae895db

SHA1
babd91d840a0ff704f9b9aca66f2537cb3569a1d

SHA256
f2a5085b2d81c0f41ab980f3be0631f2bb05622df085308dc3bcadb1ed7d69f5

SHA512
e97dc85a4b9d0fd871411d7e8808cbb29461ffb3951e7edec10ece98a0c1948d82cc35e26a8a56b64e7e4769cc0b3ec5f6983e8f27d7e234d49e85f0c2715287

Download Submit
C:\Users\Admin\AppData\Roaming\mnirh\mnirh.exe

Filesize
929KB

MD5
55b2a24013188c8edd410d3feef91291

SHA1
4b61c2e4ceb1bec720865285343d6dbdf31191fe

SHA256
56d44f1bc684d5b24308fdcf2cc9e25adbe7a96f170900e978f2120a6f10f826

SHA512
fec50faedf68bbe02a33c4bc8a4abef50b0fbb8d9ecd0c15f2695e48234b2cbaa382782c322d5778c7840c20a7f927439ef5c1fedbe29924f436fec8c647800b

Download Submit
memory/4132-47-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4132-48-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4132-56-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4132-55-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4132-54-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4132-53-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4132-52-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4132-51-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4132-50-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4132-49-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4132-46-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4132-35-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4132-45-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4132-42-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4132-43-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4132-44-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4144-1-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/4144-3-0x0000000000491000-0x0000000000496000-memory.dmp

Filesize
20KB

Download
memory/4144-0-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/4144-2-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/4144-11-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/4952-14-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/4952-13-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/4952-12-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/5056-21-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/5056-17-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/5056-18-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/5056-15-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download

Analysis

Sharing