darkcomet | e79a2e9a7c18dd17e15ebbf30cfd9d445b6fd81c55b53b2ad1eea96b64bdfc80

General

Target

JaffaCakes118_608219cba6663346e66932c65ab3ea10.exe
Size

360KB
MD5

608219cba6663346e66932c65ab3ea10
SHA1

f340a899c50dc4a73b289ed83bf332341e9999db
SHA256

e79a2e9a7c18dd17e15ebbf30cfd9d445b6fd81c55b53b2ad1eea96b64bdfc80
SHA512

16d9052af7a10032c4d4717c319633948ff5d43b552edf8558a8eecd1ccbd2779717e8568351b6d2b01180d8af8df174fc80035b8b5839fa0152c68ecf6da823
SSDEEP

6144:yEQgDCz8aHlgiFMD1AjP4eIBYkDnmC5q+jHbMpHTcHInL80HO:y8gPTjSM+jIpHTcc

Score

10^/10

darkcomet new16 discovery persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

NEW16

C2

95.211.195.1:50045

94.242.252.66:50045

Mutex

DC_MUTEX-WD09Q5C

Attributes

gencode
N3qG1nSVu7yX
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Executes dropped EXE 3 IoCs

pid	Process
2308	fbccc.exe
2752	fbccc.exe
2640	dX1RQ5Qb5B.exe

Loads dropped DLL 4 IoCs

pid	Process
3016	JaffaCakes118_608219cba6663346e66932c65ab3ea10.exe
3016	JaffaCakes118_608219cba6663346e66932c65ab3ea10.exe
2308	fbccc.exe
2308	fbccc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\fbccc.exe = "C:\\Users\\Admin\\AppData\\Local\\fbccc.exe"	fbccc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2308 set thread context of 2752	2308	fbccc.exe	32

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2752-28-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2752-27-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2752-26-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2752-20-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2752-18-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2752-16-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2752-30-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2752-29-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_608219cba6663346e66932c65ab3ea10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fbccc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fbccc.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2752	fbccc.exe
Token: SeSecurityPrivilege	2752	fbccc.exe
Token: SeTakeOwnershipPrivilege	2752	fbccc.exe
Token: SeLoadDriverPrivilege	2752	fbccc.exe
Token: SeSystemProfilePrivilege	2752	fbccc.exe
Token: SeSystemtimePrivilege	2752	fbccc.exe
Token: SeProfSingleProcessPrivilege	2752	fbccc.exe
Token: SeIncBasePriorityPrivilege	2752	fbccc.exe
Token: SeCreatePagefilePrivilege	2752	fbccc.exe
Token: SeBackupPrivilege	2752	fbccc.exe
Token: SeRestorePrivilege	2752	fbccc.exe
Token: SeShutdownPrivilege	2752	fbccc.exe
Token: SeDebugPrivilege	2752	fbccc.exe
Token: SeSystemEnvironmentPrivilege	2752	fbccc.exe
Token: SeChangeNotifyPrivilege	2752	fbccc.exe
Token: SeRemoteShutdownPrivilege	2752	fbccc.exe
Token: SeUndockPrivilege	2752	fbccc.exe
Token: SeManageVolumePrivilege	2752	fbccc.exe
Token: SeImpersonatePrivilege	2752	fbccc.exe
Token: SeCreateGlobalPrivilege	2752	fbccc.exe
Token: 33	2752	fbccc.exe
Token: 34	2752	fbccc.exe
Token: 35	2752	fbccc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2752	fbccc.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2308	3016	JaffaCakes118_608219cba6663346e66932c65ab3ea10.exe	31
PID 3016 wrote to memory of 2308	3016	JaffaCakes118_608219cba6663346e66932c65ab3ea10.exe	31
PID 3016 wrote to memory of 2308	3016	JaffaCakes118_608219cba6663346e66932c65ab3ea10.exe	31
PID 3016 wrote to memory of 2308	3016	JaffaCakes118_608219cba6663346e66932c65ab3ea10.exe	31
PID 2308 wrote to memory of 2752	2308	fbccc.exe	32
PID 2308 wrote to memory of 2752	2308	fbccc.exe	32
PID 2308 wrote to memory of 2752	2308	fbccc.exe	32
PID 2308 wrote to memory of 2752	2308	fbccc.exe	32
PID 2308 wrote to memory of 2752	2308	fbccc.exe	32
PID 2308 wrote to memory of 2752	2308	fbccc.exe	32
PID 2308 wrote to memory of 2752	2308	fbccc.exe	32
PID 2308 wrote to memory of 2752	2308	fbccc.exe	32
PID 2308 wrote to memory of 2640	2308	fbccc.exe	33
PID 2308 wrote to memory of 2640	2308	fbccc.exe	33
PID 2308 wrote to memory of 2640	2308	fbccc.exe	33
PID 2308 wrote to memory of 2640	2308	fbccc.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_608219cba6663346e66932c65ab3ea10.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_608219cba6663346e66932c65ab3ea10.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\fbccc.exe
  "C:\Users\Admin\AppData\Local\fbccc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Users\Admin\AppData\Local\fbccc.exe
    C:\Users\Admin\AppData\Local\fbccc.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2752
- - C:\Users\Admin\AppData\Local\Temp\dX1RQ5Qb5B.exe
    "C:\Users\Admin\AppData\Local\Temp\dX1RQ5Qb5B.exe"
    3⤵
    - Executes dropped EXE
    PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dX1RQ5Qb5B.exe

Filesize
36KB

MD5
572ca7769f52652282eaee2bada9e2bf

SHA1
6f6ac1b055051bfc798939db053d99c0d7faa130

SHA256
042409cc3e3e8570679289c6ef6b87e6a4109286d5a864934cf9e7b32bd99075

SHA512
9e8829a5776d3f11d06fd5239ecee950f21f3dced0d49bdc0b234cb1a510dfbc3c331bd61181d76a5e529006ad1597652d9c3a8c7f376ef254fe3e51f4754998

Download Submit
\Users\Admin\AppData\Local\fbccc.exe

Filesize
360KB

MD5
608219cba6663346e66932c65ab3ea10

SHA1
f340a899c50dc4a73b289ed83bf332341e9999db

SHA256
e79a2e9a7c18dd17e15ebbf30cfd9d445b6fd81c55b53b2ad1eea96b64bdfc80

SHA512
16d9052af7a10032c4d4717c319633948ff5d43b552edf8558a8eecd1ccbd2779717e8568351b6d2b01180d8af8df174fc80035b8b5839fa0152c68ecf6da823

Download Submit
memory/2308-13-0x0000000000010000-0x0000000000073000-memory.dmp

Filesize
396KB

Download
memory/2308-39-0x0000000000010000-0x0000000000073000-memory.dmp

Filesize
396KB

Download
memory/2308-12-0x0000000000010000-0x0000000000073000-memory.dmp

Filesize
396KB

Download
memory/2640-46-0x0000000000010000-0x0000000000022000-memory.dmp

Filesize
72KB

Download
memory/2640-47-0x0000000000010000-0x0000000000022000-memory.dmp

Filesize
72KB

Download
memory/2640-45-0x0000000000010000-0x0000000000022000-memory.dmp

Filesize
72KB

Download
memory/2640-44-0x0000000000010000-0x0000000000022000-memory.dmp

Filesize
72KB

Download
memory/2640-43-0x0000000000010000-0x0000000000022000-memory.dmp

Filesize
72KB

Download
memory/2640-42-0x0000000000010000-0x0000000000022000-memory.dmp

Filesize
72KB

Download
memory/2640-41-0x0000000000010000-0x0000000000022000-memory.dmp

Filesize
72KB

Download
memory/2640-40-0x0000000000010000-0x0000000000022000-memory.dmp

Filesize
72KB

Download
memory/2640-48-0x0000000000010000-0x0000000000022000-memory.dmp

Filesize
72KB

Download
memory/2752-28-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2752-29-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2752-30-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2752-15-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2752-16-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2752-18-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2752-20-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2752-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2752-26-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2752-27-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3016-0-0x0000000000010000-0x0000000000073000-memory.dmp

Filesize
396KB

Download
memory/3016-11-0x0000000000010000-0x0000000000073000-memory.dmp

Filesize
396KB

Download
memory/3016-1-0x0000000000010000-0x0000000000073000-memory.dmp

Filesize
396KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads