darkcomet | 9018cde236258a5fa5b4be5a8a56d483a403b9324c779f98a9fb3898bc6ea1f8

General

Target

JaffaCakes118_62b5b1e2ce552524d16787ac662426c7.exe
Size

326KB
MD5

62b5b1e2ce552524d16787ac662426c7
SHA1

7ca9e8938473837bd293e64d5c0980eb34a552c9
SHA256

9018cde236258a5fa5b4be5a8a56d483a403b9324c779f98a9fb3898bc6ea1f8
SHA512

a50f6e283f969315ba8ccf538ddf15583e09c7a25f09ecb40da631db36fc47fa3de6906c4713903013962766354b103a9ec9afdac53aa010ddc1d04aa1b69221
SSDEEP

6144:SDVak0cSWDokL405WHaIEEGb6UqCDeCV88zqLhTfKXroSFK:S5xoz0RIje6UqU8D9TfKboSFK

Score

10^/10

darkcomet discovery persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	JaffaCakes118_62b5b1e2ce552524d16787ac662426c7.exe

Executes dropped EXE 3 IoCs

pid	Process
116	flashp.exe
436	flashp.exe
720	flashp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ds = "C:\\Users\\Admin\\AppData\\Roaming\\fs\\flashp.exe"	reg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 116 set thread context of 436	116	flashp.exe	87
PID 116 set thread context of 720	116	flashp.exe	88

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4088-0-0x0000000000400000-0x0000000000578000-memory.dmp	upx
behavioral2/files/0x000a000000023b69-11.dat	upx
behavioral2/memory/116-19-0x0000000000400000-0x0000000000578000-memory.dmp	upx
behavioral2/memory/4088-23-0x0000000000400000-0x0000000000578000-memory.dmp	upx
behavioral2/memory/436-24-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/436-40-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/436-39-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/436-33-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/436-27-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/116-43-0x0000000000400000-0x0000000000578000-memory.dmp	upx
behavioral2/memory/436-44-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/436-45-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/436-46-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/436-51-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/436-49-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/436-52-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/436-54-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/436-56-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/436-58-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/436-60-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/436-62-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/436-64-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/436-66-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/436-68-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/436-70-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/436-72-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/436-74-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/436-76-0x0000000000400000-0x00000000004B8000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_62b5b1e2ce552524d16787ac662426c7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	flashp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	flashp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	flashp.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	720	flashp.exe
Token: SeIncreaseQuotaPrivilege	436	flashp.exe
Token: SeSecurityPrivilege	436	flashp.exe
Token: SeTakeOwnershipPrivilege	436	flashp.exe
Token: SeLoadDriverPrivilege	436	flashp.exe
Token: SeSystemProfilePrivilege	436	flashp.exe
Token: SeSystemtimePrivilege	436	flashp.exe
Token: SeProfSingleProcessPrivilege	436	flashp.exe
Token: SeIncBasePriorityPrivilege	436	flashp.exe
Token: SeCreatePagefilePrivilege	436	flashp.exe
Token: SeBackupPrivilege	436	flashp.exe
Token: SeRestorePrivilege	436	flashp.exe
Token: SeShutdownPrivilege	436	flashp.exe
Token: SeDebugPrivilege	436	flashp.exe
Token: SeSystemEnvironmentPrivilege	436	flashp.exe
Token: SeChangeNotifyPrivilege	436	flashp.exe
Token: SeRemoteShutdownPrivilege	436	flashp.exe
Token: SeUndockPrivilege	436	flashp.exe
Token: SeManageVolumePrivilege	436	flashp.exe
Token: SeImpersonatePrivilege	436	flashp.exe
Token: SeCreateGlobalPrivilege	436	flashp.exe
Token: 33	436	flashp.exe
Token: 34	436	flashp.exe
Token: 35	436	flashp.exe
Token: 36	436	flashp.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4088	JaffaCakes118_62b5b1e2ce552524d16787ac662426c7.exe
116	flashp.exe
720	flashp.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4088 wrote to memory of 452	4088	JaffaCakes118_62b5b1e2ce552524d16787ac662426c7.exe	82
PID 4088 wrote to memory of 452	4088	JaffaCakes118_62b5b1e2ce552524d16787ac662426c7.exe	82
PID 4088 wrote to memory of 452	4088	JaffaCakes118_62b5b1e2ce552524d16787ac662426c7.exe	82
PID 452 wrote to memory of 1640	452	cmd.exe	85
PID 452 wrote to memory of 1640	452	cmd.exe	85
PID 452 wrote to memory of 1640	452	cmd.exe	85
PID 4088 wrote to memory of 116	4088	JaffaCakes118_62b5b1e2ce552524d16787ac662426c7.exe	86
PID 4088 wrote to memory of 116	4088	JaffaCakes118_62b5b1e2ce552524d16787ac662426c7.exe	86
PID 4088 wrote to memory of 116	4088	JaffaCakes118_62b5b1e2ce552524d16787ac662426c7.exe	86
PID 116 wrote to memory of 436	116	flashp.exe	87
PID 116 wrote to memory of 436	116	flashp.exe	87
PID 116 wrote to memory of 436	116	flashp.exe	87
PID 116 wrote to memory of 436	116	flashp.exe	87
PID 116 wrote to memory of 436	116	flashp.exe	87
PID 116 wrote to memory of 436	116	flashp.exe	87
PID 116 wrote to memory of 436	116	flashp.exe	87
PID 116 wrote to memory of 436	116	flashp.exe	87
PID 116 wrote to memory of 720	116	flashp.exe	88
PID 116 wrote to memory of 720	116	flashp.exe	88
PID 116 wrote to memory of 720	116	flashp.exe	88
PID 116 wrote to memory of 720	116	flashp.exe	88
PID 116 wrote to memory of 720	116	flashp.exe	88
PID 116 wrote to memory of 720	116	flashp.exe	88
PID 116 wrote to memory of 720	116	flashp.exe	88

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_62b5b1e2ce552524d16787ac662426c7.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_62b5b1e2ce552524d16787ac662426c7.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240636421.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:452
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ds" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\fs\flashp.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1640
- C:\Users\Admin\AppData\Roaming\fs\flashp.exe
  "C:\Users\Admin\AppData\Roaming\fs\flashp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:116
- - C:\Users\Admin\AppData\Roaming\fs\flashp.exe
    C:\Users\Admin\AppData\Roaming\fs\flashp.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:436
- - C:\Users\Admin\AppData\Roaming\fs\flashp.exe
    C:\Users\Admin\AppData\Roaming\fs\flashp.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240636421.bat

Filesize
131B

MD5
84912171051fbf66f6ed7554cbbb3ee9

SHA1
2aa96b932c6c2cfa6bc258b7b8f6f03a1385684a

SHA256
044ed6fcfbde2d33eb821338bafb5cbbf7b1e7c07059165d314dcaff8c0a5a78

SHA512
1219b17147a6c67a1d4892751a6a537415873c197b4e427341db08cf59a8d7447251eb8a35a8c6873267910c329d7e8ee2cd30a49ecd642819a2a297bb93ab6c

Download Submit
C:\Users\Admin\AppData\Roaming\fs\flashp.exe

Filesize
326KB

MD5
62b5b1e2ce552524d16787ac662426c7

SHA1
7ca9e8938473837bd293e64d5c0980eb34a552c9

SHA256
9018cde236258a5fa5b4be5a8a56d483a403b9324c779f98a9fb3898bc6ea1f8

SHA512
a50f6e283f969315ba8ccf538ddf15583e09c7a25f09ecb40da631db36fc47fa3de6906c4713903013962766354b103a9ec9afdac53aa010ddc1d04aa1b69221

Download Submit
memory/116-43-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/116-19-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/436-58-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/436-27-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/436-76-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/436-74-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/436-72-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/436-70-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/436-40-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/436-39-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/436-33-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/436-24-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/436-68-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/436-60-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/436-66-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/436-44-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/436-45-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/436-46-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/436-64-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/436-62-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/436-51-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/436-49-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/436-52-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/436-54-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/436-56-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/720-31-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/720-48-0x0000000000020000-0x0000000000030000-memory.dmp

Filesize
64KB

Download
memory/720-47-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/720-28-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/720-34-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/720-36-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/720-37-0x0000000000020000-0x0000000000030000-memory.dmp

Filesize
64KB

Download
memory/720-32-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4088-0-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/4088-23-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads