darkcomet | 227aad47efdb70e05e55129fc1f755f57ef5bccd62ef29371a91979313b9ccdc

General

Target

JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe
Size

756KB
MD5

644b895cc3bc1c8db5d638534b657960
SHA1

7d69bf123b503dd00fb5f6ba352f553fdc5154a0
SHA256

227aad47efdb70e05e55129fc1f755f57ef5bccd62ef29371a91979313b9ccdc
SHA512

5ac45d8d980e22bce9f25e7b708de34c677712c3fe49fa2fd118cf0263449e02061b30986bae0083870be6538c173e1ffc81ab87769504e49ffc5e22807529b9
SSDEEP

12288:u9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/huFIIhIIo:6Z1xuVVjfFoynPaVBUR8f+kN10EB3

Score

10^/10

darkcomet guest16 discovery evasion rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

127.0.0.1:1604

Mutex

DC_MUTEX-9AZJ7BF

Attributes

gencode
J9uBSGkV1jEC
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies firewall policy service 3 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe

Disables Task Manager via registry modification
evasion

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4512	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe
Token: SeSecurityPrivilege	4512	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe
Token: SeTakeOwnershipPrivilege	4512	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe
Token: SeLoadDriverPrivilege	4512	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe
Token: SeSystemProfilePrivilege	4512	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe
Token: SeSystemtimePrivilege	4512	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe
Token: SeProfSingleProcessPrivilege	4512	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe
Token: SeIncBasePriorityPrivilege	4512	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe
Token: SeCreatePagefilePrivilege	4512	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe
Token: SeBackupPrivilege	4512	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe
Token: SeRestorePrivilege	4512	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe
Token: SeShutdownPrivilege	4512	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe
Token: SeDebugPrivilege	4512	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe
Token: SeSystemEnvironmentPrivilege	4512	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe
Token: SeChangeNotifyPrivilege	4512	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe
Token: SeRemoteShutdownPrivilege	4512	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe
Token: SeUndockPrivilege	4512	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe
Token: SeManageVolumePrivilege	4512	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe
Token: SeImpersonatePrivilege	4512	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe
Token: SeCreateGlobalPrivilege	4512	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe
Token: 33	4512	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe
Token: 34	4512	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe
Token: 35	4512	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe
Token: 36	4512	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4512	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4512 wrote to memory of 1460	4512	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe	82
PID 4512 wrote to memory of 1460	4512	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe	82
PID 4512 wrote to memory of 1460	4512	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe	82
PID 4512 wrote to memory of 1460	4512	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe	82
PID 4512 wrote to memory of 1460	4512	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe	82
PID 4512 wrote to memory of 1460	4512	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe	82
PID 4512 wrote to memory of 1460	4512	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe	82
PID 4512 wrote to memory of 1460	4512	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe	82
PID 4512 wrote to memory of 1460	4512	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe	82
PID 4512 wrote to memory of 1460	4512	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe	82
PID 4512 wrote to memory of 1460	4512	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe	82
PID 4512 wrote to memory of 1460	4512	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe	82
PID 4512 wrote to memory of 1460	4512	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe	82
PID 4512 wrote to memory of 1460	4512	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe	82
PID 4512 wrote to memory of 1460	4512	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe	82
PID 4512 wrote to memory of 1460	4512	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe	82
PID 4512 wrote to memory of 1460	4512	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe	82
PID 4512 wrote to memory of 1460	4512	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe	82
PID 4512 wrote to memory of 1460	4512	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe	82
PID 4512 wrote to memory of 1460	4512	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe	82
PID 4512 wrote to memory of 1460	4512	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe	82
PID 4512 wrote to memory of 1460	4512	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe	82

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe"
1⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4512
- C:\Windows\SysWOW64\notepad.exe
  notepad
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1460

Network

DNS

154.239.44.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

154.239.44.20.in-addr.arpa

IN PTR

Response
DNS

76.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

76.32.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

133.211.185.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.211.185.52.in-addr.arpa

IN PTR

Response
DNS

197.87.175.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

197.87.175.4.in-addr.arpa

IN PTR

Response
DNS

241.42.69.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.42.69.40.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

14.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.227.111.52.in-addr.arpa

IN PTR

Response

127.0.0.1:1604

JaffaCakes118_644b895cc3bc1c8db5d638534b657960.exe

8.8.8.8:53

154.239.44.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

154.239.44.20.in-addr.arpa
8.8.8.8:53

76.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

76.32.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

133.211.185.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

133.211.185.52.in-addr.arpa
8.8.8.8:53

197.87.175.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

197.87.175.4.in-addr.arpa
8.8.8.8:53

241.42.69.40.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

241.42.69.40.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

14.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

3

T1562

Disable or Modify System Firewall

1

T1562.004

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1460-1-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/4512-0-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/4512-2-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.