darkcomet | 5d271089ff6c13203578bfadb766ab8e5fdba62286b0b5e2e49c8afec3a0a57b

General

Target

JaffaCakes118_65d0e2f6e383e4707c0a1fff936cff20.exe
Size

752KB
MD5

65d0e2f6e383e4707c0a1fff936cff20
SHA1

b7b626d4cf6019affe1bdc2a0a34bb36db501a09
SHA256

5d271089ff6c13203578bfadb766ab8e5fdba62286b0b5e2e49c8afec3a0a57b
SHA512

44786b30bb295b05ffb9faaa30672e3f0c8bd79b63c41c12129e39ce1018c34ac1e270c6f3a11196bc485a3283d8efbb7442ea1bcd55f2855931135c2e8c1978
SSDEEP

12288:XJKzhtpGxWkF1czht1G0WBLw3KLNzZBJQoZqdugoQzkxE9c3j9HHxp1+:XJKzMZuzht1G0WxVthZMlorEa3j9n

Score

10^/10

darkcomet bt real discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

BT Real

C2

prokwen.no-ip.org:100

darkcometx.no-ip.biz:100

127.0.0.1:100

Mutex

DC_MUTEX-4RGBBVE

Attributes

gencode
pdn1D7zQzeYg
install
false
offline_keylogger
true
password
6439330
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	JaffaCakes118_65d0e2f6e383e4707c0a1fff936cff20.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Firewall = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_65d0e2f6e383e4707c0a1fff936cff20.exe"	JaffaCakes118_65d0e2f6e383e4707c0a1fff936cff20.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4804 set thread context of 1616	4804	JaffaCakes118_65d0e2f6e383e4707c0a1fff936cff20.exe	87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_65d0e2f6e383e4707c0a1fff936cff20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1616	cvtres.exe
Token: SeSecurityPrivilege	1616	cvtres.exe
Token: SeTakeOwnershipPrivilege	1616	cvtres.exe
Token: SeLoadDriverPrivilege	1616	cvtres.exe
Token: SeSystemProfilePrivilege	1616	cvtres.exe
Token: SeSystemtimePrivilege	1616	cvtres.exe
Token: SeProfSingleProcessPrivilege	1616	cvtres.exe
Token: SeIncBasePriorityPrivilege	1616	cvtres.exe
Token: SeCreatePagefilePrivilege	1616	cvtres.exe
Token: SeBackupPrivilege	1616	cvtres.exe
Token: SeRestorePrivilege	1616	cvtres.exe
Token: SeShutdownPrivilege	1616	cvtres.exe
Token: SeDebugPrivilege	1616	cvtres.exe
Token: SeSystemEnvironmentPrivilege	1616	cvtres.exe
Token: SeChangeNotifyPrivilege	1616	cvtres.exe
Token: SeRemoteShutdownPrivilege	1616	cvtres.exe
Token: SeUndockPrivilege	1616	cvtres.exe
Token: SeManageVolumePrivilege	1616	cvtres.exe
Token: SeImpersonatePrivilege	1616	cvtres.exe
Token: SeCreateGlobalPrivilege	1616	cvtres.exe
Token: 33	1616	cvtres.exe
Token: 34	1616	cvtres.exe
Token: 35	1616	cvtres.exe
Token: 36	1616	cvtres.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1616	cvtres.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 4780	4804	JaffaCakes118_65d0e2f6e383e4707c0a1fff936cff20.exe	85
PID 4804 wrote to memory of 4780	4804	JaffaCakes118_65d0e2f6e383e4707c0a1fff936cff20.exe	85
PID 4804 wrote to memory of 4780	4804	JaffaCakes118_65d0e2f6e383e4707c0a1fff936cff20.exe	85
PID 4804 wrote to memory of 1616	4804	JaffaCakes118_65d0e2f6e383e4707c0a1fff936cff20.exe	87
PID 4804 wrote to memory of 1616	4804	JaffaCakes118_65d0e2f6e383e4707c0a1fff936cff20.exe	87
PID 4804 wrote to memory of 1616	4804	JaffaCakes118_65d0e2f6e383e4707c0a1fff936cff20.exe	87
PID 4804 wrote to memory of 1616	4804	JaffaCakes118_65d0e2f6e383e4707c0a1fff936cff20.exe	87
PID 4804 wrote to memory of 1616	4804	JaffaCakes118_65d0e2f6e383e4707c0a1fff936cff20.exe	87
PID 4804 wrote to memory of 1616	4804	JaffaCakes118_65d0e2f6e383e4707c0a1fff936cff20.exe	87
PID 4804 wrote to memory of 1616	4804	JaffaCakes118_65d0e2f6e383e4707c0a1fff936cff20.exe	87
PID 4804 wrote to memory of 1616	4804	JaffaCakes118_65d0e2f6e383e4707c0a1fff936cff20.exe	87
PID 4804 wrote to memory of 1616	4804	JaffaCakes118_65d0e2f6e383e4707c0a1fff936cff20.exe	87
PID 4804 wrote to memory of 1616	4804	JaffaCakes118_65d0e2f6e383e4707c0a1fff936cff20.exe	87
PID 4804 wrote to memory of 1616	4804	JaffaCakes118_65d0e2f6e383e4707c0a1fff936cff20.exe	87
PID 4804 wrote to memory of 1616	4804	JaffaCakes118_65d0e2f6e383e4707c0a1fff936cff20.exe	87
PID 4804 wrote to memory of 1616	4804	JaffaCakes118_65d0e2f6e383e4707c0a1fff936cff20.exe	87
PID 4804 wrote to memory of 1616	4804	JaffaCakes118_65d0e2f6e383e4707c0a1fff936cff20.exe	87

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_65d0e2f6e383e4707c0a1fff936cff20.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_65d0e2f6e383e4707c0a1fff936cff20.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hacked.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4780
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
  \Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hacked.bat

Filesize
17KB

MD5
9c105b62c7da5d1a5880a9ac962ce599

SHA1
9e83b25d4846883c47411ada6c89230fb647d645

SHA256
6d1d1a4ba484d37f4e5201cdc93eae9a2cdb49424951eda5c404e28683acd265

SHA512
873a3c6a8f010f724b17cb4a211014bc4bf9b3ff147a4f6ba297a02e29f76bba7a5f25980f6841f8b37fa853fa49e8a83066b0dd907933178cb6d300ff933c8c

Download Submit
memory/1616-25-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1616-31-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1616-17-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1616-7-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1616-9-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1616-11-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1616-18-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1616-12-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1616-30-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1616-14-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1616-15-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1616-16-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1616-6-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1616-29-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1616-26-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1616-20-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1616-21-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1616-22-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1616-23-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1616-24-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1616-28-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1616-19-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1616-27-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4804-0-0x00000000750F2000-0x00000000750F3000-memory.dmp

Filesize
4KB

Download
memory/4804-2-0x00000000750F0000-0x00000000756A1000-memory.dmp

Filesize
5.7MB

Download
memory/4804-1-0x00000000750F0000-0x00000000756A1000-memory.dmp

Filesize
5.7MB

Download
memory/4804-10-0x00000000750F0000-0x00000000756A1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads