darkcomet | aea28dc9008d1cb019826bcda9ed2397d3c8a345d9c78d4ab104ff6263326df3

General

Target

JaffaCakes118_6e9e68a42adc84e29d47c5f9555ce060.exe
Size

821KB
MD5

6e9e68a42adc84e29d47c5f9555ce060
SHA1

a576dc8081fd3780f237b909b38278e134f3c030
SHA256

aea28dc9008d1cb019826bcda9ed2397d3c8a345d9c78d4ab104ff6263326df3
SHA512

d79c1fae29bf4d18d2c5d542a0d0b0a6c4b5a59dae0f017c0ae8c8aeaae97642c3b51069fea7582208372f0c8a0fe26ed01d8fe042140205664fae6d5ad0cc9d
SSDEEP

24576:F3nbWmJVJFwSddIXvfhqbiaxvRxq9tNY:BamdZdcBYw

Score

10^/10

darkcomet discovery persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\explorer.exe"	JaffaCakes118_6e9e68a42adc84e29d47c5f9555ce060.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	JaffaCakes118_6e9e68a42adc84e29d47c5f9555ce060.exe

Executes dropped EXE 1 IoCs

pid	Process
1496	explorer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YolundaMT2 = "C:\\Windows\\system32\\explorer.exe"	JaffaCakes118_6e9e68a42adc84e29d47c5f9555ce060.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\explorer.exe	JaffaCakes118_6e9e68a42adc84e29d47c5f9555ce060.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	JaffaCakes118_6e9e68a42adc84e29d47c5f9555ce060.exe
File opened for modification	C:\Windows\SysWOW64\	JaffaCakes118_6e9e68a42adc84e29d47c5f9555ce060.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6e9e68a42adc84e29d47c5f9555ce060.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
976	PING.EXE
3048	PING.EXE
4276	PING.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	JaffaCakes118_6e9e68a42adc84e29d47c5f9555ce060.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	explorer.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
4276	PING.EXE
976	PING.EXE
3048	PING.EXE

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1568	JaffaCakes118_6e9e68a42adc84e29d47c5f9555ce060.exe
Token: SeSecurityPrivilege	1568	JaffaCakes118_6e9e68a42adc84e29d47c5f9555ce060.exe
Token: SeTakeOwnershipPrivilege	1568	JaffaCakes118_6e9e68a42adc84e29d47c5f9555ce060.exe
Token: SeLoadDriverPrivilege	1568	JaffaCakes118_6e9e68a42adc84e29d47c5f9555ce060.exe
Token: SeSystemProfilePrivilege	1568	JaffaCakes118_6e9e68a42adc84e29d47c5f9555ce060.exe
Token: SeSystemtimePrivilege	1568	JaffaCakes118_6e9e68a42adc84e29d47c5f9555ce060.exe
Token: SeProfSingleProcessPrivilege	1568	JaffaCakes118_6e9e68a42adc84e29d47c5f9555ce060.exe
Token: SeIncBasePriorityPrivilege	1568	JaffaCakes118_6e9e68a42adc84e29d47c5f9555ce060.exe
Token: SeCreatePagefilePrivilege	1568	JaffaCakes118_6e9e68a42adc84e29d47c5f9555ce060.exe
Token: SeBackupPrivilege	1568	JaffaCakes118_6e9e68a42adc84e29d47c5f9555ce060.exe
Token: SeRestorePrivilege	1568	JaffaCakes118_6e9e68a42adc84e29d47c5f9555ce060.exe
Token: SeShutdownPrivilege	1568	JaffaCakes118_6e9e68a42adc84e29d47c5f9555ce060.exe
Token: SeDebugPrivilege	1568	JaffaCakes118_6e9e68a42adc84e29d47c5f9555ce060.exe
Token: SeSystemEnvironmentPrivilege	1568	JaffaCakes118_6e9e68a42adc84e29d47c5f9555ce060.exe
Token: SeChangeNotifyPrivilege	1568	JaffaCakes118_6e9e68a42adc84e29d47c5f9555ce060.exe
Token: SeRemoteShutdownPrivilege	1568	JaffaCakes118_6e9e68a42adc84e29d47c5f9555ce060.exe
Token: SeUndockPrivilege	1568	JaffaCakes118_6e9e68a42adc84e29d47c5f9555ce060.exe
Token: SeManageVolumePrivilege	1568	JaffaCakes118_6e9e68a42adc84e29d47c5f9555ce060.exe
Token: SeImpersonatePrivilege	1568	JaffaCakes118_6e9e68a42adc84e29d47c5f9555ce060.exe
Token: SeCreateGlobalPrivilege	1568	JaffaCakes118_6e9e68a42adc84e29d47c5f9555ce060.exe
Token: 33	1568	JaffaCakes118_6e9e68a42adc84e29d47c5f9555ce060.exe
Token: 34	1568	JaffaCakes118_6e9e68a42adc84e29d47c5f9555ce060.exe
Token: 35	1568	JaffaCakes118_6e9e68a42adc84e29d47c5f9555ce060.exe
Token: 36	1568	JaffaCakes118_6e9e68a42adc84e29d47c5f9555ce060.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1568 wrote to memory of 1968	1568	JaffaCakes118_6e9e68a42adc84e29d47c5f9555ce060.exe	82
PID 1568 wrote to memory of 1968	1568	JaffaCakes118_6e9e68a42adc84e29d47c5f9555ce060.exe	82
PID 1568 wrote to memory of 1968	1568	JaffaCakes118_6e9e68a42adc84e29d47c5f9555ce060.exe	82
PID 1568 wrote to memory of 4764	1568	JaffaCakes118_6e9e68a42adc84e29d47c5f9555ce060.exe	84
PID 1568 wrote to memory of 4764	1568	JaffaCakes118_6e9e68a42adc84e29d47c5f9555ce060.exe	84
PID 1568 wrote to memory of 4764	1568	JaffaCakes118_6e9e68a42adc84e29d47c5f9555ce060.exe	84
PID 1568 wrote to memory of 1732	1568	JaffaCakes118_6e9e68a42adc84e29d47c5f9555ce060.exe	86
PID 1568 wrote to memory of 1732	1568	JaffaCakes118_6e9e68a42adc84e29d47c5f9555ce060.exe	86
PID 1568 wrote to memory of 1732	1568	JaffaCakes118_6e9e68a42adc84e29d47c5f9555ce060.exe	86
PID 1968 wrote to memory of 4276	1968	cmd.exe	88
PID 1968 wrote to memory of 4276	1968	cmd.exe	88
PID 1968 wrote to memory of 4276	1968	cmd.exe	88
PID 4764 wrote to memory of 976	4764	cmd.exe	89
PID 4764 wrote to memory of 976	4764	cmd.exe	89
PID 4764 wrote to memory of 976	4764	cmd.exe	89
PID 1732 wrote to memory of 3048	1732	cmd.exe	90
PID 1732 wrote to memory of 3048	1732	cmd.exe	90
PID 1732 wrote to memory of 3048	1732	cmd.exe	90
PID 1568 wrote to memory of 1496	1568	JaffaCakes118_6e9e68a42adc84e29d47c5f9555ce060.exe	91
PID 1568 wrote to memory of 1496	1568	JaffaCakes118_6e9e68a42adc84e29d47c5f9555ce060.exe	91
PID 1568 wrote to memory of 1496	1568	JaffaCakes118_6e9e68a42adc84e29d47c5f9555ce060.exe	91

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6e9e68a42adc84e29d47c5f9555ce060.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6e9e68a42adc84e29d47c5f9555ce060.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4276
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3048
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\system32\explorer.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat

Filesize
113B

MD5
89d4969afb8bb6b8effdea956e2b3ae4

SHA1
a6c4fede4f49da939ebb5e08b88b12f9a18ddf12

SHA256
1a7a99a9b42169c068a7875dc08b2903f00aba109eb2d91359048773c5fd00aa

SHA512
b10e90b326580d11c388665b3827b09b4cc0c79f02080e37e0bde4a5caa22216227553613b46a4e95dc8765705a534e74e6d490d4a812290c0289232a959140b

Download Submit
C:\Windows\SysWOW64\explorer.exe

Filesize
4.2MB

MD5
0155e85852fde62a441cbaf485e023be

SHA1
59482d4b1c0f061426ef71bff8506230faa00701

SHA256
e0689419d3d7879a229ecf3e74639e4e9ba0669ed4574f47b108097593fc9fbc

SHA512
f1a43adb7b0203dc5ad4613da9645070c4da0d15d8788b50644cb80420d4a38151488aa3888da39a6cb17ef6d3f5ebc5fe08ac948dca1fd0c852dceecd3bafff

Download Submit
memory/1568-0-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/1568-14-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads