darkcomet | a82e7c14e811a755ed8bf5cd459a8a0adb5cd2227fffe5146a21cefcb4273490

General

Target

JaffaCakes118_6e8083a447807f812eff9bd74248e709.exe
Size

389KB
MD5

6e8083a447807f812eff9bd74248e709
SHA1

5c078e4855436f790493a0bdf98afea63316c90a
SHA256

a82e7c14e811a755ed8bf5cd459a8a0adb5cd2227fffe5146a21cefcb4273490
SHA512

a969a74baa02d8439d14a871a9ab92b90ef0d418ceb7ffdf00f2de6fbeffef4f251115bfebfa91d7f1aaedc50f514c04f75cc512080c1f00c8807469a964e6fd
SSDEEP

6144:oHHMbpVcZL5Jh2v8zNfvUi74eieyfGSGQNgpw:oH2qZwv8nbaunG

Score

10^/10

darkcomet s.d.r discovery persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

s.D.r

C2

nowa.zapto.org:1604

Mutex

DCMIN_MUTEX-1VEC57V

Attributes

gencode
ay9yoZhjsnY7
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	JaffaCakes118_6e8083a447807f812eff9bd74248e709.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.exe	msconfig.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.exe	JaffaCakes118_6e8083a447807f812eff9bd74248e709.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.exe	JaffaCakes118_6e8083a447807f812eff9bd74248e709.exe

Executes dropped EXE 1 IoCs

pid	Process
4944	msconfig.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\18.exe = "C:\\Users\\Admin\\AppData\\RoamingMicrosoft\\System\\Services\\18.exe"	msconfig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\18.exe = "C:\\Users\\Admin\\AppData\\RoamingMicrosoft\\System\\Services\\18.exe"	msconfig.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4944 set thread context of 4060	4944	msconfig.exe	84

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4060-19-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/4060-21-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/4060-25-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/4060-26-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/4060-27-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/4060-31-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/4060-32-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/4060-28-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/4060-34-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/4060-35-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/4060-36-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/4060-37-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/4060-38-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/4060-39-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/4060-40-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/4060-41-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/4060-42-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/4060-43-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/4060-44-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/4060-45-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/4060-46-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/4060-47-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/4060-48-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/4060-49-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/4060-50-0x0000000000400000-0x00000000004B8000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	msconfig.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	msconfig.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6e8083a447807f812eff9bd74248e709.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msconfig.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4944	msconfig.exe
4944	msconfig.exe
4944	msconfig.exe
4944	msconfig.exe
4944	msconfig.exe
4944	msconfig.exe
4944	msconfig.exe
4944	msconfig.exe
4944	msconfig.exe
4944	msconfig.exe
4944	msconfig.exe
4944	msconfig.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	4944	msconfig.exe
Token: SeIncreaseQuotaPrivilege	4060	cvtres.exe
Token: SeSecurityPrivilege	4060	cvtres.exe
Token: SeTakeOwnershipPrivilege	4060	cvtres.exe
Token: SeLoadDriverPrivilege	4060	cvtres.exe
Token: SeSystemProfilePrivilege	4060	cvtres.exe
Token: SeSystemtimePrivilege	4060	cvtres.exe
Token: SeProfSingleProcessPrivilege	4060	cvtres.exe
Token: SeIncBasePriorityPrivilege	4060	cvtres.exe
Token: SeCreatePagefilePrivilege	4060	cvtres.exe
Token: SeBackupPrivilege	4060	cvtres.exe
Token: SeRestorePrivilege	4060	cvtres.exe
Token: SeShutdownPrivilege	4060	cvtres.exe
Token: SeDebugPrivilege	4060	cvtres.exe
Token: SeSystemEnvironmentPrivilege	4060	cvtres.exe
Token: SeChangeNotifyPrivilege	4060	cvtres.exe
Token: SeRemoteShutdownPrivilege	4060	cvtres.exe
Token: SeUndockPrivilege	4060	cvtres.exe
Token: SeManageVolumePrivilege	4060	cvtres.exe
Token: SeImpersonatePrivilege	4060	cvtres.exe
Token: SeCreateGlobalPrivilege	4060	cvtres.exe
Token: 33	4060	cvtres.exe
Token: 34	4060	cvtres.exe
Token: 35	4060	cvtres.exe
Token: 36	4060	cvtres.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4060	cvtres.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 4944	2668	JaffaCakes118_6e8083a447807f812eff9bd74248e709.exe	83
PID 2668 wrote to memory of 4944	2668	JaffaCakes118_6e8083a447807f812eff9bd74248e709.exe	83
PID 2668 wrote to memory of 4944	2668	JaffaCakes118_6e8083a447807f812eff9bd74248e709.exe	83
PID 4944 wrote to memory of 4060	4944	msconfig.exe	84
PID 4944 wrote to memory of 4060	4944	msconfig.exe	84
PID 4944 wrote to memory of 4060	4944	msconfig.exe	84
PID 4944 wrote to memory of 4060	4944	msconfig.exe	84
PID 4944 wrote to memory of 4060	4944	msconfig.exe	84
PID 4944 wrote to memory of 4060	4944	msconfig.exe	84
PID 4944 wrote to memory of 4060	4944	msconfig.exe	84
PID 4944 wrote to memory of 4060	4944	msconfig.exe	84

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6e8083a447807f812eff9bd74248e709.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6e8083a447807f812eff9bd74248e709.exe"
1⤵
- Checks computer location settings
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4944
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.exe

Filesize
389KB

MD5
6e8083a447807f812eff9bd74248e709

SHA1
5c078e4855436f790493a0bdf98afea63316c90a

SHA256
a82e7c14e811a755ed8bf5cd459a8a0adb5cd2227fffe5146a21cefcb4273490

SHA512
a969a74baa02d8439d14a871a9ab92b90ef0d418ceb7ffdf00f2de6fbeffef4f251115bfebfa91d7f1aaedc50f514c04f75cc512080c1f00c8807469a964e6fd

Download Submit
memory/2668-16-0x0000000074FB0000-0x0000000075561000-memory.dmp

Filesize
5.7MB

Download
memory/2668-1-0x0000000074FB0000-0x0000000075561000-memory.dmp

Filesize
5.7MB

Download
memory/2668-2-0x0000000074FB0000-0x0000000075561000-memory.dmp

Filesize
5.7MB

Download
memory/2668-0-0x0000000074FB2000-0x0000000074FB3000-memory.dmp

Filesize
4KB

Download
memory/4060-34-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4060-36-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4060-19-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4060-21-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4060-25-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4060-26-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4060-27-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4060-31-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4060-50-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4060-32-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4060-28-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4060-49-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4060-35-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4060-48-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4060-37-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4060-38-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4060-39-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4060-40-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4060-41-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4060-42-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4060-43-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4060-44-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4060-45-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4060-46-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4060-47-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4944-17-0x0000000074FB0000-0x0000000075561000-memory.dmp

Filesize
5.7MB

Download
memory/4944-14-0x0000000074FB0000-0x0000000075561000-memory.dmp

Filesize
5.7MB

Download
memory/4944-33-0x0000000074FB0000-0x0000000075561000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads