darkcomet | 54dc3229416589043ea0d5a86c3aee3361effca3ca8fbbf0cae2161243d08326

General

Target

JaffaCakes118_a7ba1f4ba105a03dcc36657405e3bbbe.exe
Size

1.6MB
MD5

a7ba1f4ba105a03dcc36657405e3bbbe
SHA1

1443c1276bf9f814b411d16f89fa3858908df830
SHA256

54dc3229416589043ea0d5a86c3aee3361effca3ca8fbbf0cae2161243d08326
SHA512

54c588bae54f948392d7caa3cc216cbf9c842cb591517e49e54f8ca64098b080766357dbad90bb41a0c987af493758834fca0bac3443fd892fb2eb6f51ed6cde
SSDEEP

24576:UOjsAei64moCmy9MNA1V4UOLMZ8DkcKg9X3CkF1w8T1+J86F/uq3Mo6ZYoatE:UJNWC/OALYG1co2W8T1+J86F/Fgr

Score

10^/10

darkcomet discovery rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	test.exe

Executes dropped EXE 1 IoCs

pid	Process
888	test.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	test.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	test.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	test.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	test.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	test.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	888	test.exe
Token: SeSecurityPrivilege	888	test.exe
Token: SeTakeOwnershipPrivilege	888	test.exe
Token: SeLoadDriverPrivilege	888	test.exe
Token: SeSystemProfilePrivilege	888	test.exe
Token: SeSystemtimePrivilege	888	test.exe
Token: SeProfSingleProcessPrivilege	888	test.exe
Token: SeIncBasePriorityPrivilege	888	test.exe
Token: SeCreatePagefilePrivilege	888	test.exe
Token: SeBackupPrivilege	888	test.exe
Token: SeRestorePrivilege	888	test.exe
Token: SeShutdownPrivilege	888	test.exe
Token: SeDebugPrivilege	888	test.exe
Token: SeSystemEnvironmentPrivilege	888	test.exe
Token: SeChangeNotifyPrivilege	888	test.exe
Token: SeRemoteShutdownPrivilege	888	test.exe
Token: SeUndockPrivilege	888	test.exe
Token: SeManageVolumePrivilege	888	test.exe
Token: SeImpersonatePrivilege	888	test.exe
Token: SeCreateGlobalPrivilege	888	test.exe
Token: 33	888	test.exe
Token: 34	888	test.exe
Token: 35	888	test.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
888	test.exe
2156	java.exe
2156	java.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 888	1956	JaffaCakes118_a7ba1f4ba105a03dcc36657405e3bbbe.exe	30
PID 1956 wrote to memory of 888	1956	JaffaCakes118_a7ba1f4ba105a03dcc36657405e3bbbe.exe	30
PID 1956 wrote to memory of 888	1956	JaffaCakes118_a7ba1f4ba105a03dcc36657405e3bbbe.exe	30
PID 1956 wrote to memory of 888	1956	JaffaCakes118_a7ba1f4ba105a03dcc36657405e3bbbe.exe	30
PID 1956 wrote to memory of 2092	1956	JaffaCakes118_a7ba1f4ba105a03dcc36657405e3bbbe.exe	31
PID 1956 wrote to memory of 2092	1956	JaffaCakes118_a7ba1f4ba105a03dcc36657405e3bbbe.exe	31
PID 1956 wrote to memory of 2092	1956	JaffaCakes118_a7ba1f4ba105a03dcc36657405e3bbbe.exe	31
PID 2092 wrote to memory of 2156	2092	javaw.exe	32
PID 2092 wrote to memory of 2156	2092	javaw.exe	32
PID 2092 wrote to memory of 2156	2092	javaw.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a7ba1f4ba105a03dcc36657405e3bbbe.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a7ba1f4ba105a03dcc36657405e3bbbe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Users\Admin\AppData\Local\Temp\test.exe
  "C:\Users\Admin\AppData\Local\Temp\test.exe"
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:888
- C:\Program Files\Java\jre7\bin\javaw.exe
  "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\MyCraft.jar"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Program Files\Java\jre7\bin\java.exe
    java -Xmx1024m -Xms1024m -Dsun.java2d.noddraw=true -Dsun.java2d.d3d=false -Dsun.java2d.opengl=false -Dsun.java2d.pmoffscreen=false -classpath /C:/Users/Admin/AppData/Local/Temp/MyCraft.jar org.frustra.myclaunch.MyCraftLauncher
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MyCraft.jar

Filesize
596KB

MD5
7a8df1b32bde284dd82df292bbde9876

SHA1
f806eaea3afec63468895231f79c4f976608ef9c

SHA256
77fefa714a4f94e709353f22d9c935e0f999c50cc6b8bf754539e72d4aefd489

SHA512
f41dc65ec81dc93c0116949c613ca67c0be68c3dc0419b75cf9c7375aa2b98bd472c0acff86ee44309efa9c9e8bb30cbcc9ffea99d0ee7bcfe35b19cc9c8c788

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
658KB

MD5
4221a81ba51f34c6a7ecbc444c1ed9ba

SHA1
746a74c20615e16c71520f7e6a1bf1e4b6b72cdb

SHA256
77dba0b4e832682329b572c9f8948fc8f5c503166fb30df0c799a0454954699f

SHA512
e746c1e0af7ba88e25e4b0a73f2b820e1bb27360df30b9d8bbe2e82c18f180d3a9db1b6bec3dd00d3ab4597032b8ef24d902b1b1d372ca03d107f3a6bc2ffb6f

Download Submit
memory/888-45-0x0000000013140000-0x00000000131F6000-memory.dmp

Filesize
728KB

Download
memory/888-56-0x0000000013140000-0x00000000131F6000-memory.dmp

Filesize
728KB

Download
memory/888-53-0x0000000013140000-0x00000000131F6000-memory.dmp

Filesize
728KB

Download
memory/888-13-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/888-51-0x0000000013140000-0x00000000131F6000-memory.dmp

Filesize
728KB

Download
memory/888-49-0x0000000013140000-0x00000000131F6000-memory.dmp

Filesize
728KB

Download
memory/888-47-0x0000000013140000-0x00000000131F6000-memory.dmp

Filesize
728KB

Download
memory/888-41-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/888-42-0x0000000013140000-0x00000000131F6000-memory.dmp

Filesize
728KB

Download
memory/1956-11-0x000007FEF5FA0000-0x000007FEF698C000-memory.dmp

Filesize
9.9MB

Download
memory/1956-0-0x000007FEF5FA3000-0x000007FEF5FA4000-memory.dmp

Filesize
4KB

Download
memory/1956-1-0x0000000001100000-0x00000000012AA000-memory.dmp

Filesize
1.7MB

Download
memory/2092-43-0x0000000002540000-0x00000000027B0000-memory.dmp

Filesize
2.4MB

Download
memory/2092-39-0x0000000001C60000-0x0000000001C61000-memory.dmp

Filesize
4KB

Download
memory/2092-15-0x0000000002540000-0x00000000027B0000-memory.dmp

Filesize
2.4MB

Download
memory/2156-40-0x0000000001C70000-0x0000000001C71000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads