darkcomet | 54dc3229416589043ea0d5a86c3aee3361effca3ca8fbbf0cae2161243d08326

General

Target

JaffaCakes118_a7ba1f4ba105a03dcc36657405e3bbbe.exe
Size

1.6MB
MD5

a7ba1f4ba105a03dcc36657405e3bbbe
SHA1

1443c1276bf9f814b411d16f89fa3858908df830
SHA256

54dc3229416589043ea0d5a86c3aee3361effca3ca8fbbf0cae2161243d08326
SHA512

54c588bae54f948392d7caa3cc216cbf9c842cb591517e49e54f8ca64098b080766357dbad90bb41a0c987af493758834fca0bac3443fd892fb2eb6f51ed6cde
SSDEEP

24576:UOjsAei64moCmy9MNA1V4UOLMZ8DkcKg9X3CkF1w8T1+J86F/uq3Mo6ZYoatE:UJNWC/OALYG1co2W8T1+J86F/Fgr

Score

10^/10

darkcomet discovery rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	test.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JaffaCakes118_a7ba1f4ba105a03dcc36657405e3bbbe.exe

Executes dropped EXE 1 IoCs

pid	Process
964	test.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	test.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	test.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	test.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	test.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	test.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JaffaCakes118_a7ba1f4ba105a03dcc36657405e3bbbe.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	964	test.exe
Token: SeSecurityPrivilege	964	test.exe
Token: SeTakeOwnershipPrivilege	964	test.exe
Token: SeLoadDriverPrivilege	964	test.exe
Token: SeSystemProfilePrivilege	964	test.exe
Token: SeSystemtimePrivilege	964	test.exe
Token: SeProfSingleProcessPrivilege	964	test.exe
Token: SeIncBasePriorityPrivilege	964	test.exe
Token: SeCreatePagefilePrivilege	964	test.exe
Token: SeBackupPrivilege	964	test.exe
Token: SeRestorePrivilege	964	test.exe
Token: SeShutdownPrivilege	964	test.exe
Token: SeDebugPrivilege	964	test.exe
Token: SeSystemEnvironmentPrivilege	964	test.exe
Token: SeChangeNotifyPrivilege	964	test.exe
Token: SeRemoteShutdownPrivilege	964	test.exe
Token: SeUndockPrivilege	964	test.exe
Token: SeManageVolumePrivilege	964	test.exe
Token: SeImpersonatePrivilege	964	test.exe
Token: SeCreateGlobalPrivilege	964	test.exe
Token: 33	964	test.exe
Token: 34	964	test.exe
Token: 35	964	test.exe
Token: 36	964	test.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
964	test.exe
5100	javaw.exe
5100	javaw.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4792 wrote to memory of 964	4792	JaffaCakes118_a7ba1f4ba105a03dcc36657405e3bbbe.exe	82
PID 4792 wrote to memory of 964	4792	JaffaCakes118_a7ba1f4ba105a03dcc36657405e3bbbe.exe	82
PID 4792 wrote to memory of 964	4792	JaffaCakes118_a7ba1f4ba105a03dcc36657405e3bbbe.exe	82
PID 4792 wrote to memory of 5100	4792	JaffaCakes118_a7ba1f4ba105a03dcc36657405e3bbbe.exe	83
PID 4792 wrote to memory of 5100	4792	JaffaCakes118_a7ba1f4ba105a03dcc36657405e3bbbe.exe	83

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a7ba1f4ba105a03dcc36657405e3bbbe.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a7ba1f4ba105a03dcc36657405e3bbbe.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Users\Admin\AppData\Local\Temp\test.exe
  "C:\Users\Admin\AppData\Local\Temp\test.exe"
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:964
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\MyCraft.jar"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:5100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

4

T1012

System Information Discovery

5

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MyCraft.jar

Filesize
596KB

MD5
7a8df1b32bde284dd82df292bbde9876

SHA1
f806eaea3afec63468895231f79c4f976608ef9c

SHA256
77fefa714a4f94e709353f22d9c935e0f999c50cc6b8bf754539e72d4aefd489

SHA512
f41dc65ec81dc93c0116949c613ca67c0be68c3dc0419b75cf9c7375aa2b98bd472c0acff86ee44309efa9c9e8bb30cbcc9ffea99d0ee7bcfe35b19cc9c8c788

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
658KB

MD5
4221a81ba51f34c6a7ecbc444c1ed9ba

SHA1
746a74c20615e16c71520f7e6a1bf1e4b6b72cdb

SHA256
77dba0b4e832682329b572c9f8948fc8f5c503166fb30df0c799a0454954699f

SHA512
e746c1e0af7ba88e25e4b0a73f2b820e1bb27360df30b9d8bbe2e82c18f180d3a9db1b6bec3dd00d3ab4597032b8ef24d902b1b1d372ca03d107f3a6bc2ffb6f

Download Submit
memory/964-41-0x0000000013140000-0x00000000131F6000-memory.dmp

Filesize
728KB

Download
memory/964-36-0x0000000013140000-0x00000000131F6000-memory.dmp

Filesize
728KB

Download
memory/964-49-0x0000000013140000-0x00000000131F6000-memory.dmp

Filesize
728KB

Download
memory/964-47-0x0000000013140000-0x00000000131F6000-memory.dmp

Filesize
728KB

Download
memory/964-45-0x0000000013140000-0x00000000131F6000-memory.dmp

Filesize
728KB

Download
memory/964-43-0x0000000013140000-0x00000000131F6000-memory.dmp

Filesize
728KB

Download
memory/964-39-0x0000000013140000-0x00000000131F6000-memory.dmp

Filesize
728KB

Download
memory/4792-18-0x00007FF82BE50000-0x00007FF82C911000-memory.dmp

Filesize
10.8MB

Download
memory/4792-0-0x00007FF82BE53000-0x00007FF82BE55000-memory.dmp

Filesize
8KB

Download
memory/4792-10-0x00007FF82BE50000-0x00007FF82C911000-memory.dmp

Filesize
10.8MB

Download
memory/4792-1-0x0000000000750000-0x00000000008FA000-memory.dmp

Filesize
1.7MB

Download
memory/5100-37-0x0000025182B80000-0x0000025182DF0000-memory.dmp

Filesize
2.4MB

Download
memory/5100-34-0x00000251812C0000-0x00000251812C1000-memory.dmp

Filesize
4KB

Download
memory/5100-31-0x00000251812C0000-0x00000251812C1000-memory.dmp

Filesize
4KB

Download
memory/5100-17-0x0000025182B80000-0x0000025182DF0000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads