darkcomet | 26c087a30ff5843dd5cd9fa5f0077cc8550f698f0e63de15637023596dd383ca

General

Target

JaffaCakes118_b72e3f8de2208c223f1b3c43bc33c40f.exe
Size

1.1MB
MD5

b72e3f8de2208c223f1b3c43bc33c40f
SHA1

60e5fca492812730972e01e15c24554ad07d1712
SHA256

26c087a30ff5843dd5cd9fa5f0077cc8550f698f0e63de15637023596dd383ca
SHA512

a5d23404716c9d0e8cf934465d57eecf36e3a5f3033eb12e4fc13c73d561b54573a7e87c047c599837d605de9f1fb9b4df8837315f1c792c631668557b2e5588
SSDEEP

12288:fkq2lbFpfgjxFRpQqrfd0MzmUOLhnK2higmjQlQHeQ1ag4fobbcAIPJm6Lbagtbf:f8yjtxqLhnphigwQljAb0xjaeFb

Score

10^/10

darkcomet testguest discovery rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

TestGuest

C2

ernesc.no-ip.biz:4662

Mutex

DC_MUTEX-EGAZCCU

Attributes

gencode
NDJLcwT5ytCM
install
false
offline_keylogger
true
password
h8you
persistence
false

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Executes dropped EXE 2 IoCs

pid	Process
2928	test.exe
2780	Cbu0LKaed2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbu0LKaed2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2928	test.exe
Token: SeSecurityPrivilege	2928	test.exe
Token: SeTakeOwnershipPrivilege	2928	test.exe
Token: SeLoadDriverPrivilege	2928	test.exe
Token: SeSystemProfilePrivilege	2928	test.exe
Token: SeSystemtimePrivilege	2928	test.exe
Token: SeProfSingleProcessPrivilege	2928	test.exe
Token: SeIncBasePriorityPrivilege	2928	test.exe
Token: SeCreatePagefilePrivilege	2928	test.exe
Token: SeBackupPrivilege	2928	test.exe
Token: SeRestorePrivilege	2928	test.exe
Token: SeShutdownPrivilege	2928	test.exe
Token: SeDebugPrivilege	2928	test.exe
Token: SeSystemEnvironmentPrivilege	2928	test.exe
Token: SeChangeNotifyPrivilege	2928	test.exe
Token: SeRemoteShutdownPrivilege	2928	test.exe
Token: SeUndockPrivilege	2928	test.exe
Token: SeManageVolumePrivilege	2928	test.exe
Token: SeImpersonatePrivilege	2928	test.exe
Token: SeCreateGlobalPrivilege	2928	test.exe
Token: 33	2928	test.exe
Token: 34	2928	test.exe
Token: 35	2928	test.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2780	Cbu0LKaed2.exe
2928	test.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2928	2124	JaffaCakes118_b72e3f8de2208c223f1b3c43bc33c40f.exe	30
PID 2124 wrote to memory of 2928	2124	JaffaCakes118_b72e3f8de2208c223f1b3c43bc33c40f.exe	30
PID 2124 wrote to memory of 2928	2124	JaffaCakes118_b72e3f8de2208c223f1b3c43bc33c40f.exe	30
PID 2124 wrote to memory of 2928	2124	JaffaCakes118_b72e3f8de2208c223f1b3c43bc33c40f.exe	30
PID 2124 wrote to memory of 2780	2124	JaffaCakes118_b72e3f8de2208c223f1b3c43bc33c40f.exe	31
PID 2124 wrote to memory of 2780	2124	JaffaCakes118_b72e3f8de2208c223f1b3c43bc33c40f.exe	31
PID 2124 wrote to memory of 2780	2124	JaffaCakes118_b72e3f8de2208c223f1b3c43bc33c40f.exe	31
PID 2124 wrote to memory of 2780	2124	JaffaCakes118_b72e3f8de2208c223f1b3c43bc33c40f.exe	31

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b72e3f8de2208c223f1b3c43bc33c40f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b72e3f8de2208c223f1b3c43bc33c40f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Users\Admin\AppData\Local\Temp\test.exe
  "C:\Users\Admin\AppData\Local\Temp\test.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2928
- C:\Users\Admin\AppData\Local\Temp\Cbu0LKaed2.exe
  "C:\Users\Admin\AppData\Local\Temp\Cbu0LKaed2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cbu0LKaed2.exe

Filesize
116KB

MD5
b91f5313b805288e436bdad4afd15574

SHA1
6e878dea806a05322a6b523d4a2cba52d5446a34

SHA256
069f607b3668329354a660f8e770514f485f02a0a7f157073cd8af5316de46f0

SHA512
c51eba941ce3aec4a362b97940e4b1528d047a0d2937e50ca0101a28f3b82a5336b09e524a9fd7509ef156ee143da15b25128a00428f0b019de5502262a46eed

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
690KB

MD5
8a366a4debf63551bdbbc4cac5a5658d

SHA1
1006fd750fc633f42aba9ba3d3c5cd4f0d117b78

SHA256
f58a05a8af6129d96092fb1bf6dd3037a333a573325ccbfd5ab69b37b13d5e6e

SHA512
d856ddf53b44b8bbe39cc922c8d93b95fc3a25ce9dce2c7fa9127d3f21c3b788ab0b10602533cc3f2dc38bf028bebf4ea1952538cfd77cba2452081a99b42baf

Download Submit
memory/2124-22-0x000007FEF6210000-0x000007FEF6BAD000-memory.dmp

Filesize
9.6MB

Download
memory/2124-1-0x000007FEF6210000-0x000007FEF6BAD000-memory.dmp

Filesize
9.6MB

Download
memory/2124-2-0x000007FEF6210000-0x000007FEF6BAD000-memory.dmp

Filesize
9.6MB

Download
memory/2124-3-0x000007FEF6210000-0x000007FEF6BAD000-memory.dmp

Filesize
9.6MB

Download
memory/2124-0-0x000007FEF64CE000-0x000007FEF64CF000-memory.dmp

Filesize
4KB

Download
memory/2928-25-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2928-29-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2928-24-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2928-20-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2928-26-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2928-27-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2928-28-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2928-23-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2928-30-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2928-31-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2928-32-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2928-33-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2928-34-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2928-35-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2928-36-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download

Analysis

Sharing