darkcomet | 26c087a30ff5843dd5cd9fa5f0077cc8550f698f0e63de15637023596dd383ca

General

Target

JaffaCakes118_b72e3f8de2208c223f1b3c43bc33c40f.exe
Size

1.1MB
MD5

b72e3f8de2208c223f1b3c43bc33c40f
SHA1

60e5fca492812730972e01e15c24554ad07d1712
SHA256

26c087a30ff5843dd5cd9fa5f0077cc8550f698f0e63de15637023596dd383ca
SHA512

a5d23404716c9d0e8cf934465d57eecf36e3a5f3033eb12e4fc13c73d561b54573a7e87c047c599837d605de9f1fb9b4df8837315f1c792c631668557b2e5588
SSDEEP

12288:fkq2lbFpfgjxFRpQqrfd0MzmUOLhnK2higmjQlQHeQ1ag4fobbcAIPJm6Lbagtbf:f8yjtxqLhnphigwQljAb0xjaeFb

Score

10^/10

darkcomet testguest discovery rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

TestGuest

C2

ernesc.no-ip.biz:4662

Mutex

DC_MUTEX-EGAZCCU

Attributes

gencode
NDJLcwT5ytCM
install
false
offline_keylogger
true
password
h8you
persistence
false

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	JaffaCakes118_b72e3f8de2208c223f1b3c43bc33c40f.exe

Executes dropped EXE 2 IoCs

pid	Process
3596	test.exe
2184	Cbu0LKaed2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbu0LKaed2.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3596	test.exe
Token: SeSecurityPrivilege	3596	test.exe
Token: SeTakeOwnershipPrivilege	3596	test.exe
Token: SeLoadDriverPrivilege	3596	test.exe
Token: SeSystemProfilePrivilege	3596	test.exe
Token: SeSystemtimePrivilege	3596	test.exe
Token: SeProfSingleProcessPrivilege	3596	test.exe
Token: SeIncBasePriorityPrivilege	3596	test.exe
Token: SeCreatePagefilePrivilege	3596	test.exe
Token: SeBackupPrivilege	3596	test.exe
Token: SeRestorePrivilege	3596	test.exe
Token: SeShutdownPrivilege	3596	test.exe
Token: SeDebugPrivilege	3596	test.exe
Token: SeSystemEnvironmentPrivilege	3596	test.exe
Token: SeChangeNotifyPrivilege	3596	test.exe
Token: SeRemoteShutdownPrivilege	3596	test.exe
Token: SeUndockPrivilege	3596	test.exe
Token: SeManageVolumePrivilege	3596	test.exe
Token: SeImpersonatePrivilege	3596	test.exe
Token: SeCreateGlobalPrivilege	3596	test.exe
Token: 33	3596	test.exe
Token: 34	3596	test.exe
Token: 35	3596	test.exe
Token: 36	3596	test.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2184	Cbu0LKaed2.exe
3596	test.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 3596	1596	JaffaCakes118_b72e3f8de2208c223f1b3c43bc33c40f.exe	82
PID 1596 wrote to memory of 3596	1596	JaffaCakes118_b72e3f8de2208c223f1b3c43bc33c40f.exe	82
PID 1596 wrote to memory of 3596	1596	JaffaCakes118_b72e3f8de2208c223f1b3c43bc33c40f.exe	82
PID 1596 wrote to memory of 2184	1596	JaffaCakes118_b72e3f8de2208c223f1b3c43bc33c40f.exe	83
PID 1596 wrote to memory of 2184	1596	JaffaCakes118_b72e3f8de2208c223f1b3c43bc33c40f.exe	83
PID 1596 wrote to memory of 2184	1596	JaffaCakes118_b72e3f8de2208c223f1b3c43bc33c40f.exe	83

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b72e3f8de2208c223f1b3c43bc33c40f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b72e3f8de2208c223f1b3c43bc33c40f.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Users\Admin\AppData\Local\Temp\test.exe
  "C:\Users\Admin\AppData\Local\Temp\test.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3596
- C:\Users\Admin\AppData\Local\Temp\Cbu0LKaed2.exe
  "C:\Users\Admin\AppData\Local\Temp\Cbu0LKaed2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cbu0LKaed2.exe

Filesize
116KB

MD5
b91f5313b805288e436bdad4afd15574

SHA1
6e878dea806a05322a6b523d4a2cba52d5446a34

SHA256
069f607b3668329354a660f8e770514f485f02a0a7f157073cd8af5316de46f0

SHA512
c51eba941ce3aec4a362b97940e4b1528d047a0d2937e50ca0101a28f3b82a5336b09e524a9fd7509ef156ee143da15b25128a00428f0b019de5502262a46eed

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
690KB

MD5
8a366a4debf63551bdbbc4cac5a5658d

SHA1
1006fd750fc633f42aba9ba3d3c5cd4f0d117b78

SHA256
f58a05a8af6129d96092fb1bf6dd3037a333a573325ccbfd5ab69b37b13d5e6e

SHA512
d856ddf53b44b8bbe39cc922c8d93b95fc3a25ce9dce2c7fa9127d3f21c3b788ab0b10602533cc3f2dc38bf028bebf4ea1952538cfd77cba2452081a99b42baf

Download Submit
memory/1596-35-0x00007FF81A400000-0x00007FF81ADA1000-memory.dmp

Filesize
9.6MB

Download
memory/1596-0-0x00007FF81A6B5000-0x00007FF81A6B6000-memory.dmp

Filesize
4KB

Download
memory/1596-4-0x000000001C990000-0x000000001CA2C000-memory.dmp

Filesize
624KB

Download
memory/1596-5-0x00007FF81A400000-0x00007FF81ADA1000-memory.dmp

Filesize
9.6MB

Download
memory/1596-6-0x00000000016B0000-0x00000000016B8000-memory.dmp

Filesize
32KB

Download
memory/1596-7-0x000000001CA80000-0x000000001CACC000-memory.dmp

Filesize
304KB

Download
memory/1596-8-0x00007FF81A400000-0x00007FF81ADA1000-memory.dmp

Filesize
9.6MB

Download
memory/1596-2-0x00007FF81A400000-0x00007FF81ADA1000-memory.dmp

Filesize
9.6MB

Download
memory/1596-1-0x000000001BE10000-0x000000001BEB6000-memory.dmp

Filesize
664KB

Download
memory/1596-3-0x000000001C420000-0x000000001C8EE000-memory.dmp

Filesize
4.8MB

Download
memory/3596-46-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3596-42-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3596-33-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/3596-39-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3596-37-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3596-40-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3596-41-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3596-36-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3596-43-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3596-44-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3596-45-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3596-38-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3596-47-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3596-48-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3596-49-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download

Analysis

Sharing