darkcomet | 10291c9688d1b2c6b06cd10c5ef4e7a8e8d19e5b445d0f7cacae8a920b5a1bfe

General

Target

JaffaCakes118_b83040da3f1807b70073995b76f404fb.exe
Size

1.1MB
MD5

b83040da3f1807b70073995b76f404fb
SHA1

9b1710d570ad771bd0a193f046133757765ab2f6
SHA256

10291c9688d1b2c6b06cd10c5ef4e7a8e8d19e5b445d0f7cacae8a920b5a1bfe
SHA512

7f6f9762556e752c96e0a0b27644f03e57c5a535da1cd78a4db9d794d0be5ae711f3f61138f46f42a20a39faa7977e77f45351a672db11946cbffe3638db71b5
SSDEEP

12288:AVPFrG3e4v9x8ar3sIBR9ewSOHFMpdYNOQX7Tuz1UJSac:4keE9War3sIBR9eEl40OAl1c

Score

10^/10

darkcomet altri x discovery rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Altri x

C2

jani1991.no-ip.org:1604

Mutex

DC_MUTEX-0RF6295

Attributes

gencode
v1BAksQG+Lzi
install
false
offline_keylogger
true
password
jani1991bmw31991
persistence
false

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Executes dropped EXE 1 IoCs

pid	Process
2916	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
2388	JaffaCakes118_b83040da3f1807b70073995b76f404fb.exe

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	JaffaCakes118_b83040da3f1807b70073995b76f404fb.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2388 set thread context of 2916	2388	JaffaCakes118_b83040da3f1807b70073995b76f404fb.exe	30
PID 2916 set thread context of 2732	2916	svchost.exe	31

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2916-17-0x0000000000400000-0x00000000004F9000-memory.dmp	upx
behavioral1/memory/2916-19-0x0000000000400000-0x00000000004F9000-memory.dmp	upx
behavioral1/memory/2916-23-0x0000000000400000-0x00000000004F9000-memory.dmp	upx
behavioral1/memory/2916-22-0x0000000000400000-0x00000000004F9000-memory.dmp	upx
behavioral1/memory/2916-21-0x0000000000400000-0x00000000004F9000-memory.dmp	upx
behavioral1/memory/2916-28-0x0000000000400000-0x00000000004F9000-memory.dmp	upx
behavioral1/memory/2916-20-0x0000000000400000-0x00000000004F9000-memory.dmp	upx
behavioral1/memory/2916-11-0x0000000000400000-0x00000000004F9000-memory.dmp	upx
behavioral1/memory/2916-13-0x0000000000400000-0x00000000004F9000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b83040da3f1807b70073995b76f404fb.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2916	svchost.exe
Token: SeSecurityPrivilege	2916	svchost.exe
Token: SeTakeOwnershipPrivilege	2916	svchost.exe
Token: SeLoadDriverPrivilege	2916	svchost.exe
Token: SeSystemProfilePrivilege	2916	svchost.exe
Token: SeSystemtimePrivilege	2916	svchost.exe
Token: SeProfSingleProcessPrivilege	2916	svchost.exe
Token: SeIncBasePriorityPrivilege	2916	svchost.exe
Token: SeCreatePagefilePrivilege	2916	svchost.exe
Token: SeBackupPrivilege	2916	svchost.exe
Token: SeRestorePrivilege	2916	svchost.exe
Token: SeShutdownPrivilege	2916	svchost.exe
Token: SeDebugPrivilege	2916	svchost.exe
Token: SeSystemEnvironmentPrivilege	2916	svchost.exe
Token: SeChangeNotifyPrivilege	2916	svchost.exe
Token: SeRemoteShutdownPrivilege	2916	svchost.exe
Token: SeUndockPrivilege	2916	svchost.exe
Token: SeManageVolumePrivilege	2916	svchost.exe
Token: SeImpersonatePrivilege	2916	svchost.exe
Token: SeCreateGlobalPrivilege	2916	svchost.exe
Token: 33	2916	svchost.exe
Token: 34	2916	svchost.exe
Token: 35	2916	svchost.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2916	2388	JaffaCakes118_b83040da3f1807b70073995b76f404fb.exe	30
PID 2388 wrote to memory of 2916	2388	JaffaCakes118_b83040da3f1807b70073995b76f404fb.exe	30
PID 2388 wrote to memory of 2916	2388	JaffaCakes118_b83040da3f1807b70073995b76f404fb.exe	30
PID 2388 wrote to memory of 2916	2388	JaffaCakes118_b83040da3f1807b70073995b76f404fb.exe	30
PID 2388 wrote to memory of 2916	2388	JaffaCakes118_b83040da3f1807b70073995b76f404fb.exe	30
PID 2388 wrote to memory of 2916	2388	JaffaCakes118_b83040da3f1807b70073995b76f404fb.exe	30
PID 2388 wrote to memory of 2916	2388	JaffaCakes118_b83040da3f1807b70073995b76f404fb.exe	30
PID 2388 wrote to memory of 2916	2388	JaffaCakes118_b83040da3f1807b70073995b76f404fb.exe	30
PID 2916 wrote to memory of 2732	2916	svchost.exe	31
PID 2916 wrote to memory of 2732	2916	svchost.exe	31
PID 2916 wrote to memory of 2732	2916	svchost.exe	31
PID 2916 wrote to memory of 2732	2916	svchost.exe	31
PID 2916 wrote to memory of 2732	2916	svchost.exe	31
PID 2916 wrote to memory of 2732	2916	svchost.exe	31

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b83040da3f1807b70073995b76f404fb.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b83040da3f1807b70073995b76f404fb.exe"
1⤵
- Loads dropped DLL
- Drops autorun.inf file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
memory/2388-1-0x0000000074010000-0x00000000745BB000-memory.dmp

Filesize
5.7MB

Download
memory/2388-2-0x0000000074010000-0x00000000745BB000-memory.dmp

Filesize
5.7MB

Download
memory/2388-3-0x0000000074010000-0x00000000745BB000-memory.dmp

Filesize
5.7MB

Download
memory/2388-0-0x0000000074011000-0x0000000074012000-memory.dmp

Filesize
4KB

Download
memory/2388-32-0x0000000002010000-0x0000000002050000-memory.dmp

Filesize
256KB

Download
memory/2388-31-0x0000000074010000-0x00000000745BB000-memory.dmp

Filesize
5.7MB

Download
memory/2388-30-0x0000000074010000-0x00000000745BB000-memory.dmp

Filesize
5.7MB

Download
memory/2388-29-0x0000000002010000-0x0000000002050000-memory.dmp

Filesize
256KB

Download
memory/2732-25-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2916-17-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2916-28-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2916-20-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2916-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2916-11-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2916-9-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2916-13-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2916-21-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2916-22-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2916-23-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2916-19-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads