darkcomet | 23af7f64e1144b357de5f6fcc4424592dd188ab1a6b8d55dee57cfc53e72c14d

General

Target

JaffaCakes118_b8b7fae705d458b74618156e93bc104a.exe
Size

895KB
MD5

b8b7fae705d458b74618156e93bc104a
SHA1

e09fe0f8e491decabb38b4912597f5ec813e0eee
SHA256

23af7f64e1144b357de5f6fcc4424592dd188ab1a6b8d55dee57cfc53e72c14d
SHA512

37af34ccb5a610de3e6a3d3e53cf497332c94315bd52baff14ab3f2fa614d5bfc0a73b7a9c57fed5b399e2003c929c1f6d44baa7638cb95613813b49e86facce
SSDEEP

24576:+0NLb30W+Jab44G8tBwkNQ5CjSvu5jVe4vS:fL/+JAK1

Score

10^/10

darkcomet guest16 discovery rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

pingu4host.no-ip.info:1604

Mutex

dsfgdfgTEX-0D5GL27

Attributes

gencode
GJCX9mzH1vsX
install
false
offline_keylogger
true
password
$change%$
persistence
false

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	PHJVCBC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	JaffaCakes118_b8b7fae705d458b74618156e93bc104a.exe

Executes dropped EXE 3 IoCs

pid	Process
1544	PHJVCBC.exe
220	Stage2.exe
1136	Stage1.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000e000000023a76-10.dat	upx
behavioral2/memory/1544-18-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/files/0x000400000001da39-25.dat	upx
behavioral2/memory/220-32-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral2/memory/220-36-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral2/files/0x000600000001da3c-37.dat	upx
behavioral2/memory/1136-39-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/1544-40-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/1136-42-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/1136-43-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/1136-45-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/1136-47-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/1136-49-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/1136-51-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/1136-55-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/1136-57-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/1136-59-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/1136-61-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/1136-63-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/1136-65-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/1136-67-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/1136-69-0x0000000000400000-0x00000000004E8000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PHJVCBC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Stage2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Stage1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b8b7fae705d458b74618156e93bc104a.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1136	Stage1.exe
Token: SeSecurityPrivilege	1136	Stage1.exe
Token: SeTakeOwnershipPrivilege	1136	Stage1.exe
Token: SeLoadDriverPrivilege	1136	Stage1.exe
Token: SeSystemProfilePrivilege	1136	Stage1.exe
Token: SeSystemtimePrivilege	1136	Stage1.exe
Token: SeProfSingleProcessPrivilege	1136	Stage1.exe
Token: SeIncBasePriorityPrivilege	1136	Stage1.exe
Token: SeCreatePagefilePrivilege	1136	Stage1.exe
Token: SeBackupPrivilege	1136	Stage1.exe
Token: SeRestorePrivilege	1136	Stage1.exe
Token: SeShutdownPrivilege	1136	Stage1.exe
Token: SeDebugPrivilege	1136	Stage1.exe
Token: SeSystemEnvironmentPrivilege	1136	Stage1.exe
Token: SeChangeNotifyPrivilege	1136	Stage1.exe
Token: SeRemoteShutdownPrivilege	1136	Stage1.exe
Token: SeUndockPrivilege	1136	Stage1.exe
Token: SeManageVolumePrivilege	1136	Stage1.exe
Token: SeImpersonatePrivilege	1136	Stage1.exe
Token: SeCreateGlobalPrivilege	1136	Stage1.exe
Token: 33	1136	Stage1.exe
Token: 34	1136	Stage1.exe
Token: 35	1136	Stage1.exe
Token: 36	1136	Stage1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1136	Stage1.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 1544	2840	JaffaCakes118_b8b7fae705d458b74618156e93bc104a.exe	87
PID 2840 wrote to memory of 1544	2840	JaffaCakes118_b8b7fae705d458b74618156e93bc104a.exe	87
PID 2840 wrote to memory of 1544	2840	JaffaCakes118_b8b7fae705d458b74618156e93bc104a.exe	87
PID 1544 wrote to memory of 220	1544	PHJVCBC.exe	88
PID 1544 wrote to memory of 220	1544	PHJVCBC.exe	88
PID 1544 wrote to memory of 220	1544	PHJVCBC.exe	88
PID 1544 wrote to memory of 1136	1544	PHJVCBC.exe	90
PID 1544 wrote to memory of 1136	1544	PHJVCBC.exe	90
PID 1544 wrote to memory of 1136	1544	PHJVCBC.exe	90

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b8b7fae705d458b74618156e93bc104a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b8b7fae705d458b74618156e93bc104a.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Users\Admin\AppData\Local\Temp\PHJVCBC.exe
  "C:\Users\Admin\AppData\Local\Temp\PHJVCBC.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Users\Admin\AppData\Local\Temp\Stage2.exe
    "C:\Users\Admin\AppData\Local\Temp\Stage2.exe" x -y -oC:\Users\Admin\AppData\Local\Temp -pxnq8rPMxVI87ciGwWJHxRTy3iauHcIirteOOELv3B5vkS9kJoHBUAahY1dWxj8yA
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:220
- - C:\Users\Admin\AppData\Local\Temp\Stage1.exe
    "C:\Users\Admin\AppData\Local\Temp\Stage1.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PHJVCBC.exe

Filesize
419KB

MD5
96e4408b2e0621c0e8ee2dc428e96ff1

SHA1
850aae5ca83be2f0f76ee158569b2973dd108811

SHA256
2f938184d2678b23d0196350a23f626a6a34bed29e083b4b71d5245c3ec172c7

SHA512
c6b2ee0c25898b86d2cfa474e74af2b64db21961d0ad9aa65ba0ffafebcbf6bbadb35766e9713efaec98e1d9da9388c053b46a95fe20fc766cf3c743233fa7a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stage1.exe

Filesize
349KB

MD5
8746f383c2cb6bd8b9e49303c496bd89

SHA1
9fe51a9ae66e2d50c44c1b6545d8b3e2c59112aa

SHA256
60074faa78052c9dda709df346b9666c24c4108904a2b3bdaec3d85958d0f8fc

SHA512
dd9064e8860222461eb584a2befc8d7fbfb3082cd1ee2b88287ea2c2b7f12b0e8e14fb8567e851c9f9deb35d42319382521e15cab23baedbc20e43a828f39a74

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stage2.exe

Filesize
372KB

MD5
d1fb3da78ffcb03d4314d9bdd21430c9

SHA1
bc01a5b2e98168d24ebc8bafa246f566d9b1221c

SHA256
3d88913012c8c8da56205eacfbaa686a8e37fc778575a3fc913486d146506e7f

SHA512
239dd3e33535585e5963c660bf6edc849d8c5cb2e5906eeb58aa5ea82ffb040e7a79e0e4cb3f59bb70bdf35b1382b9c70b59eb7c3fe694dc8812761552211697

Download Submit
memory/220-36-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/220-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1136-42-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1136-61-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1136-69-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1136-67-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1136-65-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1136-39-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1136-63-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1136-59-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1136-43-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1136-45-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1136-47-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1136-49-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1136-51-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1136-55-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1136-57-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1544-40-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1544-18-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2840-0-0x0000000074EB2000-0x0000000074EB3000-memory.dmp

Filesize
4KB

Download
memory/2840-20-0x0000000074EB0000-0x0000000075461000-memory.dmp

Filesize
5.7MB

Download
memory/2840-1-0x0000000074EB0000-0x0000000075461000-memory.dmp

Filesize
5.7MB

Download
memory/2840-2-0x0000000074EB0000-0x0000000075461000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing