darkcomet | 16a3594451a28ecd761dac457bd0c69e64da7cc757c7738a20f8b038f81884fc

General

Target

JaffaCakes118_bad08d05cda85012139b65ae76b480d9.exe
Size

541KB
MD5

bad08d05cda85012139b65ae76b480d9
SHA1

8afc8334c4ab0622e7dd7d5b6d5f5fccd6d098e9
SHA256

16a3594451a28ecd761dac457bd0c69e64da7cc757c7738a20f8b038f81884fc
SHA512

d264ff0797f883f15dd9fe6da0a2e4ca9ba561aa6d4cc5c1bc9d87de44b972e80b73976221555b1eb5eefbf1ac218c42d30e578df480655366a61a3ecfabfd88
SSDEEP

12288:XMmiZtBK5o8aJOveyr5hP5N7iwRMbnWdnI:XTizB0R2KP5N7iwR39I

Score

10^/10

darkcomet guest16 defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

tf25.zapto.org:1604

Mutex

DC_MUTEX-GWP842Q

Attributes

gencode
z/vWloEgu2ap
install
false
offline_keylogger
true
password
dropplace
persistence
false

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Disables RegEdit via registry modification 1 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Facebook brake 2.0.exe

Disables Task Manager via registry modification
defense_evasion

Downloads MZ/PE file 1 IoCs

flow	pid	Process
41	2216	Process not Found

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000\Control Panel\International\Geo\Nation	JaffaCakes118_bad08d05cda85012139b65ae76b480d9.exe

Executes dropped EXE 2 IoCs

pid	Process
4884	Facebook brake 2.0.exe
4388	dll45.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runner99 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\runner38.exe\""	Facebook brake 2.0.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4884 set thread context of 4388	4884	Facebook brake 2.0.exe	88

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LimeWire\Shared\Steam-Hack.exe	Facebook brake 2.0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2924	4388	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Facebook brake 2.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_bad08d05cda85012139b65ae76b480d9.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1856	MicrosoftEdgeUpdate.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 636 wrote to memory of 4884	636	JaffaCakes118_bad08d05cda85012139b65ae76b480d9.exe	86
PID 636 wrote to memory of 4884	636	JaffaCakes118_bad08d05cda85012139b65ae76b480d9.exe	86
PID 636 wrote to memory of 4884	636	JaffaCakes118_bad08d05cda85012139b65ae76b480d9.exe	86
PID 4884 wrote to memory of 4388	4884	Facebook brake 2.0.exe	88
PID 4884 wrote to memory of 4388	4884	Facebook brake 2.0.exe	88
PID 4884 wrote to memory of 4388	4884	Facebook brake 2.0.exe	88
PID 4884 wrote to memory of 4388	4884	Facebook brake 2.0.exe	88
PID 4884 wrote to memory of 4388	4884	Facebook brake 2.0.exe	88
PID 4884 wrote to memory of 4388	4884	Facebook brake 2.0.exe	88
PID 4884 wrote to memory of 4388	4884	Facebook brake 2.0.exe	88
PID 4884 wrote to memory of 4388	4884	Facebook brake 2.0.exe	88
PID 4884 wrote to memory of 4388	4884	Facebook brake 2.0.exe	88
PID 4884 wrote to memory of 4388	4884	Facebook brake 2.0.exe	88
PID 4884 wrote to memory of 4388	4884	Facebook brake 2.0.exe	88
PID 4884 wrote to memory of 4388	4884	Facebook brake 2.0.exe	88
PID 4884 wrote to memory of 4388	4884	Facebook brake 2.0.exe	88
PID 4884 wrote to memory of 4388	4884	Facebook brake 2.0.exe	88

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bad08d05cda85012139b65ae76b480d9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bad08d05cda85012139b65ae76b480d9.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:636
- C:\Users\Admin\AppData\Local\Temp\Facebook brake 2.0.exe
  "C:\Users\Admin\AppData\Local\Temp\Facebook brake 2.0.exe"
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4884
- - C:\Users\Admin\AppData\Local\Temp\dll45.exe
    C:\Users\Admin\AppData\Local\Temp\dll45.exe
    3⤵
    - Executes dropped EXE
    PID:4388
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 12
      4⤵
      Program crash
      PID:2924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4388 -ip 4388
1⤵
PID:1020

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MjhCM0Q0MDMtMkFBQS00NEQ2LTgwODgtMTMwMEJGRTc3MEM4fSIgdXNlcmlkPSJ7MzE0Mjc1NTAtNDdCMi00M0E3LUE0MDgtRkU3NDgyODA5MjFBfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RUJGNDIyOTUtRDA1Ni00MDQ5LUFGNDAtRUZEQ0NDRUFDNDNBfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5ODUiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODQ0NDQzNjAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTA3Mzk3ODY3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Facebook brake 2.0.exe

Filesize
932KB

MD5
57f6910d11c63081b44344ba5fd4471d

SHA1
6365bad183948a0c1e57c550fb83125f84108113

SHA256
f3d84c8cbb75c6b172986f26ee6ae92cc02e7453762f34a06880f1495eee6213

SHA512
a203b035ccfdcc9b71c65f4d0b6e7caf53e8668fd4914513f36a1af75d0c61cea0137484e902086dba0ecc3e7713bc926e4aa0ffbbb1f52fc8c9a15eb34d6f2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll45.exe

Filesize
7KB

MD5
d79efb472a22ad75d501317b21e66b5e

SHA1
24512f54884d3dda2d803457bbd3dcd513356196

SHA256
7255b1d1f001b9d9a5177e1f8063bcc824effe3570e6c19508babe12bb73c7d6

SHA512
7c5a2f516a727ddeb05f9a7c6565375debb05709ac9b95212fc748cba37a2ab81b7d727636141096e4511679ce140b07b37fdf36cfb47d8d1c8accdd24163ae5

Download Submit
memory/4388-16-0x0000000013140000-0x00000000131F6000-memory.dmp

Filesize
728KB

Download
memory/4884-11-0x0000000073BB2000-0x0000000073BB3000-memory.dmp

Filesize
4KB

Download
memory/4884-12-0x0000000073BB0000-0x0000000074161000-memory.dmp

Filesize
5.7MB

Download
memory/4884-13-0x0000000073BB0000-0x0000000074161000-memory.dmp

Filesize
5.7MB

Download
memory/4884-22-0x0000000073BB0000-0x0000000074161000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads