darkcomet | 6dbc41a48a41c991800d78eb2bd7231512830620880febda4a17e75c4f438a56

General

Target

JaffaCakes118_c52d6bfcb18b48ce0976886fc1c60967.exe
Size

930KB
MD5

c52d6bfcb18b48ce0976886fc1c60967
SHA1

da6575713f50dae6e3ea4fac5aaf0d983c351171
SHA256

6dbc41a48a41c991800d78eb2bd7231512830620880febda4a17e75c4f438a56
SHA512

dc764e1d42bf9a74b5ac14be8ba01c1dfcf013456b2d403bf0e3616a440a5f124fde0909f207eeb02de3ebdad5e65425fb7f86ac204c6e3090ceb8973a19e0e0
SSDEEP

24576:KZ1xuVVjfFoynPaVBUR8f+kN10EBxYAGrW:aQDgok30bAz

Score

10^/10

darkcomet guest16 discovery rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

jesusiscool.no-ip.biz:1604

Mutex

DC_MUTEX-2MFKDUD

Attributes

gencode
hR4kwDNMtXyi
install
false
offline_keylogger
true
persistence
false

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Executes dropped EXE 1 IoCs

pid	Process
2540	BIT.EXE

Loads dropped DLL 2 IoCs

pid	Process
2100	JaffaCakes118_c52d6bfcb18b48ce0976886fc1c60967.exe
2100	JaffaCakes118_c52d6bfcb18b48ce0976886fc1c60967.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c52d6bfcb18b48ce0976886fc1c60967.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BIT.EXE

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2100	JaffaCakes118_c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeSecurityPrivilege	2100	JaffaCakes118_c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeTakeOwnershipPrivilege	2100	JaffaCakes118_c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeLoadDriverPrivilege	2100	JaffaCakes118_c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeSystemProfilePrivilege	2100	JaffaCakes118_c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeSystemtimePrivilege	2100	JaffaCakes118_c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeProfSingleProcessPrivilege	2100	JaffaCakes118_c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeIncBasePriorityPrivilege	2100	JaffaCakes118_c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeCreatePagefilePrivilege	2100	JaffaCakes118_c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeBackupPrivilege	2100	JaffaCakes118_c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeRestorePrivilege	2100	JaffaCakes118_c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeShutdownPrivilege	2100	JaffaCakes118_c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeDebugPrivilege	2100	JaffaCakes118_c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeSystemEnvironmentPrivilege	2100	JaffaCakes118_c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeChangeNotifyPrivilege	2100	JaffaCakes118_c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeRemoteShutdownPrivilege	2100	JaffaCakes118_c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeUndockPrivilege	2100	JaffaCakes118_c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeManageVolumePrivilege	2100	JaffaCakes118_c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeImpersonatePrivilege	2100	JaffaCakes118_c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeCreateGlobalPrivilege	2100	JaffaCakes118_c52d6bfcb18b48ce0976886fc1c60967.exe
Token: 33	2100	JaffaCakes118_c52d6bfcb18b48ce0976886fc1c60967.exe
Token: 34	2100	JaffaCakes118_c52d6bfcb18b48ce0976886fc1c60967.exe
Token: 35	2100	JaffaCakes118_c52d6bfcb18b48ce0976886fc1c60967.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2100	JaffaCakes118_c52d6bfcb18b48ce0976886fc1c60967.exe
1708	javaw.exe
1708	javaw.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2540	2100	JaffaCakes118_c52d6bfcb18b48ce0976886fc1c60967.exe	30
PID 2100 wrote to memory of 2540	2100	JaffaCakes118_c52d6bfcb18b48ce0976886fc1c60967.exe	30
PID 2100 wrote to memory of 2540	2100	JaffaCakes118_c52d6bfcb18b48ce0976886fc1c60967.exe	30
PID 2100 wrote to memory of 2540	2100	JaffaCakes118_c52d6bfcb18b48ce0976886fc1c60967.exe	30
PID 2540 wrote to memory of 1708	2540	BIT.EXE	31
PID 2540 wrote to memory of 1708	2540	BIT.EXE	31
PID 2540 wrote to memory of 1708	2540	BIT.EXE	31
PID 2540 wrote to memory of 1708	2540	BIT.EXE	31

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c52d6bfcb18b48ce0976886fc1c60967.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c52d6bfcb18b48ce0976886fc1c60967.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Users\Admin\AppData\Local\Temp\BIT.EXE
  "C:\Users\Admin\AppData\Local\Temp\BIT.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Program Files\Java\jre7\bin\javaw.exe
    "C:\Program Files\Java\jre7\bin\javaw.exe" -Xms512m -Xmx1024m -jar "C:\Users\Admin\AppData\Local\Temp\BIT.EXE"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\BIT.EXE

Filesize
272KB

MD5
f3af9e6be544b4a28b2abff08292cde6

SHA1
ce72c12d42135bf9951570f54f8c97d2cd9ea297

SHA256
96ff47ed3a6ee136f5ba1e14ae20f1cc95c20747db444e4b6ed66ef3fe7d7679

SHA512
d84aea057738519472cec5128e1efb32cf18f49ba18942ac46ceecf62ce86a803f95151bc3f9e9860484a27beeaf08c076a6838c2279af40cd1307a93c7be85b

Download Submit
memory/1708-46-0x00000000002B0000-0x00000000002BA000-memory.dmp

Filesize
40KB

Download
memory/1708-47-0x00000000002B0000-0x00000000002BA000-memory.dmp

Filesize
40KB

Download
memory/1708-14-0x00000000026A0000-0x0000000002910000-memory.dmp

Filesize
2.4MB

Download
memory/1708-26-0x00000000002B0000-0x00000000002BA000-memory.dmp

Filesize
40KB

Download
memory/1708-25-0x00000000002B0000-0x00000000002BA000-memory.dmp

Filesize
40KB

Download
memory/1708-37-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1708-44-0x00000000026A0000-0x0000000002910000-memory.dmp

Filesize
2.4MB

Download
memory/2100-49-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2100-52-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2100-45-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2100-48-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2100-0-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2100-50-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2100-51-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2100-61-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2100-54-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2100-55-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2100-56-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2100-57-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2100-58-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2100-59-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2100-60-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2540-10-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing