darkcomet | 74a2da8d3576ca4a987fa614fac3fd11c46f93b7194c2ab9c323d64b2fed29ae

General

Target

JaffaCakes118_eb96880c4199d7db8d42a39b64978983.exe
Size

414KB
MD5

eb96880c4199d7db8d42a39b64978983
SHA1

44973d46007abb46d4c3b59de11230cc65d35451
SHA256

74a2da8d3576ca4a987fa614fac3fd11c46f93b7194c2ab9c323d64b2fed29ae
SHA512

a9009a160cc63720602e3997d94d7c278f2373aff0796ff81312de42a680e4d86f0d3cf4590cde7e46ea09194ddefedc315b3de81ff74549e9a24302599ed884
SSDEEP

6144:WInhFaPHkxxhebwH8CH0HMXHhDMktjZ9hA15/nX9oP9c+UPnG3v/kGa2PPPPPPPN:WSQPo3ei8CXGa9O5/Ic+UU/

Score

10^/10

darkcomet victims discovery rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Victims

C2

184.77.150.121:1604

Mutex

DC_MUTEX-ULL6L39

Attributes

gencode
n-ix#1usu2B3
install
false
offline_keylogger
true
persistence
false

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Executes dropped EXE 1 IoCs

pid	Process
2084	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
1724	JaffaCakes118_eb96880c4199d7db8d42a39b64978983.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1724 set thread context of 2084	1724	JaffaCakes118_eb96880c4199d7db8d42a39b64978983.exe	30

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2084-15-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2084-16-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2084-13-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2084-10-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2084-9-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2084-22-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2084-24-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2084-23-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2084-28-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2084-27-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2084-26-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2084-29-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2084-32-0x0000000000400000-0x00000000004C9000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_eb96880c4199d7db8d42a39b64978983.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	1724	JaffaCakes118_eb96880c4199d7db8d42a39b64978983.exe
Token: SeIncreaseQuotaPrivilege	2084	svchost.exe
Token: SeSecurityPrivilege	2084	svchost.exe
Token: SeTakeOwnershipPrivilege	2084	svchost.exe
Token: SeLoadDriverPrivilege	2084	svchost.exe
Token: SeSystemProfilePrivilege	2084	svchost.exe
Token: SeSystemtimePrivilege	2084	svchost.exe
Token: SeProfSingleProcessPrivilege	2084	svchost.exe
Token: SeIncBasePriorityPrivilege	2084	svchost.exe
Token: SeCreatePagefilePrivilege	2084	svchost.exe
Token: SeBackupPrivilege	2084	svchost.exe
Token: SeRestorePrivilege	2084	svchost.exe
Token: SeShutdownPrivilege	2084	svchost.exe
Token: SeDebugPrivilege	2084	svchost.exe
Token: SeSystemEnvironmentPrivilege	2084	svchost.exe
Token: SeChangeNotifyPrivilege	2084	svchost.exe
Token: SeRemoteShutdownPrivilege	2084	svchost.exe
Token: SeUndockPrivilege	2084	svchost.exe
Token: SeManageVolumePrivilege	2084	svchost.exe
Token: SeImpersonatePrivilege	2084	svchost.exe
Token: SeCreateGlobalPrivilege	2084	svchost.exe
Token: 33	2084	svchost.exe
Token: 34	2084	svchost.exe
Token: 35	2084	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2084	svchost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 2084	1724	JaffaCakes118_eb96880c4199d7db8d42a39b64978983.exe	30
PID 1724 wrote to memory of 2084	1724	JaffaCakes118_eb96880c4199d7db8d42a39b64978983.exe	30
PID 1724 wrote to memory of 2084	1724	JaffaCakes118_eb96880c4199d7db8d42a39b64978983.exe	30
PID 1724 wrote to memory of 2084	1724	JaffaCakes118_eb96880c4199d7db8d42a39b64978983.exe	30
PID 1724 wrote to memory of 2084	1724	JaffaCakes118_eb96880c4199d7db8d42a39b64978983.exe	30
PID 1724 wrote to memory of 2084	1724	JaffaCakes118_eb96880c4199d7db8d42a39b64978983.exe	30
PID 1724 wrote to memory of 2084	1724	JaffaCakes118_eb96880c4199d7db8d42a39b64978983.exe	30
PID 1724 wrote to memory of 2084	1724	JaffaCakes118_eb96880c4199d7db8d42a39b64978983.exe	30

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_eb96880c4199d7db8d42a39b64978983.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_eb96880c4199d7db8d42a39b64978983.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\svchost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
memory/1724-0-0x0000000074B91000-0x0000000074B92000-memory.dmp

Filesize
4KB

Download
memory/1724-1-0x0000000074B90000-0x000000007513B000-memory.dmp

Filesize
5.7MB

Download
memory/1724-2-0x0000000074B90000-0x000000007513B000-memory.dmp

Filesize
5.7MB

Download
memory/1724-21-0x0000000074B90000-0x000000007513B000-memory.dmp

Filesize
5.7MB

Download
memory/2084-9-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2084-22-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2084-13-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2084-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2084-10-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2084-15-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2084-8-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2084-16-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2084-24-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2084-25-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2084-23-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2084-28-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2084-27-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2084-26-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2084-29-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2084-32-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download

Analysis

Sharing