darkcomet | 0664a9ba60ad6c321e661734db809b2260a306def2b53eba9c6f0b178fdbd110

General

Target

JaffaCakes118_23d32d31de62b9b83320fb0a3f6df6b6.exe
Size

1.6MB
MD5

23d32d31de62b9b83320fb0a3f6df6b6
SHA1

f590b0d018d80bf75212f2c816876d9cc22c9445
SHA256

0664a9ba60ad6c321e661734db809b2260a306def2b53eba9c6f0b178fdbd110
SHA512

ee9a93e909638c3e02d2f9d400962e0c5908242faf8fb66977847f959e3064b60a6a1202918f704fb16248ec6cc1db738b73ca9ad3aeab49f41b872346aec512
SSDEEP

24576:c7I1CObop4dRTa5hqY+pTdFinK64NAqGteyj:cc1zo/5hqYz4NAqGteE

Score

10^/10

darkcomet victim discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Attributes

gencode
install
false
offline_keylogger
false
persistence
false

rc4.plain

Extracted

Family

darkcomet

Botnet

Victim

C2

loris1234.zapto.org:3345

Mutex

DC_MUTEX-15WL27C

Attributes

InstallPath
system32\svhost64.exe
gencode
b4SbGmRJXP%U
install
true
offline_keylogger
true
persistence
false
reg_key
svhost

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\system32\\svhost64.exe"	vbc.exe

Executes dropped EXE 1 IoCs

pid	Process
3004	svhost64.exe

Loads dropped DLL 1 IoCs

pid	Process
2804	vbc.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\DirectX Runtime = "C:\\Users\\Admin\\AppData\\Roaming\\lPiRQQcM5mBU.exe"	JaffaCakes118_23d32d31de62b9b83320fb0a3f6df6b6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Windows\\system32\\system32\\svhost64.exe"	vbc.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system32\svhost64.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\system32\svhost64.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\system32\	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2792 set thread context of 2804	2792	JaffaCakes118_23d32d31de62b9b83320fb0a3f6df6b6.exe	29

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_23d32d31de62b9b83320fb0a3f6df6b6.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2804	vbc.exe
Token: SeSecurityPrivilege	2804	vbc.exe
Token: SeTakeOwnershipPrivilege	2804	vbc.exe
Token: SeLoadDriverPrivilege	2804	vbc.exe
Token: SeSystemProfilePrivilege	2804	vbc.exe
Token: SeSystemtimePrivilege	2804	vbc.exe
Token: SeProfSingleProcessPrivilege	2804	vbc.exe
Token: SeIncBasePriorityPrivilege	2804	vbc.exe
Token: SeCreatePagefilePrivilege	2804	vbc.exe
Token: SeBackupPrivilege	2804	vbc.exe
Token: SeRestorePrivilege	2804	vbc.exe
Token: SeShutdownPrivilege	2804	vbc.exe
Token: SeDebugPrivilege	2804	vbc.exe
Token: SeSystemEnvironmentPrivilege	2804	vbc.exe
Token: SeChangeNotifyPrivilege	2804	vbc.exe
Token: SeRemoteShutdownPrivilege	2804	vbc.exe
Token: SeUndockPrivilege	2804	vbc.exe
Token: SeManageVolumePrivilege	2804	vbc.exe
Token: SeImpersonatePrivilege	2804	vbc.exe
Token: SeCreateGlobalPrivilege	2804	vbc.exe
Token: 33	2804	vbc.exe
Token: 34	2804	vbc.exe
Token: 35	2804	vbc.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2804	2792	JaffaCakes118_23d32d31de62b9b83320fb0a3f6df6b6.exe	29
PID 2792 wrote to memory of 2804	2792	JaffaCakes118_23d32d31de62b9b83320fb0a3f6df6b6.exe	29
PID 2792 wrote to memory of 2804	2792	JaffaCakes118_23d32d31de62b9b83320fb0a3f6df6b6.exe	29
PID 2792 wrote to memory of 2804	2792	JaffaCakes118_23d32d31de62b9b83320fb0a3f6df6b6.exe	29
PID 2792 wrote to memory of 2804	2792	JaffaCakes118_23d32d31de62b9b83320fb0a3f6df6b6.exe	29
PID 2792 wrote to memory of 2804	2792	JaffaCakes118_23d32d31de62b9b83320fb0a3f6df6b6.exe	29
PID 2792 wrote to memory of 2804	2792	JaffaCakes118_23d32d31de62b9b83320fb0a3f6df6b6.exe	29
PID 2792 wrote to memory of 2804	2792	JaffaCakes118_23d32d31de62b9b83320fb0a3f6df6b6.exe	29
PID 2792 wrote to memory of 2804	2792	JaffaCakes118_23d32d31de62b9b83320fb0a3f6df6b6.exe	29
PID 2792 wrote to memory of 2804	2792	JaffaCakes118_23d32d31de62b9b83320fb0a3f6df6b6.exe	29
PID 2792 wrote to memory of 2804	2792	JaffaCakes118_23d32d31de62b9b83320fb0a3f6df6b6.exe	29
PID 2792 wrote to memory of 2804	2792	JaffaCakes118_23d32d31de62b9b83320fb0a3f6df6b6.exe	29
PID 2792 wrote to memory of 2804	2792	JaffaCakes118_23d32d31de62b9b83320fb0a3f6df6b6.exe	29
PID 2804 wrote to memory of 3004	2804	vbc.exe	30
PID 2804 wrote to memory of 3004	2804	vbc.exe	30
PID 2804 wrote to memory of 3004	2804	vbc.exe	30
PID 2804 wrote to memory of 3004	2804	vbc.exe	30

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_23d32d31de62b9b83320fb0a3f6df6b6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_23d32d31de62b9b83320fb0a3f6df6b6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\SysWOW64\system32\svhost64.exe
    "C:\Windows\system32\system32\svhost64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\system32\svhost64.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
memory/2792-22-0x00000000745E0000-0x0000000074B8B000-memory.dmp

Filesize
5.7MB

Download
memory/2792-1-0x00000000745E0000-0x0000000074B8B000-memory.dmp

Filesize
5.7MB

Download
memory/2792-4-0x00000000745E0000-0x0000000074B8B000-memory.dmp

Filesize
5.7MB

Download
memory/2792-0-0x00000000745E1000-0x00000000745E2000-memory.dmp

Filesize
4KB

Download
memory/2804-14-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2804-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2804-20-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2804-16-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2804-23-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2804-12-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2804-10-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2804-21-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2804-9-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2804-25-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2804-24-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2804-7-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2804-11-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2804-5-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2804-35-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads