darkcomet | 9e2c30c43202b34750a786441451ee0daa6b01dbcf6092e4987daf32fdf61088

General

Target

JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe
Size

902KB
MD5

8f54fb212d78920e037e2955bf6b454b
SHA1

10901b97e5388b53a5d0f611f21760730d0207d5
SHA256

9e2c30c43202b34750a786441451ee0daa6b01dbcf6092e4987daf32fdf61088
SHA512

be857da48c0de4f1ff29be364b75e161a6c3c8cf4bcdaac635a57429bf75f5affab27b456c269781cbd2cb559440b9e7eb6f546d09626858d18555586b4a96c8
SSDEEP

12288:qzEJ/nmBx/rEp5PNoGVhUSwmcCfv+F/RoouiGsR+a:2Snsrw1TV2pCO/RxuZha

Score

10^/10

darkcomet squeal discovery rat trojan

Malware Config

Extracted

Family

darkcomet

Attributes

gencode
install
false
offline_keylogger
false
persistence
false

rc4.plain

Extracted

Family

darkcomet

Botnet

squeal

C2

myronsqueal.no-ip.biz:1610

Mutex

DC_MUTEX-CQWEFBJ

Attributes

gencode
2jkoKMSjkGrH
install
false
offline_keylogger
true
persistence
false

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b1.exe

Executes dropped EXE 2 IoCs

pid	Process
2852	vbc.exe
2860	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b1.exe

Loads dropped DLL 3 IoCs

pid	Process
1996	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe
1996	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe
1996	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1996 set thread context of 2852	1996	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2852	vbc.exe
Token: SeSecurityPrivilege	2852	vbc.exe
Token: SeTakeOwnershipPrivilege	2852	vbc.exe
Token: SeLoadDriverPrivilege	2852	vbc.exe
Token: SeSystemProfilePrivilege	2852	vbc.exe
Token: SeSystemtimePrivilege	2852	vbc.exe
Token: SeProfSingleProcessPrivilege	2852	vbc.exe
Token: SeIncBasePriorityPrivilege	2852	vbc.exe
Token: SeCreatePagefilePrivilege	2852	vbc.exe
Token: SeBackupPrivilege	2852	vbc.exe
Token: SeRestorePrivilege	2852	vbc.exe
Token: SeShutdownPrivilege	2852	vbc.exe
Token: SeDebugPrivilege	2852	vbc.exe
Token: SeSystemEnvironmentPrivilege	2852	vbc.exe
Token: SeChangeNotifyPrivilege	2852	vbc.exe
Token: SeRemoteShutdownPrivilege	2852	vbc.exe
Token: SeUndockPrivilege	2852	vbc.exe
Token: SeManageVolumePrivilege	2852	vbc.exe
Token: SeImpersonatePrivilege	2852	vbc.exe
Token: SeCreateGlobalPrivilege	2852	vbc.exe
Token: 33	2852	vbc.exe
Token: 34	2852	vbc.exe
Token: 35	2852	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2852	vbc.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 2852	1996	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe	29
PID 1996 wrote to memory of 2852	1996	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe	29
PID 1996 wrote to memory of 2852	1996	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe	29
PID 1996 wrote to memory of 2852	1996	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe	29
PID 1996 wrote to memory of 2852	1996	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe	29
PID 1996 wrote to memory of 2852	1996	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe	29
PID 1996 wrote to memory of 2852	1996	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe	29
PID 1996 wrote to memory of 2852	1996	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe	29
PID 1996 wrote to memory of 2852	1996	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe	29
PID 1996 wrote to memory of 2852	1996	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe	29
PID 1996 wrote to memory of 2852	1996	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe	29
PID 1996 wrote to memory of 2852	1996	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe	29
PID 1996 wrote to memory of 2852	1996	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe	29
PID 1996 wrote to memory of 2884	1996	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe	30
PID 1996 wrote to memory of 2884	1996	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe	30
PID 1996 wrote to memory of 2884	1996	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe	30
PID 1996 wrote to memory of 2884	1996	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe	30
PID 2884 wrote to memory of 3048	2884	vbc.exe	32
PID 2884 wrote to memory of 3048	2884	vbc.exe	32
PID 2884 wrote to memory of 3048	2884	vbc.exe	32
PID 2884 wrote to memory of 3048	2884	vbc.exe	32
PID 1996 wrote to memory of 2860	1996	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe	33
PID 1996 wrote to memory of 2860	1996	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe	33
PID 1996 wrote to memory of 2860	1996	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe	33
PID 1996 wrote to memory of 2860	1996	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Users\Admin\AppData\Local\Temp\plugtemp\vbc.exe
  C:\Users\Admin\AppData\Local\Temp\\plugtemp\vbc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2852
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u-b3bqax.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7ADC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7ADB.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3048
- C:\Users\Admin\AppData\Roaming\JaffaCakes118_8f54fb212d78920e037e2955bf6b454b1.exe
  "C:\Users\Admin\AppData\Roaming\JaffaCakes118_8f54fb212d78920e037e2955bf6b454b1.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7ADC.tmp

Filesize
1KB

MD5
ea876be9ddb9979e33e547cd02b80163

SHA1
02d70381c594be6ec05e0897895e7b3bcda57974

SHA256
c1079e1a2a45ce85e6a434e98238bb063b40827c89de2801d449f2976c4d9b43

SHA512
e933c7b4e6328e4e7f3dc8df84f53a4e803b76f1c59753f69ca7e69750101f9c7aafb928fb95418a4e93b42c576bb77c0d2421d57d8a2432ea93c68607ab3224

Download Submit
C:\Users\Admin\AppData\Local\Temp\u-b3bqax.0.vb

Filesize
338B

MD5
80e101703238d5b7001f997e3c9d1600

SHA1
7b51bc16b1b3045d45bbe1065f34f53e0a2a5845

SHA256
54621975248f58d5d1230dac98cc55e768a9d0e7c696e8836200fcb44213c60c

SHA512
bd7a2ebc6bed8fd27e514b60a486d3518da589cbe22a5970c0ee8d33785b1dc58916b28e2c6a0a62386c3cda40dab99b6fc99ed9766b084337be1d5da1abc12f

Download Submit
C:\Users\Admin\AppData\Local\Temp\u-b3bqax.cmdline

Filesize
235B

MD5
024f6f85a3b9dd4f32fbebea837b4676

SHA1
17d39c08d4169247c8117e7dc080c76ecf390265

SHA256
0939b5731974cde74a154575fffaa530cf4325b9deb27dd7a0de6626e038be52

SHA512
5bc2f996d5aa4b33d85fc2b82950217dbdd6ab2980a74a1d5eba6ecb9fb562625edb400e30840274ecb0246970f4e81ffb5aa5c6f0cf86e07ceb07a20bb90405

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7ADB.tmp

Filesize
804B

MD5
784d8e0338a82ceea694340022a2019b

SHA1
cee7f494f9775545526949df7fff0b96f87b0624

SHA256
69c9417b53d11bffeff04c93cbe2b80d33d5fbc875ea168dd54a5c633367cd88

SHA512
d3906e9fd49fcdbf4f7613ba3dca568f42c076ed5ac3b33131e57cb07f5d38f8f7ee43115c543879dd84f3439e5ffd661cd386c04b2d331b2dc0a2f6466d6cc2

Download Submit
C:\Users\Admin\AppData\Roaming\JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe

Filesize
902KB

MD5
8f54fb212d78920e037e2955bf6b454b

SHA1
10901b97e5388b53a5d0f611f21760730d0207d5

SHA256
9e2c30c43202b34750a786441451ee0daa6b01dbcf6092e4987daf32fdf61088

SHA512
be857da48c0de4f1ff29be364b75e161a6c3c8cf4bcdaac635a57429bf75f5affab27b456c269781cbd2cb559440b9e7eb6f546d09626858d18555586b4a96c8

Download Submit
C:\Users\Admin\AppData\Roaming\JaffaCakes118_8f54fb212d78920e037e2955bf6b454b1.exe

Filesize
6KB

MD5
c8f361faf5f8bcb413ccffb89da2f07a

SHA1
4eba40e68e5cee3bff4f9adfe23062138c297185

SHA256
70394bebbde50472c18d8c76dc527d984d02eba24553c2166c51583a0019a0b0

SHA512
7bd6b28e2afbeca45e5b31d499ba9cd027af159186eb52b242822c8f8e45634500e29d09f63319705a2ff6434e95ff503132f12c11e34b6e7a44b1a62e9ad83d

Download Submit
\Users\Admin\AppData\Local\Temp\plugtemp\vbc.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
memory/1996-1-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/1996-2-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/1996-0-0x00000000747D1000-0x00000000747D2000-memory.dmp

Filesize
4KB

Download
memory/1996-49-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/2852-53-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2852-23-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2852-9-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2852-8-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2852-24-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2852-25-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2852-27-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2852-26-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2852-11-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2852-63-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2852-12-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2852-13-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2852-15-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2852-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2852-21-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2852-10-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2852-50-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2852-51-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2852-52-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2852-17-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2852-54-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2852-55-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2852-56-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2852-57-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2852-58-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2852-59-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2852-60-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2852-61-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2852-62-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2884-33-0x00000000002C0000-0x0000000000300000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads