darkcomet | 9e2c30c43202b34750a786441451ee0daa6b01dbcf6092e4987daf32fdf61088

General

Target

JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe
Size

902KB
MD5

8f54fb212d78920e037e2955bf6b454b
SHA1

10901b97e5388b53a5d0f611f21760730d0207d5
SHA256

9e2c30c43202b34750a786441451ee0daa6b01dbcf6092e4987daf32fdf61088
SHA512

be857da48c0de4f1ff29be364b75e161a6c3c8cf4bcdaac635a57429bf75f5affab27b456c269781cbd2cb559440b9e7eb6f546d09626858d18555586b4a96c8
SSDEEP

12288:qzEJ/nmBx/rEp5PNoGVhUSwmcCfv+F/RoouiGsR+a:2Snsrw1TV2pCO/RxuZha

Score

10^/10

darkcomet squeal discovery rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

squeal

C2

myronsqueal.no-ip.biz:1610

Mutex

DC_MUTEX-CQWEFBJ

Attributes

gencode
2jkoKMSjkGrH
install
false
offline_keylogger
true
persistence
false

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b1.exe

Executes dropped EXE 2 IoCs

pid	Process
1860	vbc.exe
1156	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b1.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5916 set thread context of 1860	5916	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe	92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b1.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1860	vbc.exe
Token: SeSecurityPrivilege	1860	vbc.exe
Token: SeTakeOwnershipPrivilege	1860	vbc.exe
Token: SeLoadDriverPrivilege	1860	vbc.exe
Token: SeSystemProfilePrivilege	1860	vbc.exe
Token: SeSystemtimePrivilege	1860	vbc.exe
Token: SeProfSingleProcessPrivilege	1860	vbc.exe
Token: SeIncBasePriorityPrivilege	1860	vbc.exe
Token: SeCreatePagefilePrivilege	1860	vbc.exe
Token: SeBackupPrivilege	1860	vbc.exe
Token: SeRestorePrivilege	1860	vbc.exe
Token: SeShutdownPrivilege	1860	vbc.exe
Token: SeDebugPrivilege	1860	vbc.exe
Token: SeSystemEnvironmentPrivilege	1860	vbc.exe
Token: SeChangeNotifyPrivilege	1860	vbc.exe
Token: SeRemoteShutdownPrivilege	1860	vbc.exe
Token: SeUndockPrivilege	1860	vbc.exe
Token: SeManageVolumePrivilege	1860	vbc.exe
Token: SeImpersonatePrivilege	1860	vbc.exe
Token: SeCreateGlobalPrivilege	1860	vbc.exe
Token: 33	1860	vbc.exe
Token: 34	1860	vbc.exe
Token: 35	1860	vbc.exe
Token: 36	1860	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1860	vbc.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 5916 wrote to memory of 1860	5916	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe	92
PID 5916 wrote to memory of 1860	5916	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe	92
PID 5916 wrote to memory of 1860	5916	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe	92
PID 5916 wrote to memory of 1860	5916	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe	92
PID 5916 wrote to memory of 1860	5916	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe	92
PID 5916 wrote to memory of 1860	5916	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe	92
PID 5916 wrote to memory of 1860	5916	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe	92
PID 5916 wrote to memory of 1860	5916	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe	92
PID 5916 wrote to memory of 1860	5916	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe	92
PID 5916 wrote to memory of 1860	5916	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe	92
PID 5916 wrote to memory of 1860	5916	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe	92
PID 5916 wrote to memory of 1860	5916	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe	92
PID 5916 wrote to memory of 1860	5916	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe	92
PID 5916 wrote to memory of 1860	5916	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe	92
PID 5916 wrote to memory of 4804	5916	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe	93
PID 5916 wrote to memory of 4804	5916	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe	93
PID 5916 wrote to memory of 4804	5916	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe	93
PID 4804 wrote to memory of 4444	4804	vbc.exe	95
PID 4804 wrote to memory of 4444	4804	vbc.exe	95
PID 4804 wrote to memory of 4444	4804	vbc.exe	95
PID 5916 wrote to memory of 1156	5916	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe	96
PID 5916 wrote to memory of 1156	5916	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe	96
PID 5916 wrote to memory of 1156	5916	JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe	96

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5916
- C:\Users\Admin\AppData\Local\Temp\plugtemp\vbc.exe
  C:\Users\Admin\AppData\Local\Temp\\plugtemp\vbc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1860
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\f-zvo-ke.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4804
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8A10.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7166A181E5D4D15802AD1494CAD573D.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4444
- C:\Users\Admin\AppData\Roaming\JaffaCakes118_8f54fb212d78920e037e2955bf6b454b1.exe
  "C:\Users\Admin\AppData\Roaming\JaffaCakes118_8f54fb212d78920e037e2955bf6b454b1.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8A10.tmp

Filesize
1KB

MD5
e3e1c43dbbe75a62df1f9869f2bb82a4

SHA1
9942e8172021e9ed8fe01eeaeb7da7321d38b4b0

SHA256
161862388b3a06a0620062d4b6cf7b239e4388195b9ce5fae4b591a8e8ff10db

SHA512
137eebc18e24a0a9f642c5008ed4ac84e63ef6930667be279125c40efe14c899c120b2b48049b80284927ecb597e895f979017382760c49a425fdecb36332e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f-zvo-ke.0.vb

Filesize
338B

MD5
80e101703238d5b7001f997e3c9d1600

SHA1
7b51bc16b1b3045d45bbe1065f34f53e0a2a5845

SHA256
54621975248f58d5d1230dac98cc55e768a9d0e7c696e8836200fcb44213c60c

SHA512
bd7a2ebc6bed8fd27e514b60a486d3518da589cbe22a5970c0ee8d33785b1dc58916b28e2c6a0a62386c3cda40dab99b6fc99ed9766b084337be1d5da1abc12f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f-zvo-ke.cmdline

Filesize
235B

MD5
6512727f4b44ac17e636089aeb93b20b

SHA1
68698ac045d3fe4a02cb8e71b648f0cc55b4932f

SHA256
1ffe30e4ba02c52df7ee2b80e49407543eb5dfd2be698977b1151ad463c1cd53

SHA512
e1e52d5e8aa384d19ed23358d2c0d4e5cb15ade1b7ffcacc7152ee5ae474cb6fa39a1b8488f3f747adabb66b4e69c6b6f784aaea83dd33c0cd269ddc754214c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\plugtemp\vbc.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7166A181E5D4D15802AD1494CAD573D.TMP

Filesize
804B

MD5
784d8e0338a82ceea694340022a2019b

SHA1
cee7f494f9775545526949df7fff0b96f87b0624

SHA256
69c9417b53d11bffeff04c93cbe2b80d33d5fbc875ea168dd54a5c633367cd88

SHA512
d3906e9fd49fcdbf4f7613ba3dca568f42c076ed5ac3b33131e57cb07f5d38f8f7ee43115c543879dd84f3439e5ffd661cd386c04b2d331b2dc0a2f6466d6cc2

Download Submit
C:\Users\Admin\AppData\Roaming\JaffaCakes118_8f54fb212d78920e037e2955bf6b454b.exe

Filesize
902KB

MD5
8f54fb212d78920e037e2955bf6b454b

SHA1
10901b97e5388b53a5d0f611f21760730d0207d5

SHA256
9e2c30c43202b34750a786441451ee0daa6b01dbcf6092e4987daf32fdf61088

SHA512
be857da48c0de4f1ff29be364b75e161a6c3c8cf4bcdaac635a57429bf75f5affab27b456c269781cbd2cb559440b9e7eb6f546d09626858d18555586b4a96c8

Download Submit
C:\Users\Admin\AppData\Roaming\JaffaCakes118_8f54fb212d78920e037e2955bf6b454b1.exe

Filesize
6KB

MD5
ca17ad2ed58135e30c845b3a2a1d0f8f

SHA1
feb3bd6d3001ab5c0630c102584a021f999161c7

SHA256
de52aefd0b70cce549182fc920974d178ef3800cafe5e53a7700ff14c1221fb4

SHA512
98d65ede99b35da99cdaff3810a9c0e69d073586c27fc79dd5d28e292fa7c6e096b9ef599728623830823c54e8d773c1725f33ff4ade0e110332a4faab61455a

Download Submit
memory/1860-14-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1860-39-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1860-15-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1860-13-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/1860-12-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1860-51-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1860-10-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1860-9-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1860-6-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1860-50-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1860-49-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1860-48-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1860-38-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1860-47-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1860-40-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1860-41-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1860-42-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1860-43-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1860-44-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1860-45-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1860-46-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4804-21-0x0000000000790000-0x00000000007A0000-memory.dmp

Filesize
64KB

Download
memory/5916-0-0x0000000074FF2000-0x0000000074FF3000-memory.dmp

Filesize
4KB

Download
memory/5916-37-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/5916-1-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/5916-2-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing