darkcomet | 7037f9ea42263f85da3ccd54e16a95a3417a3db1da692672163735b6cad0a2d3

General

Target

JaffaCakes118_b8ce1d14c5983543caf2def9c78b5bad.exe
Size

1.4MB
MD5

b8ce1d14c5983543caf2def9c78b5bad
SHA1

7365a3e3decd53671e6bccb7a663bcadb22023ed
SHA256

7037f9ea42263f85da3ccd54e16a95a3417a3db1da692672163735b6cad0a2d3
SHA512

e5d1b708d5103abe68c05751670aa8356b5c9bc9a0d82a447f73f534f56e7188f90a1066e6aee31e65cd16754b14abbab9fc4a3e2e51da83905c3b9c7e029125
SSDEEP

24576:2VHgzHgUNbkqy/hmOT3nbWmJVJFwSddIXvfhqbiaxvRxq9X:wHgzHgUNghpamdZdcBYW

Score

10^/10

darkcomet guest16 discovery rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

folces.no-ip.biz:1604

Mutex

DC_MUTEX-F54S21D

Attributes

gencode
sv8f9ZKX677A
install
false
offline_keylogger
true
persistence
false

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	JaffaCakes118_b8ce1d14c5983543caf2def9c78b5bad.exe

Executes dropped EXE 1 IoCs

pid	Process
3368	adsdaqeqw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b8ce1d14c5983543caf2def9c78b5bad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adsdaqeqw.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3368	adsdaqeqw.exe
Token: SeSecurityPrivilege	3368	adsdaqeqw.exe
Token: SeTakeOwnershipPrivilege	3368	adsdaqeqw.exe
Token: SeLoadDriverPrivilege	3368	adsdaqeqw.exe
Token: SeSystemProfilePrivilege	3368	adsdaqeqw.exe
Token: SeSystemtimePrivilege	3368	adsdaqeqw.exe
Token: SeProfSingleProcessPrivilege	3368	adsdaqeqw.exe
Token: SeIncBasePriorityPrivilege	3368	adsdaqeqw.exe
Token: SeCreatePagefilePrivilege	3368	adsdaqeqw.exe
Token: SeBackupPrivilege	3368	adsdaqeqw.exe
Token: SeRestorePrivilege	3368	adsdaqeqw.exe
Token: SeShutdownPrivilege	3368	adsdaqeqw.exe
Token: SeDebugPrivilege	3368	adsdaqeqw.exe
Token: SeSystemEnvironmentPrivilege	3368	adsdaqeqw.exe
Token: SeChangeNotifyPrivilege	3368	adsdaqeqw.exe
Token: SeRemoteShutdownPrivilege	3368	adsdaqeqw.exe
Token: SeUndockPrivilege	3368	adsdaqeqw.exe
Token: SeManageVolumePrivilege	3368	adsdaqeqw.exe
Token: SeImpersonatePrivilege	3368	adsdaqeqw.exe
Token: SeCreateGlobalPrivilege	3368	adsdaqeqw.exe
Token: 33	3368	adsdaqeqw.exe
Token: 34	3368	adsdaqeqw.exe
Token: 35	3368	adsdaqeqw.exe
Token: 36	3368	adsdaqeqw.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
632	JaffaCakes118_b8ce1d14c5983543caf2def9c78b5bad.exe
3368	adsdaqeqw.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 632 wrote to memory of 3368	632	JaffaCakes118_b8ce1d14c5983543caf2def9c78b5bad.exe	87
PID 632 wrote to memory of 3368	632	JaffaCakes118_b8ce1d14c5983543caf2def9c78b5bad.exe	87
PID 632 wrote to memory of 3368	632	JaffaCakes118_b8ce1d14c5983543caf2def9c78b5bad.exe	87
PID 3368 wrote to memory of 4956	3368	adsdaqeqw.exe	95
PID 3368 wrote to memory of 4956	3368	adsdaqeqw.exe	95
PID 3368 wrote to memory of 4956	3368	adsdaqeqw.exe	95
PID 3368 wrote to memory of 5076	3368	adsdaqeqw.exe	96
PID 3368 wrote to memory of 5076	3368	adsdaqeqw.exe	96

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b8ce1d14c5983543caf2def9c78b5bad.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b8ce1d14c5983543caf2def9c78b5bad.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:632
- C:\Users\Admin\AppData\Local\Temp\adsdaqeqw.exe
  "C:\Users\Admin\AppData\Local\Temp\adsdaqeqw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3368
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:4956
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    PID:5076

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\adsdaqeqw.exe

Filesize
820KB

MD5
0f7677b8ce7e81ce31423735db5a978d

SHA1
6d3c4d3e2513bccc7cd7e7e25a69a6e79725f923

SHA256
37b13596a549e49ada7696bfa2053b507b7fe7151028973a32bc0a0e099e7dd7

SHA512
4fafc7a34b2ce0c508e9fdc7bb95e083f70b308511569a30f48e1e6e13d366a93a48c2fed6ff50e4d10812e84e11f549032ce1c9942b3e73ac08200862773089

Download Submit
memory/3368-13-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/3368-15-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/3368-14-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/3368-16-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/3368-17-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/3368-18-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/3368-19-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/3368-20-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/3368-21-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/3368-22-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/3368-23-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/3368-24-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/3368-25-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/3368-26-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/3368-27-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/3368-28-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download

Analysis

Sharing