darkcomet | ddf83a8699f5db890b48d3b29b43fc6d39f32307cd091cad965e24011d49f01a

General

Target

JaffaCakes118_bd13e46b816b8e46527a64a35b32882f.exe
Size

2.4MB
MD5

bd13e46b816b8e46527a64a35b32882f
SHA1

3e85ff50d2059b2ff2292fe2a0d1eceab0e71fcd
SHA256

ddf83a8699f5db890b48d3b29b43fc6d39f32307cd091cad965e24011d49f01a
SHA512

2ce91782f7137655567a4c9262795d6b659ae505cb5d054d9d32df0920c0607376ba15871205a4b364d64f5443226277d654ffb93ba5353005b59e0246f2b2d0
SSDEEP

24576:JM3rm7OeLqMWwmQZ9sgAZioPaWW7Ak1Op+gqYV10:JMPeLqVCU7pqb

Score

10^/10

darkcomet guest16 discovery rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

109.201.165.20:1604

Mutex

DC_MUTEX-QX9XR2U

Attributes

gencode
q-B9XY.uACb2
install
false
offline_keylogger
false
persistence
false

rc4.plain

Extracted

Family

darkcomet

Attributes

gencode
install
false
offline_keylogger
false
persistence
false

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	YusVD.exe.exe

Executes dropped EXE 1 IoCs

pid	Process
2720	YusVD.exe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YusVD.exe.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	YusVD.exe.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	YusVD.exe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	YusVD.exe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	YusVD.exe.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	YusVD.exe.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2720	YusVD.exe.exe
Token: SeSecurityPrivilege	2720	YusVD.exe.exe
Token: SeTakeOwnershipPrivilege	2720	YusVD.exe.exe
Token: SeLoadDriverPrivilege	2720	YusVD.exe.exe
Token: SeSystemProfilePrivilege	2720	YusVD.exe.exe
Token: SeSystemtimePrivilege	2720	YusVD.exe.exe
Token: SeProfSingleProcessPrivilege	2720	YusVD.exe.exe
Token: SeIncBasePriorityPrivilege	2720	YusVD.exe.exe
Token: SeCreatePagefilePrivilege	2720	YusVD.exe.exe
Token: SeBackupPrivilege	2720	YusVD.exe.exe
Token: SeRestorePrivilege	2720	YusVD.exe.exe
Token: SeShutdownPrivilege	2720	YusVD.exe.exe
Token: SeDebugPrivilege	2720	YusVD.exe.exe
Token: SeSystemEnvironmentPrivilege	2720	YusVD.exe.exe
Token: SeChangeNotifyPrivilege	2720	YusVD.exe.exe
Token: SeRemoteShutdownPrivilege	2720	YusVD.exe.exe
Token: SeUndockPrivilege	2720	YusVD.exe.exe
Token: SeManageVolumePrivilege	2720	YusVD.exe.exe
Token: SeImpersonatePrivilege	2720	YusVD.exe.exe
Token: SeCreateGlobalPrivilege	2720	YusVD.exe.exe
Token: 33	2720	YusVD.exe.exe
Token: 34	2720	YusVD.exe.exe
Token: 35	2720	YusVD.exe.exe
Token: 36	2720	YusVD.exe.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1132 wrote to memory of 2720	1132	JaffaCakes118_bd13e46b816b8e46527a64a35b32882f.exe	78
PID 1132 wrote to memory of 2720	1132	JaffaCakes118_bd13e46b816b8e46527a64a35b32882f.exe	78
PID 1132 wrote to memory of 2720	1132	JaffaCakes118_bd13e46b816b8e46527a64a35b32882f.exe	78

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bd13e46b816b8e46527a64a35b32882f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bd13e46b816b8e46527a64a35b32882f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\YusVD.exe.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\YusVD.exe.exe"
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:2720
- - C:\Users\Admin\AppData\Local\Temp\TF2 LAUNCHER.EXE
    "C:\Users\Admin\AppData\Local\Temp\TF2 LAUNCHER.EXE"
    3⤵
    PID:3612

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TF2 LAUNCHER.EXE

Filesize
188KB

MD5
cc5eaf22407f08c99e179b44a70eb476

SHA1
026430ab40c09fe9981a27f9761c62dbd18d5c89

SHA256
733c3d64ad6f31612f74703e3955829c5d0fe8b9be1e6f1c10b5c94e474f82ea

SHA512
db2e01d204d091674f3e463f13ae3f311eba60b82e9d2e8e17ed798539a66996df9ff857a6b5062b934ddbd623d76dac5075a399a6c45528449867815fe28fda

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\YusVD.exe.exe

Filesize
901KB

MD5
31e20b958da9ae4b32150e20eea434ef

SHA1
22437440df649d201222e24a098f94bdd1971954

SHA256
9ea3a8020fb5612a4fa6db45154f109786afe2fd8a929298b7cd6cdb23ec1eac

SHA512
90e47c318a18175a41d72da87a0e09429cbfe98709d2efe32194943457bb49fa9807e283bdbc2646393ca3d33b1418761484640d19a0b94a80ff9104c19b07e7

Download Submit
memory/1132-1-0x00007FFEF8F70000-0x00007FFEF9911000-memory.dmp

Filesize
9.6MB

Download
memory/1132-2-0x000000001BEE0000-0x000000001BF86000-memory.dmp

Filesize
664KB

Download
memory/1132-4-0x00007FFEF8F70000-0x00007FFEF9911000-memory.dmp

Filesize
9.6MB

Download
memory/1132-13-0x00007FFEF8F70000-0x00007FFEF9911000-memory.dmp

Filesize
9.6MB

Download
memory/1132-0-0x00007FFEF9225000-0x00007FFEF9226000-memory.dmp

Filesize
4KB

Download
memory/2720-36-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2720-31-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/2720-32-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2720-34-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2720-14-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/2720-38-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2720-40-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2720-42-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2720-45-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3612-26-0x0000000000F50000-0x0000000000F60000-memory.dmp

Filesize
64KB

Download
memory/3612-27-0x000000001BC10000-0x000000001C0DE000-memory.dmp

Filesize
4.8MB

Download
memory/3612-28-0x000000001B600000-0x000000001B69C000-memory.dmp

Filesize
624KB

Download
memory/3612-29-0x0000000000EB0000-0x0000000000EB8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads