darkcomet | e2640f3dd84067bb41f2e7da1c7271b9694b896e98a6020d167326260602cea2

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-04-2024 09:00

Target

f9f6310d89cc57d7429b123c838beb65_JaffaCakes118.exe
Size

696KB
MD5

f9f6310d89cc57d7429b123c838beb65
SHA1

40671d539c16fa39d7f4843d7379ac7aae968ac4
SHA256

e2640f3dd84067bb41f2e7da1c7271b9694b896e98a6020d167326260602cea2
SHA512

0927e6251cfc3fab40ceaa2a7974f44d6cb410e9f0d7a02339fc971e6ac8f8317406e34deec9e8046a22be974541469314c3217c8d8bb45884aa53767f4fca56
SSDEEP

12288:0RDu8FEhfT0cPBOdt4KOFxQxduHSR3xdaRRPTZn5HPDeuOrOUl+66nBuOPy/3qxT:hZYDO6QHY3ctNcbOA+66nBLPy/6

Score

10^/10

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Executes dropped EXE 1 IoCs

Processes:

bla.exe

pid	Process
2116	bla.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

f9f6310d89cc57d7429b123c838beb65_JaffaCakes118.exe

description	pid	Process
Token: SeDebugPrivilege	1760	f9f6310d89cc57d7429b123c838beb65_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

f9f6310d89cc57d7429b123c838beb65_JaffaCakes118.exe

description	pid	Process	procid_target
PID 1760 wrote to memory of 2116	1760	f9f6310d89cc57d7429b123c838beb65_JaffaCakes118.exe	28
PID 1760 wrote to memory of 2116	1760	f9f6310d89cc57d7429b123c838beb65_JaffaCakes118.exe	28
PID 1760 wrote to memory of 2116	1760	f9f6310d89cc57d7429b123c838beb65_JaffaCakes118.exe	28
PID 1760 wrote to memory of 2116	1760	f9f6310d89cc57d7429b123c838beb65_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\f9f6310d89cc57d7429b123c838beb65_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f9f6310d89cc57d7429b123c838beb65_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Users\Admin\AppData\Local\Temp\bla.exe
  C:\Users\Admin\AppData\Local\Temp\bla.exe
  2⤵
  - Executes dropped EXE
  PID:2116

C:\Users\Admin\AppData\Local\Temp\bla.exe

Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
memory/1760-0-0x00000000002C0000-0x00000000002CA000-memory.dmp

Filesize
40KB

Download
memory/1760-2-0x0000000000670000-0x0000000000724000-memory.dmp

Filesize
720KB

Download
memory/1760-7-0x000007FEF4F50000-0x000007FEF58ED000-memory.dmp

Filesize
9.6MB

Download
memory/1760-6-0x000007FEF4F50000-0x000007FEF58ED000-memory.dmp

Filesize
9.6MB

Download
memory/1760-8-0x000007FEF4F50000-0x000007FEF58ED000-memory.dmp

Filesize
9.6MB

Download