darkcomet | ef9c6d7b0bc00a929df36270d65002fcdfdd234fc5fc220c7fdf9d23a14a2a43

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20-04-2024 03:20

Target

fbd00ae632c571ccb70fddb7879fd191_JaffaCakes118.exe
Size

684KB
MD5

fbd00ae632c571ccb70fddb7879fd191
SHA1

65dae1b2b58bdd65fff041ac5ed0c877b9614ea6
SHA256

ef9c6d7b0bc00a929df36270d65002fcdfdd234fc5fc220c7fdf9d23a14a2a43
SHA512

4e1a99da7fa1689f678bdbc45cf3dd5b3daafb7c1761f41af769cdae4bb889eee74de398e1a2479b4becc09a239eed9ae1e01bcb35ac4137bcc4b69df05575f5
SSDEEP

12288:7W6dg0huGaQG+aMOWnTJ8KioqUX4HcDhU4hICNTCUXG9Wpzx:i6dg0hpaQG3wn9DpDot4QUXGA

Score

10^/10

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid	Process
2724	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

fbd00ae632c571ccb70fddb7879fd191_JaffaCakes118.exe

description	pid	Process
Token: SeDebugPrivilege	2176	fbd00ae632c571ccb70fddb7879fd191_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

fbd00ae632c571ccb70fddb7879fd191_JaffaCakes118.exe

description	pid	Process	procid_target
PID 2176 wrote to memory of 2724	2176	fbd00ae632c571ccb70fddb7879fd191_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2724	2176	fbd00ae632c571ccb70fddb7879fd191_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2724	2176	fbd00ae632c571ccb70fddb7879fd191_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2724	2176	fbd00ae632c571ccb70fddb7879fd191_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\fbd00ae632c571ccb70fddb7879fd191_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fbd00ae632c571ccb70fddb7879fd191_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:2724

C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
memory/2176-0-0x0000000000570000-0x000000000057A000-memory.dmp

Filesize
40KB

Download
memory/2176-3-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

Filesize
9.6MB

Download
memory/2176-2-0x000000001AEB0000-0x000000001AF63000-memory.dmp

Filesize
716KB

Download
memory/2176-7-0x0000000002080000-0x0000000002100000-memory.dmp

Filesize
512KB

Download
memory/2176-8-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

Filesize
9.6MB

Download