darkcomet | 16b8d72b51b7518ab8660f7ebaf9163ce6495c1e383f6a07fe2d36ec21486668

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
20-05-2024 01:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe
Size

658KB
MD5

5c98db14eae2051a75db884bc62938c0
SHA1

771310c416fba4ab0ffa135bebec6c04ea3a2e5e
SHA256

16b8d72b51b7518ab8660f7ebaf9163ce6495c1e383f6a07fe2d36ec21486668
SHA512

ea75ed405bba523babf68685ad02cd932e4bbcb9e2944c21aeb1883bfe67e1717203d60fbf3eccecdd9e26c1900999bfcbdfa127d20306d1bd44e1490008a5d3
SSDEEP

12288:O9HMeUmcufrvA3kb445UEJ2jsWiD4EvFuu4cNgZhCiZKD/XdyFV:aiBIGkbxqEcjsWiDxguehC2SS

Score

10^/10

darkcomet guest16 rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

127.0.0.1:25565

92.246.89.145:25565

92.246.89.145:5555

92.246.89.145:8888

127.0.0.1:8888

127.0.0.1:5555

Mutex

DC_MUTEX-UBCQNRK

Attributes

gencode
QP5sRdeDQuBd
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3940	5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe
Token: SeSecurityPrivilege	3940	5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	3940	5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	3940	5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	3940	5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe
Token: SeSystemtimePrivilege	3940	5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	3940	5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3940	5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	3940	5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe
Token: SeBackupPrivilege	3940	5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe
Token: SeRestorePrivilege	3940	5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe
Token: SeShutdownPrivilege	3940	5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe
Token: SeDebugPrivilege	3940	5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	3940	5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	3940	5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	3940	5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe
Token: SeUndockPrivilege	3940	5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe
Token: SeManageVolumePrivilege	3940	5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe
Token: SeImpersonatePrivilege	3940	5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	3940	5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe
Token: 33	3940	5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe
Token: 34	3940	5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe
Token: 35	3940	5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe
Token: 36	3940	5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe

pid process

3940 5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe

pid	process
3940	5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5c98db14eae2051a75db884bc62938c0_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3940-0-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/3940-1-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download