darkcomet | 763bd57d8dec6366174644ca1e92f974f895c3c995900068b1b1e013c00c2bec

Analysis

max time kernel
142s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2024 10:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ca08682ca6d9a60cdb68190196b644e_JaffaCakes118.exe
Size

1.5MB
MD5

7ca08682ca6d9a60cdb68190196b644e
SHA1

224ef3c5376281b7aed832cfe0a07b3d88e94634
SHA256

763bd57d8dec6366174644ca1e92f974f895c3c995900068b1b1e013c00c2bec
SHA512

43fac1261f7a3008435fb17c1fdc85a45d263907a433c3feec8690e41da2dac316a18e04f4b349b37eee5b7c072f29dd115d786ef41b3380584b682da5aecee1
SSDEEP

24576:GiEYxyUt70b7sTJb0HxP7kOw17mjIpn2KwJfV97:1V00p0RP75o6jUnxcfH7

Score

10^/10

darkcomet hacked rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

hacked

sulumanco.duckdns.org:4000

Mutex

DCMIN_MUTEX-5JGPC4U

Attributes

gencode
PSXl8AA8UgHs
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 1 IoCs

Processes:

file.exe

pid process

1360 file.exe

pid	process
1360	file.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\file.exe	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

file.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1360	file.exe
Token: SeSecurityPrivilege	1360	file.exe
Token: SeTakeOwnershipPrivilege	1360	file.exe
Token: SeLoadDriverPrivilege	1360	file.exe
Token: SeSystemProfilePrivilege	1360	file.exe
Token: SeSystemtimePrivilege	1360	file.exe
Token: SeProfSingleProcessPrivilege	1360	file.exe
Token: SeIncBasePriorityPrivilege	1360	file.exe
Token: SeCreatePagefilePrivilege	1360	file.exe
Token: SeBackupPrivilege	1360	file.exe
Token: SeRestorePrivilege	1360	file.exe
Token: SeShutdownPrivilege	1360	file.exe
Token: SeDebugPrivilege	1360	file.exe
Token: SeSystemEnvironmentPrivilege	1360	file.exe
Token: SeChangeNotifyPrivilege	1360	file.exe
Token: SeRemoteShutdownPrivilege	1360	file.exe
Token: SeUndockPrivilege	1360	file.exe
Token: SeManageVolumePrivilege	1360	file.exe
Token: SeImpersonatePrivilege	1360	file.exe
Token: SeCreateGlobalPrivilege	1360	file.exe
Token: 33	1360	file.exe
Token: 34	1360	file.exe
Token: 35	1360	file.exe
Token: 36	1360	file.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

7ca08682ca6d9a60cdb68190196b644e_JaffaCakes118.exe

description	pid	process	target process
PID 4296 wrote to memory of 1360	4296	7ca08682ca6d9a60cdb68190196b644e_JaffaCakes118.exe	file.exe
PID 4296 wrote to memory of 1360	4296	7ca08682ca6d9a60cdb68190196b644e_JaffaCakes118.exe	file.exe
PID 4296 wrote to memory of 1360	4296	7ca08682ca6d9a60cdb68190196b644e_JaffaCakes118.exe	file.exe

C:\Users\Admin\AppData\Local\Temp\7ca08682ca6d9a60cdb68190196b644e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7ca08682ca6d9a60cdb68190196b644e_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4296

C:\Users\Admin\AppData\Local\Temp\file.exe
file.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
1⤵
PID:3104

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\autF9F0.tmp
Filesize
729KB

MD5
6282456314baaedd946a479297670cda

SHA1
2f52b46aaeece5cc905d6cfeb58efe1586d37af0

SHA256
e89d885b13a6f07c583e6e3c99085332aacc4ab308d886a05ab2029d6ce01609

SHA512
442dad83f03a30a7e1f1f7c696c6b313e10caa90ec16daf0d78041386726b248680d4dd16a249279e4bdc14c92f269b6587482b982630eb0bdf4fd9bd9132b7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.exe
Filesize
1.6MB

MD5
e3603e6b91428087eb12338246595774

SHA1
81a184ffb1dbd62a7ecf555ab53d820be7bda8af

SHA256
5c583a1d407073f8db55e5facd87a7cfb476b8ec1df2b04d516320c749be985d

SHA512
16e3a3db42b93b227f7815d5b6a6e06df43556fb0262f993d9e3126803f4f1ce8af7b982c4c805136208a5a2352ed79c70bf8c412194e6e73ccc0caa11814b10

Download Submit
memory/1360-16-0x0000000003A40000-0x0000000003AF9000-memory.dmp

Filesize
740KB

Download
memory/1360-13-0x0000000003A40000-0x0000000003AF9000-memory.dmp

Filesize
740KB

Download
memory/1360-14-0x0000000003A40000-0x0000000003AF9000-memory.dmp

Filesize
740KB

Download
memory/1360-15-0x0000000003A40000-0x0000000003AF9000-memory.dmp

Filesize
740KB

Download
memory/1360-12-0x0000000003A40000-0x0000000003AF9000-memory.dmp

Filesize
740KB

Download
memory/1360-17-0x0000000003A40000-0x0000000003AF9000-memory.dmp

Filesize
740KB

Download
memory/1360-19-0x0000000003F40000-0x0000000003F41000-memory.dmp

Filesize
4KB

Download
memory/1360-18-0x0000000003D40000-0x0000000003DF2000-memory.dmp

Filesize
712KB

Download
memory/1360-21-0x0000000003D40000-0x0000000003DF2000-memory.dmp

Filesize
712KB

Download
memory/1360-20-0x0000000003D40000-0x0000000003DF2000-memory.dmp

Filesize
712KB

Download
memory/1360-22-0x0000000003D40000-0x0000000003DF2000-memory.dmp

Filesize
712KB

Download
memory/1360-23-0x0000000003F40000-0x0000000003F41000-memory.dmp

Filesize
4KB

Download