Malware Analysis Report

2024-08-06 18:59

Sample ID 240614-3dbxhathkk
Target abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118
SHA256 29f573a76f83f58123f118c876d60e0f2eb1bce10c3b6710facadae699a7354f
Tags
kurban darkcomet rat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

29f573a76f83f58123f118c876d60e0f2eb1bce10c3b6710facadae699a7354f

Threat Level: Known bad

The file abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

kurban darkcomet rat trojan

Darkcomet family

Darkcomet

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 23:23

Signatures

Darkcomet family

darkcomet

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 23:23

Reported

2024-06-14 23:25

Platform

win7-20240221-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe"

Signatures

Darkcomet

trojan rat darkcomet

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}

Network

N/A

Files

memory/1728-0-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/1728-2-0x0000000001E60000-0x0000000001E62000-memory.dmp

memory/2576-3-0x00000000001A0000-0x00000000001A2000-memory.dmp

memory/2576-4-0x0000000000290000-0x0000000000291000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SCREENSHOT_1.PNG

MD5 ebfbe4c39eb034f5728f7e622a23471a
SHA1 1029933c161030d9e5d4f11571a165f25f9c3053
SHA256 90a3e8292c7d87635e9ef7739d0bf664d0e3411e4c850878342490e1fecb0689
SHA512 086206aba1c45507f0528dbf5e4dcb3618de5df5c29b35bfad73d216a4dcd3b66ffa1c0c83ba1f815a6209edd0c3731c3818f259b6f126a79c6b50955633a93d

memory/1728-6-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/1728-7-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/1728-8-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/2576-10-0x0000000000290000-0x0000000000291000-memory.dmp

memory/1728-9-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/1728-11-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/1728-12-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/1728-13-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/1728-14-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/1728-15-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/1728-16-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/1728-17-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/1728-18-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/1728-19-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/1728-20-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/1728-21-0x0000000000400000-0x00000000004E3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 23:23

Reported

2024-06-14 23:26

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe"

Signatures

Darkcomet

trojan rat darkcomet

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\abf871e6ae6935d48b6c4d15a93a692e_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
BE 88.221.83.187:443 www.bing.com tcp
US 8.8.8.8:53 187.83.221.88.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp

Files

memory/1972-0-0x0000000002140000-0x0000000002141000-memory.dmp

memory/1972-2-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/1972-3-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/1972-4-0x0000000002140000-0x0000000002141000-memory.dmp

memory/1972-5-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/1972-6-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/1972-7-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/1972-8-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/1972-9-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/1972-10-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/1972-11-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/1972-12-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/1972-13-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/1972-14-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/1972-15-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/1972-16-0x0000000000400000-0x00000000004E3000-memory.dmp