Analysis Overview

score

10^/10

SHA256

59d9a67f2849501d91c422fef3ce4e924c61e023850f6d728291f7cfbb7f42bc

Threat Level: Known bad

The file 014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

darkcomet rat trojan

Darkcomet family

Darkcomet

Unsigned PE

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-19 23:54

Signatures

Darkcomet family

darkcomet

Unsigned PE

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 23:54

Reported

2024-06-19 23:57

Platform

win7-20231129-en

Max time kernel

149s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe"

Signatures

Darkcomet

trojan rat darkcomet

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeIncreaseQuotaPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe	N/A
Token: SeSecurityPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe	N/A
Token: SeTakeOwnershipPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe	N/A
Token: SeLoadDriverPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe	N/A
Token: SeSystemProfilePrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe	N/A
Token: SeSystemtimePrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe	N/A
Token: SeProfSingleProcessPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe	N/A
Token: SeCreatePagefilePrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe	N/A
Token: SeBackupPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe	N/A
Token: SeRestorePrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe	N/A
Token: SeShutdownPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe	N/A
Token: SeSystemEnvironmentPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe	N/A
Token: SeChangeNotifyPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe	N/A
Token: SeRemoteShutdownPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe	N/A
Token: SeUndockPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe	N/A
Token: SeManageVolumePrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe	N/A
Token: SeImpersonatePrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe	N/A
Token: SeCreateGlobalPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe	N/A
Token: 34	N/A	C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe	N/A
Token: 35	N/A	C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe	N/A

Processes

C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe"

Network

Country	Destination	Domain	Proto
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp

Files

memory/3040-0-0x0000000000270000-0x0000000000271000-memory.dmp

memory/3040-1-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/3040-2-0x0000000000400000-0x00000000004CC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 23:54

Reported

2024-06-19 23:57

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe"

Signatures

Darkcomet

trojan rat darkcomet

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeIncreaseQuotaPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe	N/A
Token: SeSecurityPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe	N/A
Token: SeTakeOwnershipPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe	N/A
Token: SeLoadDriverPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe	N/A
Token: SeSystemProfilePrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe	N/A
Token: SeSystemtimePrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe	N/A
Token: SeProfSingleProcessPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe	N/A
Token: SeCreatePagefilePrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe	N/A
Token: SeBackupPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe	N/A
Token: SeRestorePrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe	N/A
Token: SeShutdownPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe	N/A
Token: SeSystemEnvironmentPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe	N/A
Token: SeChangeNotifyPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe	N/A
Token: SeRemoteShutdownPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe	N/A
Token: SeUndockPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe	N/A
Token: SeManageVolumePrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe	N/A
Token: SeImpersonatePrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe	N/A
Token: SeCreateGlobalPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe	N/A
Token: 34	N/A	C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe	N/A
Token: 35	N/A	C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe	N/A
Token: 36	N/A	C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe	N/A

Processes

C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118.exe"

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	13.86.106.20.in-addr.arpa	udp
US	8.8.8.8:53	240.221.184.93.in-addr.arpa	udp
US	8.8.8.8:53	23.159.190.20.in-addr.arpa	udp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
US	8.8.8.8:53	232.168.11.51.in-addr.arpa	udp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
US	8.8.8.8:53	157.123.68.40.in-addr.arpa	udp
N/A	127.0.0.1:983		tcp
US	8.8.8.8:53	206.23.85.13.in-addr.arpa	udp
US	8.8.8.8:53	92.12.20.2.in-addr.arpa	udp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
US	8.8.8.8:53	97.90.14.23.in-addr.arpa	udp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
US	8.8.8.8:53	19.24.18.2.in-addr.arpa	udp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp
N/A	127.0.0.1:983		tcp

Files

memory/2568-0-0x0000000002290000-0x0000000002291000-memory.dmp

memory/2568-1-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/2568-3-0x0000000002290000-0x0000000002291000-memory.dmp

memory/2568-4-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/2568-8-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/2568-10-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/2568-11-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/2568-12-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/2568-15-0x0000000000400000-0x00000000004CC000-memory.dmp

Sample ID	240619-3x5c6axfmc
Target	014948daac3fa8780ce2ac6f125f0a03_JaffaCakes118
SHA256	59d9a67f2849501d91c422fef3ce4e924c61e023850f6d728291f7cfbb7f42bc
Tags	darkcomet rat trojan

Malware Analysis Report

2024-08-06 19:01

Table of Contents

Analysis Overview

Threat Level: Known bad

Malicious Activity Summary

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files