darkcomet | 8e495904d0aae1983e572cade1c6341c60bc3ade25d9f2fdf8d5ceffcf77da0a

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 02:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01e4112b2edad92a58f11c2c06c95848_JaffaCakes118.exe
Size

649KB
MD5

01e4112b2edad92a58f11c2c06c95848
SHA1

8651e3344e8586c641c72180471f789af1cb10b0
SHA256

8e495904d0aae1983e572cade1c6341c60bc3ade25d9f2fdf8d5ceffcf77da0a
SHA512

8f2a0d7c1afab26169a72c2ff204795d4ede8a6f44d65a0db002e3f220010eb8afa5e7aa5858da2ad15fa761dfdfb56650f60e5cbfa244454b95b0b4fb970b65
SSDEEP

12288:bk0QVlhmPojAPTMEsUTg0oChO/Q2JbsbjPbN5qhRTtYe3f+Iw86k/9/++:Q0QRWoJEfg0oChGdJQbjPbNW5tYeP+GX

Score

10^/10

darkcomet guest16 evasion rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

blackra1n.no-ip.biz:1604

Mutex

DC_MUTEX-X8TCKK6

Attributes

gencode
6s8NnbbuLZai
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
4816	attrib.exe
3392	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	01e4112b2edad92a58f11c2c06c95848_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 212 set thread context of 4048	212	01e4112b2edad92a58f11c2c06c95848_JaffaCakes118.exe	87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	212	01e4112b2edad92a58f11c2c06c95848_JaffaCakes118.exe
Token: SeSecurityPrivilege	212	01e4112b2edad92a58f11c2c06c95848_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	212	01e4112b2edad92a58f11c2c06c95848_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	212	01e4112b2edad92a58f11c2c06c95848_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	212	01e4112b2edad92a58f11c2c06c95848_JaffaCakes118.exe
Token: SeSystemtimePrivilege	212	01e4112b2edad92a58f11c2c06c95848_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	212	01e4112b2edad92a58f11c2c06c95848_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	212	01e4112b2edad92a58f11c2c06c95848_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	212	01e4112b2edad92a58f11c2c06c95848_JaffaCakes118.exe
Token: SeBackupPrivilege	212	01e4112b2edad92a58f11c2c06c95848_JaffaCakes118.exe
Token: SeRestorePrivilege	212	01e4112b2edad92a58f11c2c06c95848_JaffaCakes118.exe
Token: SeShutdownPrivilege	212	01e4112b2edad92a58f11c2c06c95848_JaffaCakes118.exe
Token: SeDebugPrivilege	212	01e4112b2edad92a58f11c2c06c95848_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	212	01e4112b2edad92a58f11c2c06c95848_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	212	01e4112b2edad92a58f11c2c06c95848_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	212	01e4112b2edad92a58f11c2c06c95848_JaffaCakes118.exe
Token: SeUndockPrivilege	212	01e4112b2edad92a58f11c2c06c95848_JaffaCakes118.exe
Token: SeManageVolumePrivilege	212	01e4112b2edad92a58f11c2c06c95848_JaffaCakes118.exe
Token: SeImpersonatePrivilege	212	01e4112b2edad92a58f11c2c06c95848_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	212	01e4112b2edad92a58f11c2c06c95848_JaffaCakes118.exe
Token: 33	212	01e4112b2edad92a58f11c2c06c95848_JaffaCakes118.exe
Token: 34	212	01e4112b2edad92a58f11c2c06c95848_JaffaCakes118.exe
Token: 35	212	01e4112b2edad92a58f11c2c06c95848_JaffaCakes118.exe
Token: 36	212	01e4112b2edad92a58f11c2c06c95848_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	4048	iexplore.exe
Token: SeSecurityPrivilege	4048	iexplore.exe
Token: SeTakeOwnershipPrivilege	4048	iexplore.exe
Token: SeLoadDriverPrivilege	4048	iexplore.exe
Token: SeSystemProfilePrivilege	4048	iexplore.exe
Token: SeSystemtimePrivilege	4048	iexplore.exe
Token: SeProfSingleProcessPrivilege	4048	iexplore.exe
Token: SeIncBasePriorityPrivilege	4048	iexplore.exe
Token: SeCreatePagefilePrivilege	4048	iexplore.exe
Token: SeBackupPrivilege	4048	iexplore.exe
Token: SeRestorePrivilege	4048	iexplore.exe
Token: SeShutdownPrivilege	4048	iexplore.exe
Token: SeDebugPrivilege	4048	iexplore.exe
Token: SeSystemEnvironmentPrivilege	4048	iexplore.exe
Token: SeChangeNotifyPrivilege	4048	iexplore.exe
Token: SeRemoteShutdownPrivilege	4048	iexplore.exe
Token: SeUndockPrivilege	4048	iexplore.exe
Token: SeManageVolumePrivilege	4048	iexplore.exe
Token: SeImpersonatePrivilege	4048	iexplore.exe
Token: SeCreateGlobalPrivilege	4048	iexplore.exe
Token: 33	4048	iexplore.exe
Token: 34	4048	iexplore.exe
Token: 35	4048	iexplore.exe
Token: 36	4048	iexplore.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 4012	212	01e4112b2edad92a58f11c2c06c95848_JaffaCakes118.exe	84
PID 212 wrote to memory of 4012	212	01e4112b2edad92a58f11c2c06c95848_JaffaCakes118.exe	84
PID 212 wrote to memory of 4012	212	01e4112b2edad92a58f11c2c06c95848_JaffaCakes118.exe	84
PID 212 wrote to memory of 3916	212	01e4112b2edad92a58f11c2c06c95848_JaffaCakes118.exe	85
PID 212 wrote to memory of 3916	212	01e4112b2edad92a58f11c2c06c95848_JaffaCakes118.exe	85
PID 212 wrote to memory of 3916	212	01e4112b2edad92a58f11c2c06c95848_JaffaCakes118.exe	85
PID 212 wrote to memory of 4048	212	01e4112b2edad92a58f11c2c06c95848_JaffaCakes118.exe	87
PID 212 wrote to memory of 4048	212	01e4112b2edad92a58f11c2c06c95848_JaffaCakes118.exe	87
PID 212 wrote to memory of 4048	212	01e4112b2edad92a58f11c2c06c95848_JaffaCakes118.exe	87
PID 212 wrote to memory of 4048	212	01e4112b2edad92a58f11c2c06c95848_JaffaCakes118.exe	87
PID 212 wrote to memory of 4048	212	01e4112b2edad92a58f11c2c06c95848_JaffaCakes118.exe	87
PID 4012 wrote to memory of 4816	4012	cmd.exe	89
PID 4012 wrote to memory of 4816	4012	cmd.exe	89
PID 4012 wrote to memory of 4816	4012	cmd.exe	89
PID 3916 wrote to memory of 3392	3916	cmd.exe	90
PID 3916 wrote to memory of 3392	3916	cmd.exe	90
PID 3916 wrote to memory of 3392	3916	cmd.exe	90

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4816	attrib.exe
3392	attrib.exe

C:\Users\Admin\AppData\Local\Temp\01e4112b2edad92a58f11c2c06c95848_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01e4112b2edad92a58f11c2c06c95848_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:212
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\01e4112b2edad92a58f11c2c06c95848_JaffaCakes118.exe" +s +h
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4012
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\01e4112b2edad92a58f11c2c06c95848_JaffaCakes118.exe" +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:4816
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3916
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:3392
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/212-0-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/212-2-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4048-1-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads