darkcomet | ed1e1d2f4fd555005e3d9f9785f0ff3b528c4b4712032ba935262ebbc6a6cf24

General

Target

08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe
Size

1024KB
MD5

08dd2c70484ca6b67cefc8985ecfa7ff
SHA1

7459475b8b29d431e828b790ac0ed60160789fe0
SHA256

ed1e1d2f4fd555005e3d9f9785f0ff3b528c4b4712032ba935262ebbc6a6cf24
SHA512

9a83511d767cf207f176fdff49c514e8884aca6d9dfa92f04e3f4c3ad533daccb44c7d50c1ca10f4fd5f0f60b50368a925fc9fe8e8fa617608501bd0854ea00b
SSDEEP

12288:89VIfiW0EW5C58W8OFf9L7l3/At6+0mPjP:8S25ZR8fTvAt6WT

Score

10^/10

darkcomet rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2580	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe
Token: SeSecurityPrivilege	2580	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2580	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2580	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2580	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2580	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2580	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2580	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2580	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe
Token: SeBackupPrivilege	2580	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe
Token: SeRestorePrivilege	2580	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe
Token: SeShutdownPrivilege	2580	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe
Token: SeDebugPrivilege	2580	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2580	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2580	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2580	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe
Token: SeUndockPrivilege	2580	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2580	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2580	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2580	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe
Token: 33	2580	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe
Token: 34	2580	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe
Token: 35	2580	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe

pid process

2580 08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe

pid	process
2580	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe

description	pid	process	target process
PID 2580 wrote to memory of 1972	2580	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe	iexplore.exe
PID 2580 wrote to memory of 1972	2580	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe	iexplore.exe
PID 2580 wrote to memory of 1972	2580	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe	iexplore.exe
PID 2580 wrote to memory of 1972	2580	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe	iexplore.exe
PID 2580 wrote to memory of 2452	2580	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe	explorer.exe
PID 2580 wrote to memory of 2452	2580	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe	explorer.exe
PID 2580 wrote to memory of 2452	2580	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe	explorer.exe
PID 2580 wrote to memory of 2452	2580	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2580

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
2⤵
PID:1972

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
2⤵
PID:2452

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2580-0-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2580-1-0x000000000048C000-0x000000000048E000-memory.dmp

Filesize
8KB

Download
memory/2580-2-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2580-3-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2580-4-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2580-5-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2580-6-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2580-7-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2580-8-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2580-9-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2580-10-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2580-11-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2580-12-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2580-13-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2580-14-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2580-15-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2580-16-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2580-17-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2580-18-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2580-19-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing