darkcomet | ed1e1d2f4fd555005e3d9f9785f0ff3b528c4b4712032ba935262ebbc6a6cf24

General

Target

08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe
Size

1024KB
MD5

08dd2c70484ca6b67cefc8985ecfa7ff
SHA1

7459475b8b29d431e828b790ac0ed60160789fe0
SHA256

ed1e1d2f4fd555005e3d9f9785f0ff3b528c4b4712032ba935262ebbc6a6cf24
SHA512

9a83511d767cf207f176fdff49c514e8884aca6d9dfa92f04e3f4c3ad533daccb44c7d50c1ca10f4fd5f0f60b50368a925fc9fe8e8fa617608501bd0854ea00b
SSDEEP

12288:89VIfiW0EW5C58W8OFf9L7l3/At6+0mPjP:8S25ZR8fTvAt6WT

Score

10^/10

darkcomet rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Suspicious use of SetThreadContext 1 IoCs

Processes:

08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe

description pid process target process

PID 4768 set thread context of 4664 4768 08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe iexplore.exe

description	pid	process	target process
PID 4768 set thread context of 4664	4768	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe	iexplore.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exeiexplore.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4768	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe
Token: SeSecurityPrivilege	4768	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	4768	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	4768	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	4768	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe
Token: SeSystemtimePrivilege	4768	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	4768	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4768	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	4768	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe
Token: SeBackupPrivilege	4768	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe
Token: SeRestorePrivilege	4768	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe
Token: SeShutdownPrivilege	4768	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe
Token: SeDebugPrivilege	4768	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	4768	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	4768	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	4768	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe
Token: SeUndockPrivilege	4768	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe
Token: SeManageVolumePrivilege	4768	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe
Token: SeImpersonatePrivilege	4768	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	4768	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe
Token: 33	4768	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe
Token: 34	4768	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe
Token: 35	4768	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe
Token: 36	4768	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	4664	iexplore.exe
Token: SeSecurityPrivilege	4664	iexplore.exe
Token: SeTakeOwnershipPrivilege	4664	iexplore.exe
Token: SeLoadDriverPrivilege	4664	iexplore.exe
Token: SeSystemProfilePrivilege	4664	iexplore.exe
Token: SeSystemtimePrivilege	4664	iexplore.exe
Token: SeProfSingleProcessPrivilege	4664	iexplore.exe
Token: SeIncBasePriorityPrivilege	4664	iexplore.exe
Token: SeCreatePagefilePrivilege	4664	iexplore.exe
Token: SeBackupPrivilege	4664	iexplore.exe
Token: SeRestorePrivilege	4664	iexplore.exe
Token: SeShutdownPrivilege	4664	iexplore.exe
Token: SeDebugPrivilege	4664	iexplore.exe
Token: SeSystemEnvironmentPrivilege	4664	iexplore.exe
Token: SeChangeNotifyPrivilege	4664	iexplore.exe
Token: SeRemoteShutdownPrivilege	4664	iexplore.exe
Token: SeUndockPrivilege	4664	iexplore.exe
Token: SeManageVolumePrivilege	4664	iexplore.exe
Token: SeImpersonatePrivilege	4664	iexplore.exe
Token: SeCreateGlobalPrivilege	4664	iexplore.exe
Token: 33	4664	iexplore.exe
Token: 34	4664	iexplore.exe
Token: 35	4664	iexplore.exe
Token: 36	4664	iexplore.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe

description	pid	process	target process
PID 4768 wrote to memory of 4664	4768	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe	iexplore.exe
PID 4768 wrote to memory of 4664	4768	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe	iexplore.exe
PID 4768 wrote to memory of 4664	4768	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe	iexplore.exe
PID 4768 wrote to memory of 4664	4768	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe	iexplore.exe
PID 4768 wrote to memory of 4664	4768	08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\08dd2c70484ca6b67cefc8985ecfa7ff_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4768

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3944 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
1⤵
PID:3780

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4768-0-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/4768-1-0x000000000048C000-0x000000000048E000-memory.dmp

Filesize
8KB

Download
memory/4768-2-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/4768-3-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/4768-6-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing