darkcomet | ff93148d8c664fa2779cb233c16f3988f62521209f1889f0fb869b5c48096b70

General

Target

1c20bb6cec6ede067e2aacc792757c31_JaffaCakes118.exe
Size

674KB
MD5

1c20bb6cec6ede067e2aacc792757c31
SHA1

a94bfab56e8239be381bd8f1577caa62927b5fa9
SHA256

ff93148d8c664fa2779cb233c16f3988f62521209f1889f0fb869b5c48096b70
SHA512

d5826d9a787e8e8f1eec8f9f0cfaff145120a8b421f304be8885ce3d6714e97cc8531b5509d6eb0015e10c8ebf9b1f64582a7f74bc513176bd6c82d5034efa2b
SSDEEP

12288:Ek0QVlhmPojAPTMEsUTg0oChO/Q2JbsbjPbN5qhRTtYe3f+Iw86k/9/+8:10QRWoJEfg0oChGdJQbjPbNW5tYeP+GR

Score

10^/10

darkcomet guest16 rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

mo-68.no-ip.info:1604

Mutex

DC_MUTEX-2SM0DL6

Attributes

gencode
SxoqZ9pbswT0
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Suspicious use of SetThreadContext 1 IoCs

Processes:

1c20bb6cec6ede067e2aacc792757c31_JaffaCakes118.exe

description pid process target process

PID 2100 set thread context of 1972 2100 1c20bb6cec6ede067e2aacc792757c31_JaffaCakes118.exe iexplore.exe

description	pid	process	target process
PID 2100 set thread context of 1972	2100	1c20bb6cec6ede067e2aacc792757c31_JaffaCakes118.exe	iexplore.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

1c20bb6cec6ede067e2aacc792757c31_JaffaCakes118.exeiexplore.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2100	1c20bb6cec6ede067e2aacc792757c31_JaffaCakes118.exe
Token: SeSecurityPrivilege	2100	1c20bb6cec6ede067e2aacc792757c31_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2100	1c20bb6cec6ede067e2aacc792757c31_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2100	1c20bb6cec6ede067e2aacc792757c31_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2100	1c20bb6cec6ede067e2aacc792757c31_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2100	1c20bb6cec6ede067e2aacc792757c31_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2100	1c20bb6cec6ede067e2aacc792757c31_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2100	1c20bb6cec6ede067e2aacc792757c31_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2100	1c20bb6cec6ede067e2aacc792757c31_JaffaCakes118.exe
Token: SeBackupPrivilege	2100	1c20bb6cec6ede067e2aacc792757c31_JaffaCakes118.exe
Token: SeRestorePrivilege	2100	1c20bb6cec6ede067e2aacc792757c31_JaffaCakes118.exe
Token: SeShutdownPrivilege	2100	1c20bb6cec6ede067e2aacc792757c31_JaffaCakes118.exe
Token: SeDebugPrivilege	2100	1c20bb6cec6ede067e2aacc792757c31_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2100	1c20bb6cec6ede067e2aacc792757c31_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2100	1c20bb6cec6ede067e2aacc792757c31_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2100	1c20bb6cec6ede067e2aacc792757c31_JaffaCakes118.exe
Token: SeUndockPrivilege	2100	1c20bb6cec6ede067e2aacc792757c31_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2100	1c20bb6cec6ede067e2aacc792757c31_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2100	1c20bb6cec6ede067e2aacc792757c31_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2100	1c20bb6cec6ede067e2aacc792757c31_JaffaCakes118.exe
Token: 33	2100	1c20bb6cec6ede067e2aacc792757c31_JaffaCakes118.exe
Token: 34	2100	1c20bb6cec6ede067e2aacc792757c31_JaffaCakes118.exe
Token: 35	2100	1c20bb6cec6ede067e2aacc792757c31_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	1972	iexplore.exe
Token: SeSecurityPrivilege	1972	iexplore.exe
Token: SeTakeOwnershipPrivilege	1972	iexplore.exe
Token: SeLoadDriverPrivilege	1972	iexplore.exe
Token: SeSystemProfilePrivilege	1972	iexplore.exe
Token: SeSystemtimePrivilege	1972	iexplore.exe
Token: SeProfSingleProcessPrivilege	1972	iexplore.exe
Token: SeIncBasePriorityPrivilege	1972	iexplore.exe
Token: SeCreatePagefilePrivilege	1972	iexplore.exe
Token: SeBackupPrivilege	1972	iexplore.exe
Token: SeRestorePrivilege	1972	iexplore.exe
Token: SeShutdownPrivilege	1972	iexplore.exe
Token: SeDebugPrivilege	1972	iexplore.exe
Token: SeSystemEnvironmentPrivilege	1972	iexplore.exe
Token: SeChangeNotifyPrivilege	1972	iexplore.exe
Token: SeRemoteShutdownPrivilege	1972	iexplore.exe
Token: SeUndockPrivilege	1972	iexplore.exe
Token: SeManageVolumePrivilege	1972	iexplore.exe
Token: SeImpersonatePrivilege	1972	iexplore.exe
Token: SeCreateGlobalPrivilege	1972	iexplore.exe
Token: 33	1972	iexplore.exe
Token: 34	1972	iexplore.exe
Token: 35	1972	iexplore.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

1c20bb6cec6ede067e2aacc792757c31_JaffaCakes118.exe

description	pid	process	target process
PID 2100 wrote to memory of 1972	2100	1c20bb6cec6ede067e2aacc792757c31_JaffaCakes118.exe	iexplore.exe
PID 2100 wrote to memory of 1972	2100	1c20bb6cec6ede067e2aacc792757c31_JaffaCakes118.exe	iexplore.exe
PID 2100 wrote to memory of 1972	2100	1c20bb6cec6ede067e2aacc792757c31_JaffaCakes118.exe	iexplore.exe
PID 2100 wrote to memory of 1972	2100	1c20bb6cec6ede067e2aacc792757c31_JaffaCakes118.exe	iexplore.exe
PID 2100 wrote to memory of 1972	2100	1c20bb6cec6ede067e2aacc792757c31_JaffaCakes118.exe	iexplore.exe
PID 2100 wrote to memory of 1972	2100	1c20bb6cec6ede067e2aacc792757c31_JaffaCakes118.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\1c20bb6cec6ede067e2aacc792757c31_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1c20bb6cec6ede067e2aacc792757c31_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1972

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1972-1-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2100-0-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2100-2-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download

Analysis

Sharing