Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-07-2024 18:54

Behavioral task: behavioral1
- Sample: 1c20bb6cec6ede067e2aacc792757c31_JaffaCakes118.exe
- Resource: win7-20240611-en
- 4 signatures
- 150 seconds
General
- Target: 1c20bb6cec6ede067e2aacc792757c31_JaffaCakes118.exe
- Size: 674KB
- MD5: 1c20bb6cec6ede067e2aacc792757c31
- SHA1: a94bfab56e8239be381bd8f1577caa62927b5fa9
- SHA256: ff93148d8c664fa2779cb233c16f3988f62521209f1889f0fb869b5c48096b70
- SHA512: d5826d9a787e8e8f1eec8f9f0cfaff145120a8b421f304be8885ce3d6714e97cc8531b5509d6eb0015e10c8ebf9b1f64582a7f74bc513176bd6c82d5034efa2b
- SSDEEP: 12288:Ek0QVlhmPojAPTMEsUTg0oChO/Q2JbsbjPbN5qhRTtYe3f+Iw86k/9/+8:10QRWoJEfg0oChGdJQbjPbNW5tYeP+GR
Malware Config (Extracted)
- Family: darkcomet
- Botnet: Guest16
- C2: mo-68.no-ip.info:1604
- Mutex: DC_MUTEX-2SM0DL6
- Attributes:
  - gencode: SxoqZ9pbswT0
  - install: false
  - offline_keylogger: true
  - persistence: false
Signatures

- Suspicious use of SetThreadContext (1 IoC)
  Processes: 1c20bb6cec6ede067e2aacc792757c31_JaffaCakes118.exe
  description                          pid   process                                              target process
  PID 3780 set thread context of 2692  3780  1c20bb6cec6ede067e2aacc792757c31_JaffaCakes118.exe  iexplore.exe

- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Processes: 1c20bb6cec6ede067e2aacc792757c31_JaffaCakes118.exe, iexplore.exe
  Each of the 24 tokens below is adjusted once by PID 3780 (1c20bb6cec6ede067e2aacc792757c31_JaffaCakes118.exe) and once by PID 2692 (iexplore.exe), in the same order, giving 48 entries in total:
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36

- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: iexplore.exe
  pid   process
  2692  iexplore.exe

- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: 1c20bb6cec6ede067e2aacc792757c31_JaffaCakes118.exe
  description                       pid   process                                              target process
  PID 3780 wrote to memory of 2692  3780  1c20bb6cec6ede067e2aacc792757c31_JaffaCakes118.exe  iexplore.exe
  (the same entry is recorded five times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\1c20bb6cec6ede067e2aacc792757c31_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1c20bb6cec6ede067e2aacc792757c31_JaffaCakes118.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Program Files (x86)\Internet Explorer\iexplore.exe (child of 1)
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx