darkcomet | 9de73fa2272d0672a1d303c2fc49680840975230e81bebca99298fd8f46dcc8a

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
03-07-2024 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

239005e9b8a18bad6153e29c0640cd0b_JaffaCakes118.exe
Size

965KB
MD5

239005e9b8a18bad6153e29c0640cd0b
SHA1

9bc4ae68f12cebd6082b6fadb0931db5dfd8ff48
SHA256

9de73fa2272d0672a1d303c2fc49680840975230e81bebca99298fd8f46dcc8a
SHA512

75a8dea24a53a657c706d8532c3f92e2b2ec3af7e267eb2c0b7dffc2630c44c9c5b372bf4f551ce8f1fa430ffaf48966636090f50f8aa382f9041d72d35c270f
SSDEEP

12288:Q2cOTobWl24WN01cTFCZibqd/VJoVE3JMEjRy2riDRmTEXr/WFX/kWs2uq73J4rk:QhTFCiq7JoVa5jRyRmgzt275oX+LR

Score

10^/10

darkcomet guest16_min rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16_min

127.0.0.1:1604

Mutex

DCMIN_MUTEX-2C0GF0Q

Attributes

gencode
FeliwHF7p039
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 1 IoCs

Processes:

lol.exe

pid process

2612 lol.exe
Loads dropped DLL 2 IoCs

Processes:

239005e9b8a18bad6153e29c0640cd0b_JaffaCakes118.exe

pid process

2240 239005e9b8a18bad6153e29c0640cd0b_JaffaCakes118.exe
2240 239005e9b8a18bad6153e29c0640cd0b_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2612	lol.exe

pid	process
2240	239005e9b8a18bad6153e29c0640cd0b_JaffaCakes118.exe
2240	239005e9b8a18bad6153e29c0640cd0b_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

lol.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2612	lol.exe
Token: SeSecurityPrivilege	2612	lol.exe
Token: SeTakeOwnershipPrivilege	2612	lol.exe
Token: SeLoadDriverPrivilege	2612	lol.exe
Token: SeSystemProfilePrivilege	2612	lol.exe
Token: SeSystemtimePrivilege	2612	lol.exe
Token: SeProfSingleProcessPrivilege	2612	lol.exe
Token: SeIncBasePriorityPrivilege	2612	lol.exe
Token: SeCreatePagefilePrivilege	2612	lol.exe
Token: SeBackupPrivilege	2612	lol.exe
Token: SeRestorePrivilege	2612	lol.exe
Token: SeShutdownPrivilege	2612	lol.exe
Token: SeDebugPrivilege	2612	lol.exe
Token: SeSystemEnvironmentPrivilege	2612	lol.exe
Token: SeChangeNotifyPrivilege	2612	lol.exe
Token: SeRemoteShutdownPrivilege	2612	lol.exe
Token: SeUndockPrivilege	2612	lol.exe
Token: SeManageVolumePrivilege	2612	lol.exe
Token: SeImpersonatePrivilege	2612	lol.exe
Token: SeCreateGlobalPrivilege	2612	lol.exe
Token: 33	2612	lol.exe
Token: 34	2612	lol.exe
Token: 35	2612	lol.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

lol.exe

pid process

2612 lol.exe

pid	process
2612	lol.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

239005e9b8a18bad6153e29c0640cd0b_JaffaCakes118.exe

description	pid	process	target process
PID 2240 wrote to memory of 2612	2240	239005e9b8a18bad6153e29c0640cd0b_JaffaCakes118.exe	lol.exe
PID 2240 wrote to memory of 2612	2240	239005e9b8a18bad6153e29c0640cd0b_JaffaCakes118.exe	lol.exe
PID 2240 wrote to memory of 2612	2240	239005e9b8a18bad6153e29c0640cd0b_JaffaCakes118.exe	lol.exe
PID 2240 wrote to memory of 2612	2240	239005e9b8a18bad6153e29c0640cd0b_JaffaCakes118.exe	lol.exe

C:\Users\Admin\AppData\Local\Temp\239005e9b8a18bad6153e29c0640cd0b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\239005e9b8a18bad6153e29c0640cd0b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2240

C:\Users\Admin\AppData\Local\Temp\lol.exe
"C:\Users\Admin\AppData\Local\Temp\lol.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2612

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\lol.exe
Filesize
659KB

MD5
2def27b950f8175bd96a8d237d4c3f40

SHA1
852b4338e4324712616e6fe0325b749c14156cfb

SHA256
977c382efb1a252481ceb4490fd673b29e988a6e01d22eed09ec6f06ef5039ef

SHA512
c6340e1ae0e9cb009eb283dcaadc0d887fa598acf698cf234c002698b135c9b279606bed37236e58b57d268b65d1bdba6c8ce857361504539899eb855d3daf49

Download Submit
memory/2240-6-0x00000000749E0000-0x0000000074F8B000-memory.dmp

Filesize
5.7MB

Download
memory/2240-4-0x00000000749E0000-0x0000000074F8B000-memory.dmp

Filesize
5.7MB

Download
memory/2240-2-0x00000000749E0000-0x0000000074F8B000-memory.dmp

Filesize
5.7MB

Download
memory/2240-1-0x00000000749E0000-0x0000000074F8B000-memory.dmp

Filesize
5.7MB

Download
memory/2240-0-0x00000000749E1000-0x00000000749E2000-memory.dmp

Filesize
4KB

Download
memory/2240-17-0x00000000749E0000-0x0000000074F8B000-memory.dmp

Filesize
5.7MB

Download
memory/2612-15-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2612-16-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2612-20-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download