darkcomet | 0283d70c21f41fb8f6672130e2a54ed236c4b345bb695ace50d0ff090f49bb46

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 17:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

35ae3f6517869526394456b6edb2250e_JaffaCakes118.exe
Size

511KB
MD5

35ae3f6517869526394456b6edb2250e
SHA1

f3450b72567f934c0ae9d327e7b3c81740640765
SHA256

0283d70c21f41fb8f6672130e2a54ed236c4b345bb695ace50d0ff090f49bb46
SHA512

f50a3137f6921f1275d2e6133713fc3a4bdf37b63a2f60f2c68ede3fe8e5cfc206b6e5d2a13b0bdd6fde0d97e67cfe3063eb0fc52af309669090e3f19abc4328
SSDEEP

12288:x7LVlG24SKvf3hhpElL9OdQ3LNOuCkiXhlX9QqJ0Zh5:VVlmvf33vxuCkq5aX9

Score

10^/10

darkcomet guest161 rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest161

yahoohack.zapto.org:1605

127.0.0.1:1605

Mutex

DC_MUTEX-N07L5DZ

Attributes

gencode
xhRQdnR4ViZW
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Executes dropped EXE 1 IoCs

pid	Process
3040	str2.exe

Loads dropped DLL 2 IoCs

pid	Process
1236	35ae3f6517869526394456b6edb2250e_JaffaCakes118.exe
1236	35ae3f6517869526394456b6edb2250e_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3040 set thread context of 2892	3040	str2.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3040	str2.exe
Token: SeSecurityPrivilege	3040	str2.exe
Token: SeTakeOwnershipPrivilege	3040	str2.exe
Token: SeLoadDriverPrivilege	3040	str2.exe
Token: SeSystemProfilePrivilege	3040	str2.exe
Token: SeSystemtimePrivilege	3040	str2.exe
Token: SeProfSingleProcessPrivilege	3040	str2.exe
Token: SeIncBasePriorityPrivilege	3040	str2.exe
Token: SeCreatePagefilePrivilege	3040	str2.exe
Token: SeBackupPrivilege	3040	str2.exe
Token: SeRestorePrivilege	3040	str2.exe
Token: SeShutdownPrivilege	3040	str2.exe
Token: SeDebugPrivilege	3040	str2.exe
Token: SeSystemEnvironmentPrivilege	3040	str2.exe
Token: SeChangeNotifyPrivilege	3040	str2.exe
Token: SeRemoteShutdownPrivilege	3040	str2.exe
Token: SeUndockPrivilege	3040	str2.exe
Token: SeManageVolumePrivilege	3040	str2.exe
Token: SeImpersonatePrivilege	3040	str2.exe
Token: SeCreateGlobalPrivilege	3040	str2.exe
Token: 33	3040	str2.exe
Token: 34	3040	str2.exe
Token: 35	3040	str2.exe
Token: SeIncreaseQuotaPrivilege	2892	iexplore.exe
Token: SeSecurityPrivilege	2892	iexplore.exe
Token: SeTakeOwnershipPrivilege	2892	iexplore.exe
Token: SeLoadDriverPrivilege	2892	iexplore.exe
Token: SeSystemProfilePrivilege	2892	iexplore.exe
Token: SeSystemtimePrivilege	2892	iexplore.exe
Token: SeProfSingleProcessPrivilege	2892	iexplore.exe
Token: SeIncBasePriorityPrivilege	2892	iexplore.exe
Token: SeCreatePagefilePrivilege	2892	iexplore.exe
Token: SeBackupPrivilege	2892	iexplore.exe
Token: SeRestorePrivilege	2892	iexplore.exe
Token: SeShutdownPrivilege	2892	iexplore.exe
Token: SeDebugPrivilege	2892	iexplore.exe
Token: SeSystemEnvironmentPrivilege	2892	iexplore.exe
Token: SeChangeNotifyPrivilege	2892	iexplore.exe
Token: SeRemoteShutdownPrivilege	2892	iexplore.exe
Token: SeUndockPrivilege	2892	iexplore.exe
Token: SeManageVolumePrivilege	2892	iexplore.exe
Token: SeImpersonatePrivilege	2892	iexplore.exe
Token: SeCreateGlobalPrivilege	2892	iexplore.exe
Token: 33	2892	iexplore.exe
Token: 34	2892	iexplore.exe
Token: 35	2892	iexplore.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2892	iexplore.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1236 wrote to memory of 3040	1236	35ae3f6517869526394456b6edb2250e_JaffaCakes118.exe	31
PID 1236 wrote to memory of 3040	1236	35ae3f6517869526394456b6edb2250e_JaffaCakes118.exe	31
PID 1236 wrote to memory of 3040	1236	35ae3f6517869526394456b6edb2250e_JaffaCakes118.exe	31
PID 1236 wrote to memory of 3040	1236	35ae3f6517869526394456b6edb2250e_JaffaCakes118.exe	31
PID 3040 wrote to memory of 2892	3040	str2.exe	32
PID 3040 wrote to memory of 2892	3040	str2.exe	32
PID 3040 wrote to memory of 2892	3040	str2.exe	32
PID 3040 wrote to memory of 2892	3040	str2.exe	32
PID 3040 wrote to memory of 2892	3040	str2.exe	32
PID 3040 wrote to memory of 2892	3040	str2.exe	32

C:\Users\Admin\AppData\Local\Temp\35ae3f6517869526394456b6edb2250e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\35ae3f6517869526394456b6edb2250e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Users\Admin\AppData\Local\Temp\str2.exe
  "C:\Users\Admin\AppData\Local\Temp\str2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\str2.exe

Filesize
681KB

MD5
fe5cb85d0e730645745050632f853405

SHA1
1228f845bc793e327c8f9a2da99d9428c2b84bc1

SHA256
d4e6bdbd49378330729ec6ae39583bac7e963c7fc740e1aee76e4c5f66800085

SHA512
0351b5aeda263cf59bbff192ead690d4934525d0e9292521da619a3e15325dc370716d0fcbc7fab37b6dbadf0c58ccaab7a82ee9f122f353b69d0e077312bfbc

Download Submit
memory/2892-16-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3040-14-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/3040-17-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download