darkcomet | 7a097c0d98ef1eb154add34a8641bda4d9cec751c722cb1af1fae9aaef71cc78

General

Target

5c2db70f99be448c7ce5eef4004e3b99_JaffaCakes118.exe
Size

527KB
MD5

5c2db70f99be448c7ce5eef4004e3b99
SHA1

4fa84d05e3d0764357795ebd5b74a5386a92752f
SHA256

7a097c0d98ef1eb154add34a8641bda4d9cec751c722cb1af1fae9aaef71cc78
SHA512

2f2123020258d28c6b83c32584e26ae505c40fb5b47121c5dd2cc22813b92d84bd7aa7dcc5d9df56fc6928d00e77adc977b1ebe9718968c1f6af7ba1c3d99b7f
SSDEEP

12288:Q9jXIMlSia8JyH8d3zScOC9Y/OiaWVVJL0GGCXNc/5:UjRNauycd3zSA19+Q+u5

Score

10^/10

darkcomet guest16 rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

127.0.0.1:1604

Mutex

DC_MUTEX-0SR134T

Attributes

gencode
8QPKGQajuMgz
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4964	5c2db70f99be448c7ce5eef4004e3b99_JaffaCakes118.exe
Token: SeSecurityPrivilege	4964	5c2db70f99be448c7ce5eef4004e3b99_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	4964	5c2db70f99be448c7ce5eef4004e3b99_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	4964	5c2db70f99be448c7ce5eef4004e3b99_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	4964	5c2db70f99be448c7ce5eef4004e3b99_JaffaCakes118.exe
Token: SeSystemtimePrivilege	4964	5c2db70f99be448c7ce5eef4004e3b99_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	4964	5c2db70f99be448c7ce5eef4004e3b99_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4964	5c2db70f99be448c7ce5eef4004e3b99_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	4964	5c2db70f99be448c7ce5eef4004e3b99_JaffaCakes118.exe
Token: SeBackupPrivilege	4964	5c2db70f99be448c7ce5eef4004e3b99_JaffaCakes118.exe
Token: SeRestorePrivilege	4964	5c2db70f99be448c7ce5eef4004e3b99_JaffaCakes118.exe
Token: SeShutdownPrivilege	4964	5c2db70f99be448c7ce5eef4004e3b99_JaffaCakes118.exe
Token: SeDebugPrivilege	4964	5c2db70f99be448c7ce5eef4004e3b99_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	4964	5c2db70f99be448c7ce5eef4004e3b99_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	4964	5c2db70f99be448c7ce5eef4004e3b99_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	4964	5c2db70f99be448c7ce5eef4004e3b99_JaffaCakes118.exe
Token: SeUndockPrivilege	4964	5c2db70f99be448c7ce5eef4004e3b99_JaffaCakes118.exe
Token: SeManageVolumePrivilege	4964	5c2db70f99be448c7ce5eef4004e3b99_JaffaCakes118.exe
Token: SeImpersonatePrivilege	4964	5c2db70f99be448c7ce5eef4004e3b99_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	4964	5c2db70f99be448c7ce5eef4004e3b99_JaffaCakes118.exe
Token: 33	4964	5c2db70f99be448c7ce5eef4004e3b99_JaffaCakes118.exe
Token: 34	4964	5c2db70f99be448c7ce5eef4004e3b99_JaffaCakes118.exe
Token: 35	4964	5c2db70f99be448c7ce5eef4004e3b99_JaffaCakes118.exe
Token: 36	4964	5c2db70f99be448c7ce5eef4004e3b99_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4964	5c2db70f99be448c7ce5eef4004e3b99_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\5c2db70f99be448c7ce5eef4004e3b99_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5c2db70f99be448c7ce5eef4004e3b99_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4964-1-0x0000000002250000-0x000000000229D000-memory.dmp

Filesize
308KB

Download
memory/4964-0-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/4964-3-0x0000000002300000-0x0000000002310000-memory.dmp

Filesize
64KB

Download
memory/4964-2-0x00000000023C0000-0x00000000023D0000-memory.dmp

Filesize
64KB

Download
memory/4964-7-0x0000000076B90000-0x0000000076B91000-memory.dmp

Filesize
4KB

Download
memory/4964-6-0x00000000024B0000-0x00000000024C0000-memory.dmp

Filesize
64KB

Download
memory/4964-5-0x00000000024B0000-0x00000000024C0000-memory.dmp

Filesize
64KB

Download
memory/4964-4-0x0000000077522000-0x0000000077523000-memory.dmp

Filesize
4KB

Download
memory/4964-8-0x0000000076B70000-0x0000000076C60000-memory.dmp

Filesize
960KB

Download
memory/4964-9-0x0000000076B70000-0x0000000076C60000-memory.dmp

Filesize
960KB

Download
memory/4964-10-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4964-11-0x0000000076B70000-0x0000000076C60000-memory.dmp

Filesize
960KB

Download
memory/4964-12-0x0000000076B70000-0x0000000076C60000-memory.dmp

Filesize
960KB

Download
memory/4964-13-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4964-14-0x0000000002250000-0x000000000229D000-memory.dmp

Filesize
308KB

Download
memory/4964-15-0x00000000023C0000-0x00000000023D0000-memory.dmp

Filesize
64KB

Download
memory/4964-18-0x00000000024B0000-0x00000000024C0000-memory.dmp

Filesize
64KB

Download
memory/4964-17-0x00000000024B0000-0x00000000024C0000-memory.dmp

Filesize
64KB

Download
memory/4964-16-0x0000000002300000-0x0000000002310000-memory.dmp

Filesize
64KB

Download
memory/4964-19-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4964-20-0x0000000076B70000-0x0000000076C60000-memory.dmp

Filesize
960KB

Download
memory/4964-21-0x0000000076B70000-0x0000000076C60000-memory.dmp

Filesize
960KB

Download
memory/4964-23-0x0000000076B70000-0x0000000076C60000-memory.dmp

Filesize
960KB

Download
memory/4964-24-0x0000000076B70000-0x0000000076C60000-memory.dmp

Filesize
960KB

Download
memory/4964-25-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4964-26-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4964-27-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4964-30-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4964-31-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4964-35-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download

Analysis

Sharing