darkcomet | ea8e4fda194c9b93c80f62c549b342e06c7079d25a73180f0699775e31c7371b

General

Target

678c941e97351d00c4ad788f517a3005_JaffaCakes118.exe
Size

521KB
MD5

678c941e97351d00c4ad788f517a3005
SHA1

e7f445ad79f4aa13c37e8d7ee3a0ab10c805ac03
SHA256

ea8e4fda194c9b93c80f62c549b342e06c7079d25a73180f0699775e31c7371b
SHA512

97f1cbfb6d92e3b4acb6d6396af4efd4d6dca78ec24dfb5e9eebe73647500477cb6fe37ef115d5e404a64c341602a33073b569710bf2b466781b35d628bd35be
SSDEEP

12288:wAun8MBDxCWo9kvrVHeeC3T2+Asgoi7YxX97ni7c:wAun8MBgWukNC3hhiWNnt

Score

10^/10

darkcomet guest16 rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

ab11.no-ip.biz:1604

Mutex

DC_MUTEX-ENK4SB4

Attributes

gencode
dqVWNGpFujjS
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1960-3-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1960-7-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1960-4-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1960-8-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1960-9-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1960-10-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1960-11-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1960-15-0x0000000000400000-0x00000000004BA000-memory.dmp	upx

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1232 set thread context of 1960	1232	678c941e97351d00c4ad788f517a3005_JaffaCakes118.exe	30
PID 1960 set thread context of 2240	1960	678c941e97351d00c4ad788f517a3005_JaffaCakes118.exe	31
PID 2240 set thread context of 2012	2240	iexplore.exe	32

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1960	678c941e97351d00c4ad788f517a3005_JaffaCakes118.exe
Token: SeSecurityPrivilege	1960	678c941e97351d00c4ad788f517a3005_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	1960	678c941e97351d00c4ad788f517a3005_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	1960	678c941e97351d00c4ad788f517a3005_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	1960	678c941e97351d00c4ad788f517a3005_JaffaCakes118.exe
Token: SeSystemtimePrivilege	1960	678c941e97351d00c4ad788f517a3005_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	1960	678c941e97351d00c4ad788f517a3005_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1960	678c941e97351d00c4ad788f517a3005_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	1960	678c941e97351d00c4ad788f517a3005_JaffaCakes118.exe
Token: SeBackupPrivilege	1960	678c941e97351d00c4ad788f517a3005_JaffaCakes118.exe
Token: SeRestorePrivilege	1960	678c941e97351d00c4ad788f517a3005_JaffaCakes118.exe
Token: SeShutdownPrivilege	1960	678c941e97351d00c4ad788f517a3005_JaffaCakes118.exe
Token: SeDebugPrivilege	1960	678c941e97351d00c4ad788f517a3005_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	1960	678c941e97351d00c4ad788f517a3005_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	1960	678c941e97351d00c4ad788f517a3005_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	1960	678c941e97351d00c4ad788f517a3005_JaffaCakes118.exe
Token: SeUndockPrivilege	1960	678c941e97351d00c4ad788f517a3005_JaffaCakes118.exe
Token: SeManageVolumePrivilege	1960	678c941e97351d00c4ad788f517a3005_JaffaCakes118.exe
Token: SeImpersonatePrivilege	1960	678c941e97351d00c4ad788f517a3005_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	1960	678c941e97351d00c4ad788f517a3005_JaffaCakes118.exe
Token: 33	1960	678c941e97351d00c4ad788f517a3005_JaffaCakes118.exe
Token: 34	1960	678c941e97351d00c4ad788f517a3005_JaffaCakes118.exe
Token: 35	1960	678c941e97351d00c4ad788f517a3005_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1232	678c941e97351d00c4ad788f517a3005_JaffaCakes118.exe
2240	iexplore.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 1960	1232	678c941e97351d00c4ad788f517a3005_JaffaCakes118.exe	30
PID 1232 wrote to memory of 1960	1232	678c941e97351d00c4ad788f517a3005_JaffaCakes118.exe	30
PID 1232 wrote to memory of 1960	1232	678c941e97351d00c4ad788f517a3005_JaffaCakes118.exe	30
PID 1232 wrote to memory of 1960	1232	678c941e97351d00c4ad788f517a3005_JaffaCakes118.exe	30
PID 1232 wrote to memory of 1960	1232	678c941e97351d00c4ad788f517a3005_JaffaCakes118.exe	30
PID 1232 wrote to memory of 1960	1232	678c941e97351d00c4ad788f517a3005_JaffaCakes118.exe	30
PID 1232 wrote to memory of 1960	1232	678c941e97351d00c4ad788f517a3005_JaffaCakes118.exe	30
PID 1232 wrote to memory of 1960	1232	678c941e97351d00c4ad788f517a3005_JaffaCakes118.exe	30
PID 1232 wrote to memory of 1960	1232	678c941e97351d00c4ad788f517a3005_JaffaCakes118.exe	30
PID 1960 wrote to memory of 2240	1960	678c941e97351d00c4ad788f517a3005_JaffaCakes118.exe	31
PID 1960 wrote to memory of 2240	1960	678c941e97351d00c4ad788f517a3005_JaffaCakes118.exe	31
PID 1960 wrote to memory of 2240	1960	678c941e97351d00c4ad788f517a3005_JaffaCakes118.exe	31
PID 1960 wrote to memory of 2240	1960	678c941e97351d00c4ad788f517a3005_JaffaCakes118.exe	31
PID 1960 wrote to memory of 2240	1960	678c941e97351d00c4ad788f517a3005_JaffaCakes118.exe	31
PID 1960 wrote to memory of 2240	1960	678c941e97351d00c4ad788f517a3005_JaffaCakes118.exe	31
PID 2240 wrote to memory of 2012	2240	iexplore.exe	32
PID 2240 wrote to memory of 2012	2240	iexplore.exe	32
PID 2240 wrote to memory of 2012	2240	iexplore.exe	32
PID 2240 wrote to memory of 2012	2240	iexplore.exe	32
PID 2240 wrote to memory of 2012	2240	iexplore.exe	32
PID 2240 wrote to memory of 2012	2240	iexplore.exe	32
PID 2240 wrote to memory of 2012	2240	iexplore.exe	32
PID 2240 wrote to memory of 2012	2240	iexplore.exe	32
PID 2240 wrote to memory of 2012	2240	iexplore.exe	32

C:\Users\Admin\AppData\Local\Temp\678c941e97351d00c4ad788f517a3005_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\678c941e97351d00c4ad788f517a3005_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Users\Admin\AppData\Local\Temp\678c941e97351d00c4ad788f517a3005_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\678c941e97351d00c4ad788f517a3005_JaffaCakes118.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2240
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      4⤵
      PID:2012

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1232-0-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/1232-6-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/1960-3-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1960-7-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1960-4-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1960-8-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1960-9-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1960-10-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1960-11-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1960-15-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2240-12-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing