darkcomet | eb7184a82acfe5b4fa69514cabebb4dc6f72f4fa6243c6267c284d98bda667b8

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/10/2024, 20:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e97b091d9c83a66ecc69e84f9dcb43d_JaffaCakes118.exe
Size

2.5MB
MD5

5e97b091d9c83a66ecc69e84f9dcb43d
SHA1

f71b7b846bf97b5502e962ba83319dd58ccd7471
SHA256

eb7184a82acfe5b4fa69514cabebb4dc6f72f4fa6243c6267c284d98bda667b8
SHA512

5acb2f6ad617b1ef9eb3362cce390f34976d93eb1291560e45c1e6dc17a87ffc65171dff15d914df6ab44f18dfc5c91bbf85b43a170ded5196668d96924d7a6f
SSDEEP

24576:3doY1DF+ggY1gsMRIdvZ3wjjD4WJ2IRg8Dc1iCxtMPt2yTPILDwVBODr0worP0cO:Gy+gV+RjsWJ6HGPlPnBODgF57zby3Lb

Score

10^/10

darkcomet discovery rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Executes dropped EXE 1 IoCs

pid	Process
2748	AWHP.exe

Loads dropped DLL 1 IoCs

pid	Process
2996	5e97b091d9c83a66ecc69e84f9dcb43d_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2996 set thread context of 2780	2996	5e97b091d9c83a66ecc69e84f9dcb43d_JaffaCakes118.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5e97b091d9c83a66ecc69e84f9dcb43d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AWHP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe
2748	AWHP.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2780	iexplore.exe
Token: SeSecurityPrivilege	2780	iexplore.exe
Token: SeTakeOwnershipPrivilege	2780	iexplore.exe
Token: SeLoadDriverPrivilege	2780	iexplore.exe
Token: SeSystemProfilePrivilege	2780	iexplore.exe
Token: SeSystemtimePrivilege	2780	iexplore.exe
Token: SeProfSingleProcessPrivilege	2780	iexplore.exe
Token: SeIncBasePriorityPrivilege	2780	iexplore.exe
Token: SeCreatePagefilePrivilege	2780	iexplore.exe
Token: SeBackupPrivilege	2780	iexplore.exe
Token: SeRestorePrivilege	2780	iexplore.exe
Token: SeShutdownPrivilege	2780	iexplore.exe
Token: SeDebugPrivilege	2780	iexplore.exe
Token: SeSystemEnvironmentPrivilege	2780	iexplore.exe
Token: SeChangeNotifyPrivilege	2780	iexplore.exe
Token: SeRemoteShutdownPrivilege	2780	iexplore.exe
Token: SeUndockPrivilege	2780	iexplore.exe
Token: SeManageVolumePrivilege	2780	iexplore.exe
Token: SeImpersonatePrivilege	2780	iexplore.exe
Token: SeCreateGlobalPrivilege	2780	iexplore.exe
Token: 33	2780	iexplore.exe
Token: 34	2780	iexplore.exe
Token: 35	2780	iexplore.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2780	iexplore.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 2748	2996	5e97b091d9c83a66ecc69e84f9dcb43d_JaffaCakes118.exe	30
PID 2996 wrote to memory of 2748	2996	5e97b091d9c83a66ecc69e84f9dcb43d_JaffaCakes118.exe	30
PID 2996 wrote to memory of 2748	2996	5e97b091d9c83a66ecc69e84f9dcb43d_JaffaCakes118.exe	30
PID 2996 wrote to memory of 2748	2996	5e97b091d9c83a66ecc69e84f9dcb43d_JaffaCakes118.exe	30
PID 2996 wrote to memory of 2780	2996	5e97b091d9c83a66ecc69e84f9dcb43d_JaffaCakes118.exe	31
PID 2996 wrote to memory of 2780	2996	5e97b091d9c83a66ecc69e84f9dcb43d_JaffaCakes118.exe	31
PID 2996 wrote to memory of 2780	2996	5e97b091d9c83a66ecc69e84f9dcb43d_JaffaCakes118.exe	31
PID 2996 wrote to memory of 2780	2996	5e97b091d9c83a66ecc69e84f9dcb43d_JaffaCakes118.exe	31
PID 2996 wrote to memory of 2780	2996	5e97b091d9c83a66ecc69e84f9dcb43d_JaffaCakes118.exe	31
PID 2996 wrote to memory of 2780	2996	5e97b091d9c83a66ecc69e84f9dcb43d_JaffaCakes118.exe	31
PID 2996 wrote to memory of 2780	2996	5e97b091d9c83a66ecc69e84f9dcb43d_JaffaCakes118.exe	31
PID 2996 wrote to memory of 2780	2996	5e97b091d9c83a66ecc69e84f9dcb43d_JaffaCakes118.exe	31
PID 2996 wrote to memory of 2780	2996	5e97b091d9c83a66ecc69e84f9dcb43d_JaffaCakes118.exe	31
PID 2996 wrote to memory of 2780	2996	5e97b091d9c83a66ecc69e84f9dcb43d_JaffaCakes118.exe	31
PID 2996 wrote to memory of 2780	2996	5e97b091d9c83a66ecc69e84f9dcb43d_JaffaCakes118.exe	31
PID 2996 wrote to memory of 2780	2996	5e97b091d9c83a66ecc69e84f9dcb43d_JaffaCakes118.exe	31
PID 2996 wrote to memory of 2780	2996	5e97b091d9c83a66ecc69e84f9dcb43d_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\5e97b091d9c83a66ecc69e84f9dcb43d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5e97b091d9c83a66ecc69e84f9dcb43d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Users\Admin\AppData\Local\Temp\AWHP.exe
  "C:\Users\Admin\AppData\Local\Temp\AWHP.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2748
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\AWHP.exe

Filesize
1.1MB

MD5
1983c4b53c2117f538b314c5a4600913

SHA1
6c986a1924e7c27111a008e69461845e19efe777

SHA256
d1c63478dfc897cda19bfa7a9094f33913e39125bdd2c389c78f34b8f2e49879

SHA512
54170981a773dd313026f717e67fbccbd0382e84544d1b4811e845ad94ff7de1b9d9aa5db8dcfec7f169b662a7896ce6410ba0234b4cadda0e2c2b254de75a42

Download Submit
memory/2748-11-0x0000000000940000-0x0000000000A56000-memory.dmp

Filesize
1.1MB

Download
memory/2780-8-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2996-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2996-1-0x0000000000270000-0x0000000000274000-memory.dmp

Filesize
16KB

Download
memory/2996-10-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download