darkcomet | 4425a0f5f1477aeb078c2804585fbf3b4fcebdf4b04c9cd1d4180360292dd074

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-12-2024 03:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dcbb6cc58824f44953cca1d144e82a81_JaffaCakes118.exe
Size

758KB
MD5

dcbb6cc58824f44953cca1d144e82a81
SHA1

2a99a14086d196ca3181a2f9e35a3e7d7573daaa
SHA256

4425a0f5f1477aeb078c2804585fbf3b4fcebdf4b04c9cd1d4180360292dd074
SHA512

78875f13664ab95bb2fbb7ca830e3821eb49cabc7c36d39a648c792be53859066f6c9ddf9735c76096d33c39c2154fd8b28dd21e88852e9c3ebe6820e376e2eb
SSDEEP

12288:BXhpvNWw276S/DuoeFcfbmiJ99VPhYR5MTSHvLenELrWv1lZw4JuMkMh/fy452Uo:NnAw2WWeFcfbP9VPSPMTSPL/rWvzq4JY

Score

10^/10

darkcomet guest16 discovery rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

41.201.107.142:1604

Mutex

DC_MUTEX-ZTGW4GN

Attributes

gencode
RJwY9vmQBcWc
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	dcbb6cc58824f44953cca1d144e82a81_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dcbb6cc58824f44953cca1d144e82a81_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2180	dcbb6cc58824f44953cca1d144e82a81_JaffaCakes118.exe
Token: SeSecurityPrivilege	2180	dcbb6cc58824f44953cca1d144e82a81_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2180	dcbb6cc58824f44953cca1d144e82a81_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2180	dcbb6cc58824f44953cca1d144e82a81_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2180	dcbb6cc58824f44953cca1d144e82a81_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2180	dcbb6cc58824f44953cca1d144e82a81_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2180	dcbb6cc58824f44953cca1d144e82a81_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2180	dcbb6cc58824f44953cca1d144e82a81_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2180	dcbb6cc58824f44953cca1d144e82a81_JaffaCakes118.exe
Token: SeBackupPrivilege	2180	dcbb6cc58824f44953cca1d144e82a81_JaffaCakes118.exe
Token: SeRestorePrivilege	2180	dcbb6cc58824f44953cca1d144e82a81_JaffaCakes118.exe
Token: SeShutdownPrivilege	2180	dcbb6cc58824f44953cca1d144e82a81_JaffaCakes118.exe
Token: SeDebugPrivilege	2180	dcbb6cc58824f44953cca1d144e82a81_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2180	dcbb6cc58824f44953cca1d144e82a81_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2180	dcbb6cc58824f44953cca1d144e82a81_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2180	dcbb6cc58824f44953cca1d144e82a81_JaffaCakes118.exe
Token: SeUndockPrivilege	2180	dcbb6cc58824f44953cca1d144e82a81_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2180	dcbb6cc58824f44953cca1d144e82a81_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2180	dcbb6cc58824f44953cca1d144e82a81_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2180	dcbb6cc58824f44953cca1d144e82a81_JaffaCakes118.exe
Token: 33	2180	dcbb6cc58824f44953cca1d144e82a81_JaffaCakes118.exe
Token: 34	2180	dcbb6cc58824f44953cca1d144e82a81_JaffaCakes118.exe
Token: 35	2180	dcbb6cc58824f44953cca1d144e82a81_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2180	dcbb6cc58824f44953cca1d144e82a81_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\dcbb6cc58824f44953cca1d144e82a81_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dcbb6cc58824f44953cca1d144e82a81_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2180-1-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2180-2-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2180-4-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download