darkcomet | c71228dd40c9cca4cf7dbd4d36bd92b3857ce006fbdadba7607457d8d04678e5

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
27-06-2024 09:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
Size

1.4MB
MD5

1593241035013c441a7a4b0facf68d11
SHA1

ebb2690cc893204a574ca94945d76359f88edd8b
SHA256

c71228dd40c9cca4cf7dbd4d36bd92b3857ce006fbdadba7607457d8d04678e5
SHA512

318945ed544a202c4ec8d09bce921ef3c9c9336dee16f633106cbebca7fa53b09dc390fafe024d214f4392eb46a6c08b6d5467876ad31693b110eda20fa2c5fd
SSDEEP

24576:knAw2WWeFcfbP9VPSPMTSPL/rWvzq4JJfpkgX51oiyzZozG7XVNyVbZ:OELbVMTrOq4GgX51py17XnyxZ

Score

10^/10

darkcomet guest16 rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

dr-hacker.no-ip.org:81

Mutex

DC_MUTEX-F54S21D

Attributes

gencode
4mFiu4NvJRJC
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 2 IoCs

Processes:

GAMEZER POINT EDITER.EXEGAMEZER POINT EDITER.EXE

pid process

2644 GAMEZER POINT EDITER.EXE
2692 GAMEZER POINT EDITER.EXE
Loads dropped DLL 2 IoCs

Processes:

1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe

pid process

2176 1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
2176 1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2644	GAMEZER POINT EDITER.EXE
2692	GAMEZER POINT EDITER.EXE

pid	process
2176	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
2176	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2176	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
Token: SeSecurityPrivilege	2176	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2176	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2176	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2176	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2176	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2176	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2176	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2176	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
Token: SeBackupPrivilege	2176	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
Token: SeRestorePrivilege	2176	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
Token: SeShutdownPrivilege	2176	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
Token: SeDebugPrivilege	2176	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2176	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2176	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2176	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
Token: SeUndockPrivilege	2176	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2176	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2176	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2176	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
Token: 33	2176	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
Token: 34	2176	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
Token: 35	2176	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe

pid process

2176 1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe

pid	process
2176	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe

description	pid	process	target process
PID 2176 wrote to memory of 2644	2176	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe	GAMEZER POINT EDITER.EXE
PID 2176 wrote to memory of 2644	2176	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe	GAMEZER POINT EDITER.EXE
PID 2176 wrote to memory of 2644	2176	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe	GAMEZER POINT EDITER.EXE
PID 2176 wrote to memory of 2644	2176	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe	GAMEZER POINT EDITER.EXE
PID 2176 wrote to memory of 2692	2176	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe	GAMEZER POINT EDITER.EXE
PID 2176 wrote to memory of 2692	2176	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe	GAMEZER POINT EDITER.EXE
PID 2176 wrote to memory of 2692	2176	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe	GAMEZER POINT EDITER.EXE
PID 2176 wrote to memory of 2692	2176	1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe	GAMEZER POINT EDITER.EXE

C:\Users\Admin\AppData\Local\Temp\1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1593241035013c441a7a4b0facf68d11_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2176

C:\Users\Admin\AppData\Local\Temp\GAMEZER POINT EDITER.EXE
"C:\Users\Admin\AppData\Local\Temp\GAMEZER POINT EDITER.EXE"
2⤵
- Executes dropped EXE
PID:2644

C:\Users\Admin\AppData\Local\Temp\GAMEZER POINT EDITER.EXE
"C:\Users\Admin\AppData\Local\Temp\GAMEZER POINT EDITER.EXE"
2⤵
- Executes dropped EXE
PID:2692

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\GAMEZER POINT EDITER.EXE
Filesize
315KB

MD5
cde53926cc3102f8dc248675cadb45f2

SHA1
fd54ace3fc301c53e3772613970247556adfc634

SHA256
8a8536d5a062633abf2b6657347b919e30146cca4be04bd10d141d7dff95dc77

SHA512
06d81e13bda87f4cfe4d3bff538beafa4fe3a2a69d3325f43c6897803a43aa0d784413c86404fe940977a180593c7bfcad6f778650ad4f5d0a283ec894e78de4

Download Submit
memory/2176-25-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2176-44-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2176-5-0x00000000771BF000-0x00000000771C0000-memory.dmp

Filesize
4KB

Download
memory/2176-4-0x00000000771C0000-0x00000000771C1000-memory.dmp

Filesize
4KB

Download
memory/2176-3-0x0000000000290000-0x00000000002A0000-memory.dmp

Filesize
64KB

Download
memory/2176-2-0x00000000002B0000-0x00000000002C0000-memory.dmp

Filesize
64KB

Download
memory/2176-1-0x0000000001EA0000-0x0000000001ED9000-memory.dmp

Filesize
228KB

Download
memory/2176-0-0x0000000000260000-0x0000000000264000-memory.dmp

Filesize
16KB

Download
memory/2176-30-0x00000000002B0000-0x00000000002C0000-memory.dmp

Filesize
64KB

Download
memory/2176-10-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2176-11-0x0000000001FB0000-0x00000000020B0000-memory.dmp

Filesize
1024KB

Download
memory/2176-13-0x0000000076CA9000-0x0000000076CAA000-memory.dmp

Filesize
4KB

Download
memory/2176-7-0x00000000002B0000-0x00000000002C0000-memory.dmp

Filesize
64KB

Download
memory/2176-45-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2176-29-0x0000000000280000-0x0000000000290000-memory.dmp

Filesize
64KB

Download
memory/2176-43-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2176-42-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2176-8-0x00000000771C1000-0x00000000771C2000-memory.dmp

Filesize
4KB

Download
memory/2176-9-0x00000000771F8000-0x00000000771F9000-memory.dmp

Filesize
4KB

Download
memory/2176-6-0x0000000000280000-0x0000000000290000-memory.dmp

Filesize
64KB

Download
memory/2176-41-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2176-27-0x00000000002B0000-0x00000000002C0000-memory.dmp

Filesize
64KB

Download
memory/2176-26-0x0000000001EA0000-0x0000000001ED9000-memory.dmp

Filesize
228KB

Download
memory/2176-31-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2176-40-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2176-28-0x0000000000290000-0x00000000002A0000-memory.dmp

Filesize
64KB

Download
memory/2176-34-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2176-35-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2176-36-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2176-37-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2176-38-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2176-39-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2644-32-0x000007FEF4560000-0x000007FEF4EFD000-memory.dmp

Filesize
9.6MB

Download
memory/2644-33-0x000007FEF481E000-0x000007FEF481F000-memory.dmp

Filesize
4KB

Download
memory/2644-24-0x000007FEF4560000-0x000007FEF4EFD000-memory.dmp

Filesize
9.6MB

Download
memory/2644-21-0x000007FEF4560000-0x000007FEF4EFD000-memory.dmp

Filesize
9.6MB

Download
memory/2644-20-0x000007FEF4560000-0x000007FEF4EFD000-memory.dmp

Filesize
9.6MB

Download
memory/2644-19-0x000007FEF481E000-0x000007FEF481F000-memory.dmp

Filesize
4KB

Download