darkcomet | c5df05b4a83356a1dc89c293cde8fec10f71301367340167937b22a67ff1a60a

Analysis

max time kernel
45s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 11:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b20905afab7ce3f2418dec93b97ca68_JaffaCakes118.exe
Size

695KB
MD5

1b20905afab7ce3f2418dec93b97ca68
SHA1

5f8c7967f5bb6cab943ebc126274bc8da9abc4b1
SHA256

c5df05b4a83356a1dc89c293cde8fec10f71301367340167937b22a67ff1a60a
SHA512

25824d8f65f1f740eeedc908964db69e027f774b575f6d633f982d1d827a4865f38aa0bc8b4c3c0ed04850743900204a0fc58b83a85cbe0bec377f09e28ffce8
SSDEEP

12288:xXAOJ1yWPeQsCdnhFw/DdsSn7DTI2M7xO8jJGCEoYg9Nq17CDYhtEb:ryW2LmnhFOsaTpM708dGzg9URIYsb

Score

10^/10

darkcomet rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 1 IoCs

Processes:

hhhhh.exe

pid process

1224 hhhhh.exe

pid	process
1224	hhhhh.exe

Loads dropped DLL 4 IoCs

Processes:

1b20905afab7ce3f2418dec93b97ca68_JaffaCakes118.exe

pid	process
1072	1b20905afab7ce3f2418dec93b97ca68_JaffaCakes118.exe
1072	1b20905afab7ce3f2418dec93b97ca68_JaffaCakes118.exe
1072	1b20905afab7ce3f2418dec93b97ca68_JaffaCakes118.exe
1072	1b20905afab7ce3f2418dec93b97ca68_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

1b20905afab7ce3f2418dec93b97ca68_JaffaCakes118.exehhhhh.exe

description	pid	process
Token: 33	1072	1b20905afab7ce3f2418dec93b97ca68_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1072	1b20905afab7ce3f2418dec93b97ca68_JaffaCakes118.exe
Token: 33	1072	1b20905afab7ce3f2418dec93b97ca68_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1072	1b20905afab7ce3f2418dec93b97ca68_JaffaCakes118.exe
Token: 33	1072	1b20905afab7ce3f2418dec93b97ca68_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1072	1b20905afab7ce3f2418dec93b97ca68_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	1224	hhhhh.exe
Token: SeSecurityPrivilege	1224	hhhhh.exe
Token: SeTakeOwnershipPrivilege	1224	hhhhh.exe
Token: SeLoadDriverPrivilege	1224	hhhhh.exe
Token: SeSystemProfilePrivilege	1224	hhhhh.exe
Token: SeSystemtimePrivilege	1224	hhhhh.exe
Token: SeProfSingleProcessPrivilege	1224	hhhhh.exe
Token: SeIncBasePriorityPrivilege	1224	hhhhh.exe
Token: SeCreatePagefilePrivilege	1224	hhhhh.exe
Token: SeBackupPrivilege	1224	hhhhh.exe
Token: SeRestorePrivilege	1224	hhhhh.exe
Token: SeShutdownPrivilege	1224	hhhhh.exe
Token: SeDebugPrivilege	1224	hhhhh.exe
Token: SeSystemEnvironmentPrivilege	1224	hhhhh.exe
Token: SeChangeNotifyPrivilege	1224	hhhhh.exe
Token: SeRemoteShutdownPrivilege	1224	hhhhh.exe
Token: SeUndockPrivilege	1224	hhhhh.exe
Token: SeManageVolumePrivilege	1224	hhhhh.exe
Token: SeImpersonatePrivilege	1224	hhhhh.exe
Token: SeCreateGlobalPrivilege	1224	hhhhh.exe
Token: 33	1224	hhhhh.exe
Token: 34	1224	hhhhh.exe
Token: 35	1224	hhhhh.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

1912 DllHost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

hhhhh.exe

pid process

1224 hhhhh.exe

pid	process
1912	DllHost.exe

pid	process
1224	hhhhh.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

1b20905afab7ce3f2418dec93b97ca68_JaffaCakes118.exe

description	pid	process	target process
PID 1072 wrote to memory of 1224	1072	1b20905afab7ce3f2418dec93b97ca68_JaffaCakes118.exe	hhhhh.exe
PID 1072 wrote to memory of 1224	1072	1b20905afab7ce3f2418dec93b97ca68_JaffaCakes118.exe	hhhhh.exe
PID 1072 wrote to memory of 1224	1072	1b20905afab7ce3f2418dec93b97ca68_JaffaCakes118.exe	hhhhh.exe
PID 1072 wrote to memory of 1224	1072	1b20905afab7ce3f2418dec93b97ca68_JaffaCakes118.exe	hhhhh.exe

C:\Users\Admin\AppData\Local\Temp\1b20905afab7ce3f2418dec93b97ca68_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1b20905afab7ce3f2418dec93b97ca68_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1072

C:\Users\Admin\AppData\Local\Xenocode\Sandbox\lalala\1.0.0.0\2012.03.27T18.55\Virtual\STUBEXE\@DESKTOP@\hhhhh.exe
"C:\Users\Admin\Desktop\hhhhh.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1224

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1912

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IMGRES.JPG
Filesize
6KB

MD5
150ba2fee08ea1359b03a038f5ba7b5b

SHA1
a9bea1d06b55b0b6739a59cf8dd194f873cdf4de

SHA256
03d2494bf033255f33a0944cec7e183a05bce396a4a70ecf40cc0feeee09f09e

SHA512
58e5644634c656d2ba821ff19f9260f4744db8d47e8e45829a2e08cfb6cf512b581260cf517dcadb04b834d4f2414b82e289e2201a4ceb2919c88c4b306912fb

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\lalala\1.0.0.0\2012.03.27T18.55\Virtual\MODIFIED\@DESKTOP@\hhhhh.exe
Filesize
678KB

MD5
21ddd899bebb63e7278bd22faf14cc8e

SHA1
2fd5b48e83860fc7280c2668235620234f47dbc0

SHA256
cf9dac35e768a7de79b80f31bb811f11d769ae870c8e148493088087d08b3e8f

SHA512
aaa7a5908f7877866a38369de47dc9da4bdb9a0a6519effe377e8ab5f138fdc65e6a28274416b3326a60b4de43b385c128616dc727476423ac367c3a37b52f4b

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\lalala\1.0.0.0\2012.03.27T18.55\Virtual\STUBEXE\@DESKTOP@\hhhhh.exe
Filesize
17KB

MD5
d745f91c57f0044ef93bc7141b66b280

SHA1
344d3b4e00193a9197029996b4a69fb4dcd46d4f

SHA256
906175f44e34e09c85495a3135f60e3e50d1623fab65be9d003298881ecd115b

SHA512
4e86f15ba5e637698df740add3df878de31e8bf37c2b5013031f858514ffce9a7ddbcf3224007a0d3d42140a29eb3e762d398a6b4e99307f089f5c0ce6dfd7d3

Download Submit
memory/1072-30-0x00000000002D0000-0x000000000033C000-memory.dmp

Filesize
432KB

Download
memory/1072-164-0x00000000772C0000-0x00000000772C1000-memory.dmp

Filesize
4KB

Download
memory/1072-7-0x00000000002D0000-0x000000000033C000-memory.dmp

Filesize
432KB

Download
memory/1072-5-0x00000000002D0000-0x000000000033C000-memory.dmp

Filesize
432KB

Download
memory/1072-0-0x00000000002D0000-0x000000000033C000-memory.dmp

Filesize
432KB

Download
memory/1072-23-0x00000000002D0000-0x000000000033C000-memory.dmp

Filesize
432KB

Download
memory/1072-27-0x00000000002D0000-0x000000000033C000-memory.dmp

Filesize
432KB

Download
memory/1072-37-0x00000000002D0000-0x000000000033C000-memory.dmp

Filesize
432KB

Download
memory/1072-50-0x00000000002D0000-0x000000000033C000-memory.dmp

Filesize
432KB

Download
memory/1072-53-0x00000000002D0000-0x000000000033C000-memory.dmp

Filesize
432KB

Download
memory/1072-51-0x00000000002D0000-0x000000000033C000-memory.dmp

Filesize
432KB

Download
memory/1072-41-0x00000000002D0000-0x000000000033C000-memory.dmp

Filesize
432KB

Download
memory/1072-42-0x00000000002D0000-0x000000000033C000-memory.dmp

Filesize
432KB

Download
memory/1072-16-0x00000000002D0000-0x000000000033C000-memory.dmp

Filesize
432KB

Download
memory/1072-34-0x00000000002D0000-0x000000000033C000-memory.dmp

Filesize
432KB

Download
memory/1072-55-0x00000000002D0000-0x000000000033C000-memory.dmp

Filesize
432KB

Download
memory/1072-32-0x00000000002D0000-0x000000000033C000-memory.dmp

Filesize
432KB

Download
memory/1072-3-0x00000000002D0000-0x000000000033C000-memory.dmp

Filesize
432KB

Download
memory/1072-620-0x00000000002D0000-0x000000000033C000-memory.dmp

Filesize
432KB

Download
memory/1072-18-0x00000000002D0000-0x000000000033C000-memory.dmp

Filesize
432KB

Download
memory/1072-39-0x00000000002D0000-0x000000000033C000-memory.dmp

Filesize
432KB

Download
memory/1072-49-0x00000000772C0000-0x00000000772C1000-memory.dmp

Filesize
4KB

Download
memory/1072-48-0x00000000002D0000-0x000000000033C000-memory.dmp

Filesize
432KB

Download
memory/1072-207-0x00000000002D0000-0x000000000033C000-memory.dmp

Filesize
432KB

Download
memory/1072-57-0x00000000002D0000-0x000000000033C000-memory.dmp

Filesize
432KB

Download
memory/1072-59-0x00000000002D0000-0x000000000033C000-memory.dmp

Filesize
432KB

Download
memory/1072-61-0x00000000002D0000-0x000000000033C000-memory.dmp

Filesize
432KB

Download
memory/1072-63-0x00000000002D0000-0x000000000033C000-memory.dmp

Filesize
432KB

Download
memory/1072-65-0x00000000002D0000-0x000000000033C000-memory.dmp

Filesize
432KB

Download
memory/1072-69-0x00000000002D0000-0x000000000033C000-memory.dmp

Filesize
432KB

Download
memory/1072-71-0x00000000002D0000-0x000000000033C000-memory.dmp

Filesize
432KB

Download
memory/1072-67-0x00000000002D0000-0x000000000033C000-memory.dmp

Filesize
432KB

Download
memory/1072-165-0x00000000002D0000-0x000000000033C000-memory.dmp

Filesize
432KB

Download
memory/1072-21-0x00000000002D0000-0x000000000033C000-memory.dmp

Filesize
432KB

Download
memory/1072-8-0x00000000002D0000-0x000000000033C000-memory.dmp

Filesize
432KB

Download
memory/1072-10-0x00000000002D0000-0x000000000033C000-memory.dmp

Filesize
432KB

Download
memory/1072-14-0x00000000002D0000-0x000000000033C000-memory.dmp

Filesize
432KB

Download
memory/1072-26-0x00000000002D0000-0x000000000033C000-memory.dmp

Filesize
432KB

Download
memory/1072-621-0x00000000772C0000-0x00000000772C1000-memory.dmp

Filesize
4KB

Download