darkcomet | a1de09c8da8de9a7c9c82714862048aadcc3871092215a974ad5fbad3abca818

Analysis

max time kernel
140s
max time network
121s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
02-07-2024 04:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1df0c7c729ccdc49e0fc71819412132a_JaffaCakes118.exe
Size

481KB
MD5

1df0c7c729ccdc49e0fc71819412132a
SHA1

ecebd81250c6b16e35d3924a4c39f3c3dd453f90
SHA256

a1de09c8da8de9a7c9c82714862048aadcc3871092215a974ad5fbad3abca818
SHA512

6c568d367881071bfba3cc9139358283e0c172c36574cb7c6106b45865b447f6fa023cf88f1a47356f2c3b01c12c0c8fa67c982515c569664cd386f1dcba0de5
SSDEEP

12288:avqCFCIMdZwuPTkKfVyBltKPsxBVr0Qho:QTCHFkKfcvKPs5oQho

Score

10^/10

darkcomet guest16 rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

127.0.0.1:1604

Mutex

DC_MUTEX-4HXZTX0

Attributes

gencode
k01PruSfoVRz
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Loads dropped DLL 1 IoCs

Processes:

1df0c7c729ccdc49e0fc71819412132a_JaffaCakes118.exe

pid process

2764 1df0c7c729ccdc49e0fc71819412132a_JaffaCakes118.exe

pid	process
2764	1df0c7c729ccdc49e0fc71819412132a_JaffaCakes118.exe

Drops file in System32 directory 4 IoCs

Processes:

1df0c7c729ccdc49e0fc71819412132a_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\PSAPI.DLL	1df0c7c729ccdc49e0fc71819412132a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\PSAPI.DLL	1df0c7c729ccdc49e0fc71819412132a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\unicows.dll	1df0c7c729ccdc49e0fc71819412132a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\unicows.dll	1df0c7c729ccdc49e0fc71819412132a_JaffaCakes118.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3064 2764 WerFault.exe 1df0c7c729ccdc49e0fc71819412132a_JaffaCakes118.exe

pid	pid_target	process	target process
3064	2764	WerFault.exe	1df0c7c729ccdc49e0fc71819412132a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

1df0c7c729ccdc49e0fc71819412132a_JaffaCakes118.exe

description	pid	process	target process
PID 2764 wrote to memory of 3064	2764	1df0c7c729ccdc49e0fc71819412132a_JaffaCakes118.exe	WerFault.exe
PID 2764 wrote to memory of 3064	2764	1df0c7c729ccdc49e0fc71819412132a_JaffaCakes118.exe	WerFault.exe
PID 2764 wrote to memory of 3064	2764	1df0c7c729ccdc49e0fc71819412132a_JaffaCakes118.exe	WerFault.exe
PID 2764 wrote to memory of 3064	2764	1df0c7c729ccdc49e0fc71819412132a_JaffaCakes118.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\1df0c7c729ccdc49e0fc71819412132a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1df0c7c729ccdc49e0fc71819412132a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 276
2⤵
- Program crash
PID:3064

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\unicows.dll
Filesize
240KB

MD5
006401678cfbccbcb97e405e2f83d2fa

SHA1
0976db1b5b9aa69e77fa25c35c8189e3ef851ffc

SHA256
a491c11f667fda3fb3311f6221bca15e4da159df4c12f7a7a0cfbf99f2b7c60b

SHA512
ef24dd6c6781c843a9730622f44d260e8db4fc365726aa918805d336c1f25659cf43df7400efd4307da3cca54c2e9c4f4cfbf3c10d974d37a4033c9624cc8d92

Download Submit
memory/2764-2-0x00000000002E0000-0x000000000031E000-memory.dmp

Filesize
248KB

Download
memory/2764-4-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2764-5-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download