darkcomet | 62bc25646fb53fb537e5f7df1a22388ddc86acc54b35702bc33780af37eda5ab

General

Target

0f08c77d123024756eec3a6643bc5a57_JaffaCakes118.exe
Size

797KB
MD5

0f08c77d123024756eec3a6643bc5a57
SHA1

0baf67971c671ed44fd75c5218188d6ea251bec0
SHA256

62bc25646fb53fb537e5f7df1a22388ddc86acc54b35702bc33780af37eda5ab
SHA512

9df9189f706d958aaf201cac619671e240a08edb63bf83bbd95a22ec9190a69afee9b0fac42b3803aa5c7d5a7103cc2aac79046a94aaf25b038f59e3e5a05bb0
SSDEEP

12288:bFLlJnnbWOtz6sVJhvaz1Qc/WdI//vfM4qwrbkniafLo6vUTyl0c/qe:53nbWmJVJFwSddIXvfhqbiaxvRFqe

Score

10^/10

darkcomet latentbot evasion rat trojan upx

Malware Config

Extracted

Family

latentbot

C2

hiluxtoyota.zapto.org

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
4384	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0f08c77d123024756eec3a6643bc5a57_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2652-0-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/2652-6-0x0000000000400000-0x00000000004C9000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2652	0f08c77d123024756eec3a6643bc5a57_JaffaCakes118.exe
Token: SeSecurityPrivilege	2652	0f08c77d123024756eec3a6643bc5a57_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2652	0f08c77d123024756eec3a6643bc5a57_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2652	0f08c77d123024756eec3a6643bc5a57_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2652	0f08c77d123024756eec3a6643bc5a57_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2652	0f08c77d123024756eec3a6643bc5a57_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2652	0f08c77d123024756eec3a6643bc5a57_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2652	0f08c77d123024756eec3a6643bc5a57_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2652	0f08c77d123024756eec3a6643bc5a57_JaffaCakes118.exe
Token: SeBackupPrivilege	2652	0f08c77d123024756eec3a6643bc5a57_JaffaCakes118.exe
Token: SeRestorePrivilege	2652	0f08c77d123024756eec3a6643bc5a57_JaffaCakes118.exe
Token: SeShutdownPrivilege	2652	0f08c77d123024756eec3a6643bc5a57_JaffaCakes118.exe
Token: SeDebugPrivilege	2652	0f08c77d123024756eec3a6643bc5a57_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2652	0f08c77d123024756eec3a6643bc5a57_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2652	0f08c77d123024756eec3a6643bc5a57_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2652	0f08c77d123024756eec3a6643bc5a57_JaffaCakes118.exe
Token: SeUndockPrivilege	2652	0f08c77d123024756eec3a6643bc5a57_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2652	0f08c77d123024756eec3a6643bc5a57_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2652	0f08c77d123024756eec3a6643bc5a57_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2652	0f08c77d123024756eec3a6643bc5a57_JaffaCakes118.exe
Token: 33	2652	0f08c77d123024756eec3a6643bc5a57_JaffaCakes118.exe
Token: 34	2652	0f08c77d123024756eec3a6643bc5a57_JaffaCakes118.exe
Token: 35	2652	0f08c77d123024756eec3a6643bc5a57_JaffaCakes118.exe
Token: 36	2652	0f08c77d123024756eec3a6643bc5a57_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2652	0f08c77d123024756eec3a6643bc5a57_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 1140	2652	0f08c77d123024756eec3a6643bc5a57_JaffaCakes118.exe	81
PID 2652 wrote to memory of 1140	2652	0f08c77d123024756eec3a6643bc5a57_JaffaCakes118.exe	81
PID 2652 wrote to memory of 1140	2652	0f08c77d123024756eec3a6643bc5a57_JaffaCakes118.exe	81
PID 1140 wrote to memory of 4384	1140	cmd.exe	83
PID 1140 wrote to memory of 4384	1140	cmd.exe	83
PID 1140 wrote to memory of 4384	1140	cmd.exe	83

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4384	attrib.exe

C:\Users\Admin\AppData\Local\Temp\0f08c77d123024756eec3a6643bc5a57_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0f08c77d123024756eec3a6643bc5a57_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1140
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\0f08c77d123024756eec3a6643bc5a57_JaffaCakes118.exe" +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:4384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

2

T1564.001

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat

Filesize
101B

MD5
0793a6173c7b65d2c96aef8f79a7adfa

SHA1
f60c8855426e0b8e5e86243b96bd5c605502d143

SHA256
6facb6a5ef438b694764cd8a2b25a931cf8932f88392e464864be487a7cc7468

SHA512
d31ddb211cddaa299fb560b141254668ba4a7396af5ad70af930a3ec0c8c31d61a1333e7bed887c746df8a728f1e3556b17940cadf1d9ca2f12e99f9523c0ff4

Download Submit
memory/2652-0-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2652-1-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/2652-6-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads