darkcomet | 6021402cc965e4a5aa9839472755d41b525a30f502a7e7eab53ba6935b185438

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2024 00:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2087d593169373cd54691f23372cd22c_JaffaCakes118.exe
Size

2.9MB
MD5

2087d593169373cd54691f23372cd22c
SHA1

1377c985247c1157ccc77fd831a180d65d376b22
SHA256

6021402cc965e4a5aa9839472755d41b525a30f502a7e7eab53ba6935b185438
SHA512

9b234052d10378e100d10e9262cb05a600b46ce7ab38bae137a30f2de9040d246aa5446133d4f7054266ad32a4dc1ff9e11f1ae04b3177cf810b4986ad4274e5
SSDEEP

49152:ge9MZIvECZNdyOa0LgLqGEyTMQCGhO7qMM2RPME3Ap:gUEAIOa0aFTyqNQxQp

Score

10^/10

darkcomet latentbot persistence rat trojan

Malware Config

Extracted

Family

latentbot

eiterforunkel.zapto.org

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	2087d593169373cd54691f23372cd22c_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	2087d593169373cd54691f23372cd22c_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
4212	SPKRYPT.EXE
1472	msdcsc.exe
3964	msdcsc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	2087d593169373cd54691f23372cd22c_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2588 set thread context of 5112	2588	2087d593169373cd54691f23372cd22c_JaffaCakes118.exe	88
PID 1472 set thread context of 3964	1472	msdcsc.exe	91

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2087d593169373cd54691f23372cd22c_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	5112	2087d593169373cd54691f23372cd22c_JaffaCakes118.exe
Token: SeSecurityPrivilege	5112	2087d593169373cd54691f23372cd22c_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	5112	2087d593169373cd54691f23372cd22c_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	5112	2087d593169373cd54691f23372cd22c_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	5112	2087d593169373cd54691f23372cd22c_JaffaCakes118.exe
Token: SeSystemtimePrivilege	5112	2087d593169373cd54691f23372cd22c_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	5112	2087d593169373cd54691f23372cd22c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	5112	2087d593169373cd54691f23372cd22c_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	5112	2087d593169373cd54691f23372cd22c_JaffaCakes118.exe
Token: SeBackupPrivilege	5112	2087d593169373cd54691f23372cd22c_JaffaCakes118.exe
Token: SeRestorePrivilege	5112	2087d593169373cd54691f23372cd22c_JaffaCakes118.exe
Token: SeShutdownPrivilege	5112	2087d593169373cd54691f23372cd22c_JaffaCakes118.exe
Token: SeDebugPrivilege	5112	2087d593169373cd54691f23372cd22c_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	5112	2087d593169373cd54691f23372cd22c_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	5112	2087d593169373cd54691f23372cd22c_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	5112	2087d593169373cd54691f23372cd22c_JaffaCakes118.exe
Token: SeUndockPrivilege	5112	2087d593169373cd54691f23372cd22c_JaffaCakes118.exe
Token: SeManageVolumePrivilege	5112	2087d593169373cd54691f23372cd22c_JaffaCakes118.exe
Token: SeImpersonatePrivilege	5112	2087d593169373cd54691f23372cd22c_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	5112	2087d593169373cd54691f23372cd22c_JaffaCakes118.exe
Token: 33	5112	2087d593169373cd54691f23372cd22c_JaffaCakes118.exe
Token: 34	5112	2087d593169373cd54691f23372cd22c_JaffaCakes118.exe
Token: 35	5112	2087d593169373cd54691f23372cd22c_JaffaCakes118.exe
Token: 36	5112	2087d593169373cd54691f23372cd22c_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	3964	msdcsc.exe
Token: SeSecurityPrivilege	3964	msdcsc.exe
Token: SeTakeOwnershipPrivilege	3964	msdcsc.exe
Token: SeLoadDriverPrivilege	3964	msdcsc.exe
Token: SeSystemProfilePrivilege	3964	msdcsc.exe
Token: SeSystemtimePrivilege	3964	msdcsc.exe
Token: SeProfSingleProcessPrivilege	3964	msdcsc.exe
Token: SeIncBasePriorityPrivilege	3964	msdcsc.exe
Token: SeCreatePagefilePrivilege	3964	msdcsc.exe
Token: SeBackupPrivilege	3964	msdcsc.exe
Token: SeRestorePrivilege	3964	msdcsc.exe
Token: SeShutdownPrivilege	3964	msdcsc.exe
Token: SeDebugPrivilege	3964	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	3964	msdcsc.exe
Token: SeChangeNotifyPrivilege	3964	msdcsc.exe
Token: SeRemoteShutdownPrivilege	3964	msdcsc.exe
Token: SeUndockPrivilege	3964	msdcsc.exe
Token: SeManageVolumePrivilege	3964	msdcsc.exe
Token: SeImpersonatePrivilege	3964	msdcsc.exe
Token: SeCreateGlobalPrivilege	3964	msdcsc.exe
Token: 33	3964	msdcsc.exe
Token: 34	3964	msdcsc.exe
Token: 35	3964	msdcsc.exe
Token: 36	3964	msdcsc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2588	2087d593169373cd54691f23372cd22c_JaffaCakes118.exe
4212	SPKRYPT.EXE
1472	msdcsc.exe
3964	msdcsc.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 5112	2588	2087d593169373cd54691f23372cd22c_JaffaCakes118.exe	88
PID 2588 wrote to memory of 5112	2588	2087d593169373cd54691f23372cd22c_JaffaCakes118.exe	88
PID 2588 wrote to memory of 5112	2588	2087d593169373cd54691f23372cd22c_JaffaCakes118.exe	88
PID 2588 wrote to memory of 5112	2588	2087d593169373cd54691f23372cd22c_JaffaCakes118.exe	88
PID 2588 wrote to memory of 5112	2588	2087d593169373cd54691f23372cd22c_JaffaCakes118.exe	88
PID 2588 wrote to memory of 5112	2588	2087d593169373cd54691f23372cd22c_JaffaCakes118.exe	88
PID 2588 wrote to memory of 5112	2588	2087d593169373cd54691f23372cd22c_JaffaCakes118.exe	88
PID 2588 wrote to memory of 5112	2588	2087d593169373cd54691f23372cd22c_JaffaCakes118.exe	88
PID 2588 wrote to memory of 5112	2588	2087d593169373cd54691f23372cd22c_JaffaCakes118.exe	88
PID 2588 wrote to memory of 5112	2588	2087d593169373cd54691f23372cd22c_JaffaCakes118.exe	88
PID 2588 wrote to memory of 5112	2588	2087d593169373cd54691f23372cd22c_JaffaCakes118.exe	88
PID 2588 wrote to memory of 5112	2588	2087d593169373cd54691f23372cd22c_JaffaCakes118.exe	88
PID 2588 wrote to memory of 5112	2588	2087d593169373cd54691f23372cd22c_JaffaCakes118.exe	88
PID 2588 wrote to memory of 5112	2588	2087d593169373cd54691f23372cd22c_JaffaCakes118.exe	88
PID 5112 wrote to memory of 4212	5112	2087d593169373cd54691f23372cd22c_JaffaCakes118.exe	89
PID 5112 wrote to memory of 4212	5112	2087d593169373cd54691f23372cd22c_JaffaCakes118.exe	89
PID 5112 wrote to memory of 4212	5112	2087d593169373cd54691f23372cd22c_JaffaCakes118.exe	89
PID 5112 wrote to memory of 1472	5112	2087d593169373cd54691f23372cd22c_JaffaCakes118.exe	90
PID 5112 wrote to memory of 1472	5112	2087d593169373cd54691f23372cd22c_JaffaCakes118.exe	90
PID 5112 wrote to memory of 1472	5112	2087d593169373cd54691f23372cd22c_JaffaCakes118.exe	90
PID 1472 wrote to memory of 3964	1472	msdcsc.exe	91
PID 1472 wrote to memory of 3964	1472	msdcsc.exe	91
PID 1472 wrote to memory of 3964	1472	msdcsc.exe	91
PID 1472 wrote to memory of 3964	1472	msdcsc.exe	91
PID 1472 wrote to memory of 3964	1472	msdcsc.exe	91
PID 1472 wrote to memory of 3964	1472	msdcsc.exe	91
PID 1472 wrote to memory of 3964	1472	msdcsc.exe	91
PID 1472 wrote to memory of 3964	1472	msdcsc.exe	91
PID 1472 wrote to memory of 3964	1472	msdcsc.exe	91
PID 1472 wrote to memory of 3964	1472	msdcsc.exe	91
PID 1472 wrote to memory of 3964	1472	msdcsc.exe	91
PID 1472 wrote to memory of 3964	1472	msdcsc.exe	91
PID 1472 wrote to memory of 3964	1472	msdcsc.exe	91
PID 1472 wrote to memory of 3964	1472	msdcsc.exe	91

C:\Users\Admin\AppData\Local\Temp\2087d593169373cd54691f23372cd22c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2087d593169373cd54691f23372cd22c_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Users\Admin\AppData\Local\Temp\2087d593169373cd54691f23372cd22c_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\2087d593169373cd54691f23372cd22c_JaffaCakes118.exe
  2⤵
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5112
- - C:\Users\Admin\AppData\Local\Temp\SPKRYPT.EXE
    "C:\Users\Admin\AppData\Local\Temp\SPKRYPT.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4212
- - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1472
  - - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4256,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=1300 /prefetch:8
1⤵
PID:3636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SPKRYPT.EXE

Filesize
2.0MB

MD5
73250b9009eb2d932c417236bf8ec197

SHA1
d6ff104b065f21c9503bd9b40809582b242afd5b

SHA256
2c6a4311e4e5216f81ebd16b7ba0042a20f3591d9e4bdf50221ed0ba9ee0a9f9

SHA512
ae7629bfc227de71ce76d76d1c7681a4fb1b1ccc413618f222db12ef30d6a06b7e56ac10f5d3f1cc34adabcbd7f739297e6a5ee313b6ce120ad5281b83410ab8

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
2.9MB

MD5
2087d593169373cd54691f23372cd22c

SHA1
1377c985247c1157ccc77fd831a180d65d376b22

SHA256
6021402cc965e4a5aa9839472755d41b525a30f502a7e7eab53ba6935b185438

SHA512
9b234052d10378e100d10e9262cb05a600b46ce7ab38bae137a30f2de9040d246aa5446133d4f7054266ad32a4dc1ff9e11f1ae04b3177cf810b4986ad4274e5

Download Submit
memory/3964-100-0x0000000000400000-0x00000000006C1000-memory.dmp

Filesize
2.8MB

Download
memory/3964-89-0x0000000000400000-0x00000000006C1000-memory.dmp

Filesize
2.8MB

Download
memory/3964-95-0x0000000000400000-0x00000000006C1000-memory.dmp

Filesize
2.8MB

Download
memory/3964-94-0x0000000000400000-0x00000000006C1000-memory.dmp

Filesize
2.8MB

Download
memory/3964-93-0x0000000000400000-0x00000000006C1000-memory.dmp

Filesize
2.8MB

Download
memory/3964-105-0x0000000000400000-0x00000000006C1000-memory.dmp

Filesize
2.8MB

Download
memory/3964-87-0x0000000000400000-0x00000000006C1000-memory.dmp

Filesize
2.8MB

Download
memory/3964-88-0x0000000000400000-0x00000000006C1000-memory.dmp

Filesize
2.8MB

Download
memory/3964-91-0x0000000000400000-0x00000000006C1000-memory.dmp

Filesize
2.8MB

Download
memory/3964-101-0x0000000000400000-0x00000000006C1000-memory.dmp

Filesize
2.8MB

Download
memory/3964-90-0x0000000000400000-0x00000000006C1000-memory.dmp

Filesize
2.8MB

Download
memory/3964-92-0x0000000000400000-0x00000000006C1000-memory.dmp

Filesize
2.8MB

Download
memory/3964-106-0x0000000000400000-0x00000000006C1000-memory.dmp

Filesize
2.8MB

Download
memory/3964-104-0x0000000000400000-0x00000000006C1000-memory.dmp

Filesize
2.8MB

Download
memory/3964-103-0x0000000000400000-0x00000000006C1000-memory.dmp

Filesize
2.8MB

Download
memory/3964-96-0x0000000000400000-0x00000000006C1000-memory.dmp

Filesize
2.8MB

Download
memory/3964-97-0x0000000000400000-0x00000000006C1000-memory.dmp

Filesize
2.8MB

Download
memory/3964-98-0x0000000000400000-0x00000000006C1000-memory.dmp

Filesize
2.8MB

Download
memory/3964-99-0x0000000000400000-0x00000000006C1000-memory.dmp

Filesize
2.8MB

Download
memory/3964-102-0x0000000000400000-0x00000000006C1000-memory.dmp

Filesize
2.8MB

Download
memory/5112-9-0x0000000000400000-0x00000000006C1000-memory.dmp

Filesize
2.8MB

Download
memory/5112-3-0x0000000000400000-0x00000000006C1000-memory.dmp

Filesize
2.8MB

Download
memory/5112-4-0x0000000000400000-0x00000000006C1000-memory.dmp

Filesize
2.8MB

Download
memory/5112-5-0x0000000000400000-0x00000000006C1000-memory.dmp

Filesize
2.8MB

Download
memory/5112-80-0x0000000000400000-0x00000000006C1000-memory.dmp

Filesize
2.8MB

Download
memory/5112-2-0x0000000000400000-0x00000000006C1000-memory.dmp

Filesize
2.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads