darkcomet | fcac0eac9cbef7839f39df6277e194488ba939f1e20ee6a3717ec2683260b589

General

Target

299da6ce2146d30d0c48ff0fa3422677_JaffaCakes118.exe
Size

388KB
MD5

299da6ce2146d30d0c48ff0fa3422677
SHA1

eca769f84cffdcd16a1706e4dedf9e5863da3058
SHA256

fcac0eac9cbef7839f39df6277e194488ba939f1e20ee6a3717ec2683260b589
SHA512

10703304a7be9c4aee0301750f395d2390cbd46bf4e2fa83acf4d2d19bacd9f0e07a5c5bf979b14b715efa44b354a3727c30d5f3467d663ac8b36ee9c6450c7e
SSDEEP

12288:7V+mzFI6zrRkDhI7RMY7RhI159Rup4fVV:78G9RdNMIg7yyVV

Score

10^/10

darkcomet latentbot rat trojan

Malware Config

Extracted

Family

latentbot

C2

hoangduybmbm.zapto.org

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Control Panel\International\Geo\Nation	299da6ce2146d30d0c48ff0fa3422677_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1216	sever2.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\__tmp_rar_sfx_access_check_240640921	299da6ce2146d30d0c48ff0fa3422677_JaffaCakes118.exe
File created	C:\Windows\sever2.exe	299da6ce2146d30d0c48ff0fa3422677_JaffaCakes118.exe
File opened for modification	C:\Windows\sever2.exe	299da6ce2146d30d0c48ff0fa3422677_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1216	sever2.exe
Token: SeSecurityPrivilege	1216	sever2.exe
Token: SeTakeOwnershipPrivilege	1216	sever2.exe
Token: SeLoadDriverPrivilege	1216	sever2.exe
Token: SeSystemProfilePrivilege	1216	sever2.exe
Token: SeSystemtimePrivilege	1216	sever2.exe
Token: SeProfSingleProcessPrivilege	1216	sever2.exe
Token: SeIncBasePriorityPrivilege	1216	sever2.exe
Token: SeCreatePagefilePrivilege	1216	sever2.exe
Token: SeBackupPrivilege	1216	sever2.exe
Token: SeRestorePrivilege	1216	sever2.exe
Token: SeShutdownPrivilege	1216	sever2.exe
Token: SeDebugPrivilege	1216	sever2.exe
Token: SeSystemEnvironmentPrivilege	1216	sever2.exe
Token: SeChangeNotifyPrivilege	1216	sever2.exe
Token: SeRemoteShutdownPrivilege	1216	sever2.exe
Token: SeUndockPrivilege	1216	sever2.exe
Token: SeManageVolumePrivilege	1216	sever2.exe
Token: SeImpersonatePrivilege	1216	sever2.exe
Token: SeCreateGlobalPrivilege	1216	sever2.exe
Token: 33	1216	sever2.exe
Token: 34	1216	sever2.exe
Token: 35	1216	sever2.exe
Token: 36	1216	sever2.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1216	sever2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 388 wrote to memory of 1216	388	299da6ce2146d30d0c48ff0fa3422677_JaffaCakes118.exe	84
PID 388 wrote to memory of 1216	388	299da6ce2146d30d0c48ff0fa3422677_JaffaCakes118.exe	84
PID 388 wrote to memory of 1216	388	299da6ce2146d30d0c48ff0fa3422677_JaffaCakes118.exe	84
PID 1216 wrote to memory of 4484	1216	sever2.exe	86
PID 1216 wrote to memory of 4484	1216	sever2.exe	86
PID 1216 wrote to memory of 4484	1216	sever2.exe	86
PID 1216 wrote to memory of 4272	1216	sever2.exe	87
PID 1216 wrote to memory of 4272	1216	sever2.exe	87

C:\Users\Admin\AppData\Local\Temp\299da6ce2146d30d0c48ff0fa3422677_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\299da6ce2146d30d0c48ff0fa3422677_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:388
- C:\Windows\sever2.exe
  "C:\Windows\sever2.exe" /sever2.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1216
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:4484
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    PID:4272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\sever2.exe

Filesize
646KB

MD5
132c45e440072a0dad429e11fe6a7286

SHA1
362322eb3a1e8e56af419a654f6495dd424f9c77

SHA256
9ff9ae97b4ca926026ee4dc78c9a23c76d14b8c18fab502b42703d399b00a458

SHA512
57fd00bd820feb618b2f71a16882df5a0013434a98139296874c11d85319246a8d7216a45ae1d110772f4287ada0b9f5df379cfeb8aaeb14b370b8228bc83997

Download Submit
memory/388-12-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1216-13-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/1216-14-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1216-15-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1216-16-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1216-17-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1216-18-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1216-19-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1216-20-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1216-21-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1216-22-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1216-23-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1216-24-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1216-25-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1216-26-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1216-27-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download

Analysis

Sharing