darkcomet | 73293d1e3e067e4d43106853085722f88e0f359ce7ae44e4634406c863666cd8

General

Target

2b8dd53e6f531c98472caa5523af90d3_JaffaCakes118.exe
Size

312KB
MD5

2b8dd53e6f531c98472caa5523af90d3
SHA1

991754dd0a9a11b97d330d26e41883c4aa150c2d
SHA256

73293d1e3e067e4d43106853085722f88e0f359ce7ae44e4634406c863666cd8
SHA512

2b5595572def8eafd56d4f2f99abd3284f976ce4330e0f3dc385a6961e3781de15704a3e16f022fe9abd350af0d6b3e0f2719ed07808c23472843ff709de6abe
SSDEEP

6144:0i4HfmxTKCCHblh5sJPZGCTfs3nBmPWMG5O/bU3LQGpQ7GbRFyJFN:y/AGL5KPIAMnDVc/gbL3b/yR

Score

10^/10

darkcomet latentbot essential666 persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Essential666

C2

ztwerfdgdhfjkkl.zapto.org:1607

Mutex

DC_MUTEX-R1W1G2U

Attributes

gencode
dLcTwLSyWqCP
install
false
offline_keylogger
true
persistence
false

Extracted

Family

latentbot

C2

ztwerfdgdhfjkkl.zapto.org

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Users\\Admin\\AppData\\Local\\Temp\\cmdl32.exe A"	reg.exe

Executes dropped EXE 1 IoCs

pid	Process
1576	cmdl32.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2744-13-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/2744-14-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/2744-15-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/2744-16-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/2744-17-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/2744-19-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/2744-20-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/2744-21-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1576 set thread context of 2744	1576	cmdl32.exe	89

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4572	1576	WerFault.exe	88
3124	1576	WerFault.exe	88

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2744	cmdl32.exe
Token: SeSecurityPrivilege	2744	cmdl32.exe
Token: SeTakeOwnershipPrivilege	2744	cmdl32.exe
Token: SeLoadDriverPrivilege	2744	cmdl32.exe
Token: SeSystemProfilePrivilege	2744	cmdl32.exe
Token: SeSystemtimePrivilege	2744	cmdl32.exe
Token: SeProfSingleProcessPrivilege	2744	cmdl32.exe
Token: SeIncBasePriorityPrivilege	2744	cmdl32.exe
Token: SeCreatePagefilePrivilege	2744	cmdl32.exe
Token: SeBackupPrivilege	2744	cmdl32.exe
Token: SeRestorePrivilege	2744	cmdl32.exe
Token: SeShutdownPrivilege	2744	cmdl32.exe
Token: SeDebugPrivilege	2744	cmdl32.exe
Token: SeSystemEnvironmentPrivilege	2744	cmdl32.exe
Token: SeChangeNotifyPrivilege	2744	cmdl32.exe
Token: SeRemoteShutdownPrivilege	2744	cmdl32.exe
Token: SeUndockPrivilege	2744	cmdl32.exe
Token: SeManageVolumePrivilege	2744	cmdl32.exe
Token: SeImpersonatePrivilege	2744	cmdl32.exe
Token: SeCreateGlobalPrivilege	2744	cmdl32.exe
Token: 33	2744	cmdl32.exe
Token: 34	2744	cmdl32.exe
Token: 35	2744	cmdl32.exe
Token: 36	2744	cmdl32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1896	2b8dd53e6f531c98472caa5523af90d3_JaffaCakes118.exe
1576	cmdl32.exe
2744	cmdl32.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 4052	1896	2b8dd53e6f531c98472caa5523af90d3_JaffaCakes118.exe	84
PID 1896 wrote to memory of 4052	1896	2b8dd53e6f531c98472caa5523af90d3_JaffaCakes118.exe	84
PID 1896 wrote to memory of 4052	1896	2b8dd53e6f531c98472caa5523af90d3_JaffaCakes118.exe	84
PID 4052 wrote to memory of 1644	4052	cmd.exe	87
PID 4052 wrote to memory of 1644	4052	cmd.exe	87
PID 4052 wrote to memory of 1644	4052	cmd.exe	87
PID 1896 wrote to memory of 1576	1896	2b8dd53e6f531c98472caa5523af90d3_JaffaCakes118.exe	88
PID 1896 wrote to memory of 1576	1896	2b8dd53e6f531c98472caa5523af90d3_JaffaCakes118.exe	88
PID 1896 wrote to memory of 1576	1896	2b8dd53e6f531c98472caa5523af90d3_JaffaCakes118.exe	88
PID 1576 wrote to memory of 2744	1576	cmdl32.exe	89
PID 1576 wrote to memory of 2744	1576	cmdl32.exe	89
PID 1576 wrote to memory of 2744	1576	cmdl32.exe	89
PID 1576 wrote to memory of 2744	1576	cmdl32.exe	89
PID 1576 wrote to memory of 2744	1576	cmdl32.exe	89
PID 1576 wrote to memory of 2744	1576	cmdl32.exe	89
PID 1576 wrote to memory of 2744	1576	cmdl32.exe	89
PID 1576 wrote to memory of 2744	1576	cmdl32.exe	89

C:\Users\Admin\AppData\Local\Temp\2b8dd53e6f531c98472caa5523af90d3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2b8dd53e6f531c98472caa5523af90d3_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\process.cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4052
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\SOFTWARE\MICROSOFT\Windows NT\CurrentVersion\Winlogon" /v Shell /d "explorer.exe, C:\Users\Admin\AppData\Local\Temp\cmdl32.exe A" /f
    3⤵
    - Modifies WinLogon for persistence
    PID:1644
- C:\Users\Admin\AppData\Local\Temp\cmdl32.exe
  C:\Users\Admin\AppData\Local\Temp\cmdl32.exe A
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Windows\SysWOW64\cmdl32.exe
    "C:\Windows\system32\cmdl32.exe "
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2744
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 688
    3⤵
    - Program crash
    PID:4572
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 716
    3⤵
    - Program crash
    PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1576 -ip 1576
1⤵
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1576 -ip 1576
1⤵
PID:5116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cmdl32.exe

Filesize
312KB

MD5
2b8dd53e6f531c98472caa5523af90d3

SHA1
991754dd0a9a11b97d330d26e41883c4aa150c2d

SHA256
73293d1e3e067e4d43106853085722f88e0f359ce7ae44e4634406c863666cd8

SHA512
2b5595572def8eafd56d4f2f99abd3284f976ce4330e0f3dc385a6961e3781de15704a3e16f022fe9abd350af0d6b3e0f2719ed07808c23472843ff709de6abe

Download Submit
C:\Users\Admin\AppData\Local\Temp\process.cmd

Filesize
159B

MD5
11d48ed83071097d27cbddf4df3b4cf9

SHA1
01f30300ed37d30cf5991321a3e412b083ab8800

SHA256
c14cb563c55b3fa55f482d8975086cb35ce2dfdb238b687425ffba4c5f362219

SHA512
be2f2b450ede74c748ab032e62ed8b225354793e6128480f0df24bcfc5bdb38afb3ed7e966578ec203c3ccf7d257511ec8e80a41b6ad3fb6639935c3c4813e17

Download Submit
memory/1896-0-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2744-13-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2744-14-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2744-15-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2744-16-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2744-17-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2744-18-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/2744-19-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2744-20-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2744-21-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads