darkcomet | 9df6403ffea68f4e3e46da125f0e18590277e482507e87e5c715103334a2029d

Analysis

max time kernel
135s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
14-07-2024 08:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

452287b44889270579355c08e9663733_JaffaCakes118.exe
Size

648KB
MD5

452287b44889270579355c08e9663733
SHA1

8e9fea50314ddf0216d78334bf5544ba03c7b0b0
SHA256

9df6403ffea68f4e3e46da125f0e18590277e482507e87e5c715103334a2029d
SHA512

f64e1599c3f5992041045674ab7cc943cd632cad1e455068b1fc33c0779b5d3992e5a9f034e3cc6df70b90c8db9b0797847cb8683c4762e09c7a06d7744693ad
SSDEEP

12288:g6A84PaHhfD/tV9sj5NKR0pau9XGyu2qBVGLQyTPfhh:lAmBpVKHu0Mu9Xo20VGLVP5h

Score

10^/10

darkcomet latentbot evasion persistence rat trojan

Malware Config

Extracted

Family

latentbot

thelistener.zapto.org

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Windupdt\\winupdate.exe"	452287b44889270579355c08e9663733_JaffaCakes118.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
1304	attrib.exe
3056	attrib.exe

Executes dropped EXE 1 IoCs

pid	Process
3032	winupdate.exe

Loads dropped DLL 4 IoCs

pid	Process
2984	452287b44889270579355c08e9663733_JaffaCakes118.exe
3032	winupdate.exe
3032	winupdate.exe
3032	winupdate.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Users\\Admin\\AppData\\Roaming\\Windupdt\\winupdate.exe"	452287b44889270579355c08e9663733_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Users\\Admin\\AppData\\Roaming\\Windupdt\\winupdate.exe"	winupdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2708	PING.EXE

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2984	452287b44889270579355c08e9663733_JaffaCakes118.exe
Token: SeSecurityPrivilege	2984	452287b44889270579355c08e9663733_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2984	452287b44889270579355c08e9663733_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2984	452287b44889270579355c08e9663733_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2984	452287b44889270579355c08e9663733_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2984	452287b44889270579355c08e9663733_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2984	452287b44889270579355c08e9663733_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2984	452287b44889270579355c08e9663733_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2984	452287b44889270579355c08e9663733_JaffaCakes118.exe
Token: SeBackupPrivilege	2984	452287b44889270579355c08e9663733_JaffaCakes118.exe
Token: SeRestorePrivilege	2984	452287b44889270579355c08e9663733_JaffaCakes118.exe
Token: SeShutdownPrivilege	2984	452287b44889270579355c08e9663733_JaffaCakes118.exe
Token: SeDebugPrivilege	2984	452287b44889270579355c08e9663733_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2984	452287b44889270579355c08e9663733_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2984	452287b44889270579355c08e9663733_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2984	452287b44889270579355c08e9663733_JaffaCakes118.exe
Token: SeUndockPrivilege	2984	452287b44889270579355c08e9663733_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2984	452287b44889270579355c08e9663733_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2984	452287b44889270579355c08e9663733_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2984	452287b44889270579355c08e9663733_JaffaCakes118.exe
Token: 33	2984	452287b44889270579355c08e9663733_JaffaCakes118.exe
Token: 34	2984	452287b44889270579355c08e9663733_JaffaCakes118.exe
Token: 35	2984	452287b44889270579355c08e9663733_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	3032	winupdate.exe
Token: SeSecurityPrivilege	3032	winupdate.exe
Token: SeTakeOwnershipPrivilege	3032	winupdate.exe
Token: SeLoadDriverPrivilege	3032	winupdate.exe
Token: SeSystemProfilePrivilege	3032	winupdate.exe
Token: SeSystemtimePrivilege	3032	winupdate.exe
Token: SeProfSingleProcessPrivilege	3032	winupdate.exe
Token: SeIncBasePriorityPrivilege	3032	winupdate.exe
Token: SeCreatePagefilePrivilege	3032	winupdate.exe
Token: SeBackupPrivilege	3032	winupdate.exe
Token: SeRestorePrivilege	3032	winupdate.exe
Token: SeShutdownPrivilege	3032	winupdate.exe
Token: SeDebugPrivilege	3032	winupdate.exe
Token: SeSystemEnvironmentPrivilege	3032	winupdate.exe
Token: SeChangeNotifyPrivilege	3032	winupdate.exe
Token: SeRemoteShutdownPrivilege	3032	winupdate.exe
Token: SeUndockPrivilege	3032	winupdate.exe
Token: SeManageVolumePrivilege	3032	winupdate.exe
Token: SeImpersonatePrivilege	3032	winupdate.exe
Token: SeCreateGlobalPrivilege	3032	winupdate.exe
Token: 33	3032	winupdate.exe
Token: 34	3032	winupdate.exe
Token: 35	3032	winupdate.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3032	winupdate.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 620	2984	452287b44889270579355c08e9663733_JaffaCakes118.exe	31
PID 2984 wrote to memory of 620	2984	452287b44889270579355c08e9663733_JaffaCakes118.exe	31
PID 2984 wrote to memory of 620	2984	452287b44889270579355c08e9663733_JaffaCakes118.exe	31
PID 2984 wrote to memory of 620	2984	452287b44889270579355c08e9663733_JaffaCakes118.exe	31
PID 2984 wrote to memory of 2072	2984	452287b44889270579355c08e9663733_JaffaCakes118.exe	32
PID 2984 wrote to memory of 2072	2984	452287b44889270579355c08e9663733_JaffaCakes118.exe	32
PID 2984 wrote to memory of 2072	2984	452287b44889270579355c08e9663733_JaffaCakes118.exe	32
PID 2984 wrote to memory of 2072	2984	452287b44889270579355c08e9663733_JaffaCakes118.exe	32
PID 620 wrote to memory of 1304	620	cmd.exe	35
PID 620 wrote to memory of 1304	620	cmd.exe	35
PID 620 wrote to memory of 1304	620	cmd.exe	35
PID 620 wrote to memory of 1304	620	cmd.exe	35
PID 2072 wrote to memory of 3056	2072	cmd.exe	36
PID 2072 wrote to memory of 3056	2072	cmd.exe	36
PID 2072 wrote to memory of 3056	2072	cmd.exe	36
PID 2072 wrote to memory of 3056	2072	cmd.exe	36
PID 2984 wrote to memory of 3032	2984	452287b44889270579355c08e9663733_JaffaCakes118.exe	37
PID 2984 wrote to memory of 3032	2984	452287b44889270579355c08e9663733_JaffaCakes118.exe	37
PID 2984 wrote to memory of 3032	2984	452287b44889270579355c08e9663733_JaffaCakes118.exe	37
PID 2984 wrote to memory of 3032	2984	452287b44889270579355c08e9663733_JaffaCakes118.exe	37
PID 2984 wrote to memory of 3032	2984	452287b44889270579355c08e9663733_JaffaCakes118.exe	37
PID 2984 wrote to memory of 3032	2984	452287b44889270579355c08e9663733_JaffaCakes118.exe	37
PID 2984 wrote to memory of 3032	2984	452287b44889270579355c08e9663733_JaffaCakes118.exe	37
PID 2984 wrote to memory of 2236	2984	452287b44889270579355c08e9663733_JaffaCakes118.exe	38
PID 2984 wrote to memory of 2236	2984	452287b44889270579355c08e9663733_JaffaCakes118.exe	38
PID 2984 wrote to memory of 2236	2984	452287b44889270579355c08e9663733_JaffaCakes118.exe	38
PID 2984 wrote to memory of 2236	2984	452287b44889270579355c08e9663733_JaffaCakes118.exe	38
PID 2236 wrote to memory of 2708	2236	cmd.exe	40
PID 2236 wrote to memory of 2708	2236	cmd.exe	40
PID 2236 wrote to memory of 2708	2236	cmd.exe	40
PID 2236 wrote to memory of 2708	2236	cmd.exe	40

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1304	attrib.exe
3056	attrib.exe

C:\Users\Admin\AppData\Local\Temp\452287b44889270579355c08e9663733_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\452287b44889270579355c08e9663733_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\452287b44889270579355c08e9663733_JaffaCakes118.exe" +s +h
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:620
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\452287b44889270579355c08e9663733_JaffaCakes118.exe" +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1304
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:3056
- C:\Users\Admin\AppData\Roaming\Windupdt\winupdate.exe
  "C:\Users\Admin\AppData\Roaming\Windupdt\winupdate.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3032
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Users\Admin\AppData\Local\Temp\452287b44889270579355c08e9663733_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - Runs ping.exe
    PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Windupdt\winupdate.exe

Filesize
648KB

MD5
452287b44889270579355c08e9663733

SHA1
8e9fea50314ddf0216d78334bf5544ba03c7b0b0

SHA256
9df6403ffea68f4e3e46da125f0e18590277e482507e87e5c715103334a2029d

SHA512
f64e1599c3f5992041045674ab7cc943cd632cad1e455068b1fc33c0779b5d3992e5a9f034e3cc6df70b90c8db9b0797847cb8683c4762e09c7a06d7744693ad

Download Submit
memory/2984-0-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2984-8-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3032-18-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3032-20-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3032-15-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3032-16-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3032-17-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3032-13-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3032-19-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3032-14-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3032-21-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3032-22-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3032-23-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3032-24-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3032-25-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3032-26-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads