darkcomet | f805abca58f0933dc66b09f7b9886394a92d481343df2851415f673b2b7ca0f2

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2024 00:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e412597778f7df65155685a8bdcd4be_JaffaCakes118.exe
Size

1.3MB
MD5

5e412597778f7df65155685a8bdcd4be
SHA1

1086c375c09c07486f0542c679a74d61dd943594
SHA256

f805abca58f0933dc66b09f7b9886394a92d481343df2851415f673b2b7ca0f2
SHA512

579bb3cea0b8daa74b9221191d4ad484f92379f01f8298d055fb50e3ae0a58e15847b6933ab6d6960564ebd0625d680ca31b7d74e2a233d7b43ae9e9de1438da
SSDEEP

24576:vFAABG9aJp25/4ddZMAsiIMXNI+RVN64AzFfoC9kAblzH2JCYkkX5zA:ZaaJpo/yZN6MXN9/NrAZgM2JlFA

Score

10^/10

darkcomet latentbot sks persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

SKS

essstzttztz.zapto.org:1612

Mutex

DC_MUTEX-F54S21D

Attributes

gencode
lwRB5npjTSK8
install
false
offline_keylogger
true
persistence
false

Extracted

Family

latentbot

essstzttztz.zapto.org

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	WLIDSCV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	5e412597778f7df65155685a8bdcd4be_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
3592	WLIDSCV.exe
3756	flashmk.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1232-39-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1232-41-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1232-40-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1232-42-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1232-44-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1232-43-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1232-45-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1232-46-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1232-48-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1232-49-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1232-50-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1232-51-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1232-52-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1232-53-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1232-54-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1232-55-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1232-56-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1232-57-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1232-58-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1232-59-0x0000000000400000-0x00000000004BA000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiops = "C:\\Users\\Admin\\AppData\\Roaming\\flashmk.exe"	vbc.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1096 set thread context of 1820	1096	5e412597778f7df65155685a8bdcd4be_JaffaCakes118.exe	86
PID 3756 set thread context of 1232	3756	flashmk.exe	95

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\flashmk.exe:ZONE.identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3592	WLIDSCV.exe
3592	WLIDSCV.exe
3592	WLIDSCV.exe
3756	flashmk.exe
3592	WLIDSCV.exe
3756	flashmk.exe
3592	WLIDSCV.exe
3592	WLIDSCV.exe
3756	flashmk.exe
3592	WLIDSCV.exe
3592	WLIDSCV.exe
3756	flashmk.exe
3592	WLIDSCV.exe
3756	flashmk.exe
3592	WLIDSCV.exe
3592	WLIDSCV.exe
3756	flashmk.exe
3592	WLIDSCV.exe
3756	flashmk.exe
3592	WLIDSCV.exe
3592	WLIDSCV.exe
3756	flashmk.exe
3592	WLIDSCV.exe
3592	WLIDSCV.exe
3756	flashmk.exe
3592	WLIDSCV.exe
3756	flashmk.exe
3592	WLIDSCV.exe
3592	WLIDSCV.exe
3756	flashmk.exe
3592	WLIDSCV.exe
3592	WLIDSCV.exe
3756	flashmk.exe
3592	WLIDSCV.exe
3756	flashmk.exe
3592	WLIDSCV.exe
3592	WLIDSCV.exe
3756	flashmk.exe
3592	WLIDSCV.exe
3592	WLIDSCV.exe
3756	flashmk.exe
3592	WLIDSCV.exe
3756	flashmk.exe
3592	WLIDSCV.exe
3592	WLIDSCV.exe
3756	flashmk.exe
3592	WLIDSCV.exe
3592	WLIDSCV.exe
3756	flashmk.exe
3592	WLIDSCV.exe
3756	flashmk.exe
3592	WLIDSCV.exe
3592	WLIDSCV.exe
3756	flashmk.exe
3592	WLIDSCV.exe
3592	WLIDSCV.exe
3756	flashmk.exe
3592	WLIDSCV.exe
3756	flashmk.exe
3592	WLIDSCV.exe
3592	WLIDSCV.exe
3756	flashmk.exe
3592	WLIDSCV.exe
3592	WLIDSCV.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	3592	WLIDSCV.exe
Token: SeDebugPrivilege	3756	flashmk.exe
Token: SeIncreaseQuotaPrivilege	1232	vbc.exe
Token: SeSecurityPrivilege	1232	vbc.exe
Token: SeTakeOwnershipPrivilege	1232	vbc.exe
Token: SeLoadDriverPrivilege	1232	vbc.exe
Token: SeSystemProfilePrivilege	1232	vbc.exe
Token: SeSystemtimePrivilege	1232	vbc.exe
Token: SeProfSingleProcessPrivilege	1232	vbc.exe
Token: SeIncBasePriorityPrivilege	1232	vbc.exe
Token: SeCreatePagefilePrivilege	1232	vbc.exe
Token: SeBackupPrivilege	1232	vbc.exe
Token: SeRestorePrivilege	1232	vbc.exe
Token: SeShutdownPrivilege	1232	vbc.exe
Token: SeDebugPrivilege	1232	vbc.exe
Token: SeSystemEnvironmentPrivilege	1232	vbc.exe
Token: SeChangeNotifyPrivilege	1232	vbc.exe
Token: SeRemoteShutdownPrivilege	1232	vbc.exe
Token: SeUndockPrivilege	1232	vbc.exe
Token: SeManageVolumePrivilege	1232	vbc.exe
Token: SeImpersonatePrivilege	1232	vbc.exe
Token: SeCreateGlobalPrivilege	1232	vbc.exe
Token: 33	1232	vbc.exe
Token: 34	1232	vbc.exe
Token: 35	1232	vbc.exe
Token: 36	1232	vbc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1820	vbc.exe
1232	vbc.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 1820	1096	5e412597778f7df65155685a8bdcd4be_JaffaCakes118.exe	86
PID 1096 wrote to memory of 1820	1096	5e412597778f7df65155685a8bdcd4be_JaffaCakes118.exe	86
PID 1096 wrote to memory of 1820	1096	5e412597778f7df65155685a8bdcd4be_JaffaCakes118.exe	86
PID 1096 wrote to memory of 1820	1096	5e412597778f7df65155685a8bdcd4be_JaffaCakes118.exe	86
PID 1096 wrote to memory of 1820	1096	5e412597778f7df65155685a8bdcd4be_JaffaCakes118.exe	86
PID 1096 wrote to memory of 1820	1096	5e412597778f7df65155685a8bdcd4be_JaffaCakes118.exe	86
PID 1096 wrote to memory of 1820	1096	5e412597778f7df65155685a8bdcd4be_JaffaCakes118.exe	86
PID 1096 wrote to memory of 1820	1096	5e412597778f7df65155685a8bdcd4be_JaffaCakes118.exe	86
PID 1096 wrote to memory of 4964	1096	5e412597778f7df65155685a8bdcd4be_JaffaCakes118.exe	87
PID 1096 wrote to memory of 4964	1096	5e412597778f7df65155685a8bdcd4be_JaffaCakes118.exe	87
PID 1096 wrote to memory of 4964	1096	5e412597778f7df65155685a8bdcd4be_JaffaCakes118.exe	87
PID 1096 wrote to memory of 2600	1096	5e412597778f7df65155685a8bdcd4be_JaffaCakes118.exe	90
PID 1096 wrote to memory of 2600	1096	5e412597778f7df65155685a8bdcd4be_JaffaCakes118.exe	90
PID 1096 wrote to memory of 2600	1096	5e412597778f7df65155685a8bdcd4be_JaffaCakes118.exe	90
PID 2600 wrote to memory of 3200	2600	vbc.exe	92
PID 2600 wrote to memory of 3200	2600	vbc.exe	92
PID 2600 wrote to memory of 3200	2600	vbc.exe	92
PID 1096 wrote to memory of 3592	1096	5e412597778f7df65155685a8bdcd4be_JaffaCakes118.exe	93
PID 1096 wrote to memory of 3592	1096	5e412597778f7df65155685a8bdcd4be_JaffaCakes118.exe	93
PID 1096 wrote to memory of 3592	1096	5e412597778f7df65155685a8bdcd4be_JaffaCakes118.exe	93
PID 3592 wrote to memory of 3756	3592	WLIDSCV.exe	94
PID 3592 wrote to memory of 3756	3592	WLIDSCV.exe	94
PID 3592 wrote to memory of 3756	3592	WLIDSCV.exe	94
PID 3756 wrote to memory of 1232	3756	flashmk.exe	95
PID 3756 wrote to memory of 1232	3756	flashmk.exe	95
PID 3756 wrote to memory of 1232	3756	flashmk.exe	95
PID 3756 wrote to memory of 1232	3756	flashmk.exe	95
PID 3756 wrote to memory of 1232	3756	flashmk.exe	95
PID 3756 wrote to memory of 1232	3756	flashmk.exe	95
PID 3756 wrote to memory of 1232	3756	flashmk.exe	95
PID 3756 wrote to memory of 1232	3756	flashmk.exe	95

C:\Users\Admin\AppData\Local\Temp\5e412597778f7df65155685a8bdcd4be_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5e412597778f7df65155685a8bdcd4be_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  PID:1820
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  - NTFS ADS
  PID:4964
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hhdpmaiz.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB0B2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6B2B6934550644D9BBF72B12DB3236ED.TMP"
    3⤵
    PID:3200
- C:\Users\Admin\AppData\Roaming\WLIDSCV.exe
  "C:\Users\Admin\AppData\Roaming\WLIDSCV.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3592
- - C:\Users\Admin\AppData\Roaming\flashmk.exe
    "C:\Users\Admin\AppData\Roaming\flashmk.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3756
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB0B2.tmp

Filesize
1KB

MD5
54dc7cb11bfef79751466b626d1e79d3

SHA1
23d7c56824cc2ea890739cc6e648953a277c611a

SHA256
debed5e0c8232cd7293592a5cd1d7dc35f6e16fcb3815f497174f8c68a24029d

SHA512
e128b6a8d596a7736785b7e64bc5570070b6630e70daff427fc9cc2a1cca2c36ee63e0b54e1f707a263ad9de32140bad30df6a923a2d7bbcce3bd0c838d17b35

Download Submit
C:\Users\Admin\AppData\Local\Temp\hhdpmaiz.0.vb

Filesize
1KB

MD5
2495f282d9843448e187592dda4bcf4f

SHA1
a8b6a96aa278dd58d6c50280c2294b9a85d3269a

SHA256
712952f1122fba1bbc1e90f094a7bca3dba7ee975f67521a022e709c71830fe8

SHA512
9f361c818dcbba5be12cce22af8244951ce466f5b22b9e7f7e2ee0a691d68b3722994486f87130de8dc3d45c5be606d1550f8b6b806c6c5ed1b3e9b136fe8eb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\hhdpmaiz.cmdline

Filesize
248B

MD5
538001392baaaf6094250de8acef9023

SHA1
6823f79960e6bc2d0fdffff09c84fe07db30a17c

SHA256
27a709e1125d0e2344003aefdb1c04c02f9bd3772ea01e94698a3eaca66786ae

SHA512
ae7b311761a21325d60c50b6c188ce957d22565ba071e2ec82cba7449cc5b6be5c6291f4145df5f3b5647f74f16eb2985acc9dc1e8891954dbd7b4812ab4a6b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6B2B6934550644D9BBF72B12DB3236ED.TMP

Filesize
644B

MD5
070d19a29fd713891607e27d97ead816

SHA1
e42cf75eb53e89ce253dea01274f383bc498cb3b

SHA256
1ee0d7a798e175d5a7d518bb3b27d4cebff4bc1bade76f4a3e433d88ee926d1e

SHA512
65a26d184056e35d15c6609bc15313742cbc77baeb0228e1081bdc96ff91631fdcf363787a1bfdfa4883155039c7ef2953ad7e4e4f20e2f71005d0bec98e27ef

Download Submit
C:\Users\Admin\AppData\Roaming\WLIDSCV.exe

Filesize
7KB

MD5
7b1ae20d1c413b3b0a92a4d2e3e2628b

SHA1
92ae2e64f57d2fb431f4f2ed37e89694110dce94

SHA256
1893fe2d5a04b2d6d415b101ede90e39ed48372bd7eb28819febed73f125f545

SHA512
4038e9644d494c03d546959bcb11c058de66a8019337a4d8474befd27c0484275ac83004302ef99f871aa319db3bf03b2efde24507ab1b9798d2703a84c5a61a

Download Submit
C:\Users\Admin\AppData\Roaming\flashmk.exe

Filesize
1.3MB

MD5
5e412597778f7df65155685a8bdcd4be

SHA1
1086c375c09c07486f0542c679a74d61dd943594

SHA256
f805abca58f0933dc66b09f7b9886394a92d481343df2851415f673b2b7ca0f2

SHA512
579bb3cea0b8daa74b9221191d4ad484f92379f01f8298d055fb50e3ae0a58e15847b6933ab6d6960564ebd0625d680ca31b7d74e2a233d7b43ae9e9de1438da

Download Submit
C:\Users\Admin\AppData\Roaming\fp.txt

Filesize
102B

MD5
5e173d5661f1703abc3260e4c324026b

SHA1
6faee2710344fe5afbfa4d307b70a33ab234503b

SHA256
d111a7bfe9d17c72ef5db3cf1aabd6ce25f226a0a0b5ee023ae8d286c7f21f14

SHA512
a8715d0a55396163f8119d1dd463b5aa7f61dbe414ffef9fb10ca2d938e762f26217a7f63865232f505ade67b60dbae3e9e8d83b1afa484a0c55f027744b5a6c

Download Submit
memory/1096-1-0x00000000747E0000-0x0000000074D91000-memory.dmp

Filesize
5.7MB

Download
memory/1096-2-0x00000000747E0000-0x0000000074D91000-memory.dmp

Filesize
5.7MB

Download
memory/1096-0-0x00000000747E2000-0x00000000747E3000-memory.dmp

Filesize
4KB

Download
memory/1096-36-0x00000000747E0000-0x0000000074D91000-memory.dmp

Filesize
5.7MB

Download
memory/1232-50-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1232-45-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1232-59-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1232-58-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1232-57-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1232-56-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1232-55-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1232-39-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1232-41-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1232-40-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1232-42-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1232-44-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1232-43-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1232-54-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1232-53-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1232-46-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1232-48-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1232-49-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1232-52-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1232-51-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1820-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1820-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1820-12-0x0000000000410000-0x00000000004D9000-memory.dmp

Filesize
804KB

Download
memory/1820-14-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2600-21-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/2600-30-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/3592-47-0x0000000000AD0000-0x0000000000AE0000-memory.dmp

Filesize
64KB

Download
memory/3592-35-0x0000000000AD0000-0x0000000000AE0000-memory.dmp

Filesize
64KB

Download