darkcomet | 71e9c343e1350db04d97d960f91163ea0d8c33d8149ab6225b0e018e8c161181

General

Target

67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe
Size

653KB
MD5

67abc4d8511bef88b5cd7b5884951bf5
SHA1

1e6e8907e291bb71e3d2d1b5050be3a60d39f646
SHA256

71e9c343e1350db04d97d960f91163ea0d8c33d8149ab6225b0e018e8c161181
SHA512

bdd62c7d12dad525a874c689a4f46c7ff068eb2b96620a6945b87ca6e66db54f21652c26ca10eae286f048accf634f1af85aff2439fd4985f596f3108bcd8b7a
SSDEEP

12288:I5MlYxLWIpdgFFyIJjr2I9hPUkxuJzRUL9pYe2Xduxni+Tj:Ia4WLbJH2Wdx0JzRULjn2aT

Score

10^/10

darkcomet latentbot outbound persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Outbound

C2

darkcometsa.zapto.org:1604

Mutex

DC_MUTEX-DTNGSWK

Attributes

gencode
83vLgsEx21jQ
install
false
offline_keylogger
true
password
mikeyj4711
persistence
false

Extracted

Family

latentbot

C2

darkcometsa.zapto.org

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Executes dropped EXE 2 IoCs

pid	Process
2904	svhost.exe
2724	svhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2240	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe
2240	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2904-34-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2904-36-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2904-26-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2904-30-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2904-38-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2904-24-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2904-40-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2904-41-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2904-39-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2904-43-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2904-42-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2904-52-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2904-57-0x0000000000400000-0x00000000004BA000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rundll32 .exe"	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2240 set thread context of 2904	2240	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2240	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe
2240	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe
2240	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe
2240	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe
2240	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe
2240	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe
2240	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2240	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2904	svhost.exe
Token: SeSecurityPrivilege	2904	svhost.exe
Token: SeTakeOwnershipPrivilege	2904	svhost.exe
Token: SeLoadDriverPrivilege	2904	svhost.exe
Token: SeSystemProfilePrivilege	2904	svhost.exe
Token: SeSystemtimePrivilege	2904	svhost.exe
Token: SeProfSingleProcessPrivilege	2904	svhost.exe
Token: SeIncBasePriorityPrivilege	2904	svhost.exe
Token: SeCreatePagefilePrivilege	2904	svhost.exe
Token: SeBackupPrivilege	2904	svhost.exe
Token: SeRestorePrivilege	2904	svhost.exe
Token: SeShutdownPrivilege	2904	svhost.exe
Token: SeDebugPrivilege	2904	svhost.exe
Token: SeSystemEnvironmentPrivilege	2904	svhost.exe
Token: SeChangeNotifyPrivilege	2904	svhost.exe
Token: SeRemoteShutdownPrivilege	2904	svhost.exe
Token: SeUndockPrivilege	2904	svhost.exe
Token: SeManageVolumePrivilege	2904	svhost.exe
Token: SeImpersonatePrivilege	2904	svhost.exe
Token: SeCreateGlobalPrivilege	2904	svhost.exe
Token: 33	2904	svhost.exe
Token: 34	2904	svhost.exe
Token: 35	2904	svhost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2904	svhost.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2680	2240	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe	30
PID 2240 wrote to memory of 2680	2240	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe	30
PID 2240 wrote to memory of 2680	2240	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe	30
PID 2240 wrote to memory of 2680	2240	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe	30
PID 2240 wrote to memory of 2904	2240	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe	33
PID 2240 wrote to memory of 2904	2240	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe	33
PID 2240 wrote to memory of 2904	2240	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe	33
PID 2240 wrote to memory of 2904	2240	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe	33
PID 2680 wrote to memory of 2200	2680	cmd.exe	32
PID 2680 wrote to memory of 2200	2680	cmd.exe	32
PID 2680 wrote to memory of 2200	2680	cmd.exe	32
PID 2680 wrote to memory of 2200	2680	cmd.exe	32
PID 2240 wrote to memory of 2904	2240	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe	33
PID 2240 wrote to memory of 2904	2240	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe	33
PID 2240 wrote to memory of 2904	2240	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe	33
PID 2240 wrote to memory of 2904	2240	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe	33
PID 2240 wrote to memory of 2724	2240	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe	34
PID 2240 wrote to memory of 2724	2240	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe	34
PID 2240 wrote to memory of 2724	2240	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe	34
PID 2240 wrote to memory of 2724	2240	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe	34
PID 2200 wrote to memory of 1688	2200	wscript.exe	35
PID 2200 wrote to memory of 1688	2200	wscript.exe	35
PID 2200 wrote to memory of 1688	2200	wscript.exe	35
PID 2200 wrote to memory of 1688	2200	wscript.exe	35

C:\Users\Admin\AppData\Local\Temp\67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\caca.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\SysWOW64\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\caca2.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\caca2.bat" "
      4⤵
      PID:1688
- C:\Windows\Temp\svhost.exe
  C:\Windows\Temp\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2904
- C:\Windows\Temp\svhost.exe
  C:\Windows\Temp\svhost.exe
  2⤵
  - Executes dropped EXE
  PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\caca.bat

Filesize
47B

MD5
58ccb87aa1da4939df403810f1e68b6b

SHA1
dc8551f41682e5cb1dd25af3f11a789b1d37b295

SHA256
eccc9f27214ff49689c1f597c0d3d3a3e45391064fd0baa9b5e0e03931b7822b

SHA512
17ad698f496a445c5cbd0972df9fe966081a3cbee33fb7d7e003890ae946c65687b85b9b16990a872338d00d798b82dee06e86bd2d38b01ad292048134688fd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\caca2.bat

Filesize
52B

MD5
e51bad636923af01489010f23eb805f5

SHA1
e7b519d49ebcc84896c46035dd799430c0f56d6f

SHA256
b8d1ffbf3c846ed148e3bc7c73918626ed89290d03047760420509c177ad9092

SHA512
11c32d00bc33c21c8cab64a524f529c24c2aa0c7097c1d937aa9558ba931493f2ae15b78e8f1c7ebedb4396a8bec2e22682c39dfb2ce9419bccec590793ce8eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\invs.vbs

Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rundll32-.txt

Filesize
653KB

MD5
67abc4d8511bef88b5cd7b5884951bf5

SHA1
1e6e8907e291bb71e3d2d1b5050be3a60d39f646

SHA256
71e9c343e1350db04d97d960f91163ea0d8c33d8149ab6225b0e018e8c161181

SHA512
bdd62c7d12dad525a874c689a4f46c7ff068eb2b96620a6945b87ca6e66db54f21652c26ca10eae286f048accf634f1af85aff2439fd4985f596f3108bcd8b7a

Download Submit
\Windows\Temp\svhost.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
memory/2240-1-0x0000000074CF0000-0x000000007529B000-memory.dmp

Filesize
5.7MB

Download
memory/2240-2-0x0000000074CF0000-0x000000007529B000-memory.dmp

Filesize
5.7MB

Download
memory/2240-55-0x0000000074CF0000-0x000000007529B000-memory.dmp

Filesize
5.7MB

Download
memory/2240-0-0x0000000074CF1000-0x0000000074CF2000-memory.dmp

Filesize
4KB

Download
memory/2240-53-0x0000000074CF0000-0x000000007529B000-memory.dmp

Filesize
5.7MB

Download
memory/2904-36-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2904-42-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2904-22-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2904-40-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2904-41-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2904-39-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2904-43-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2904-24-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2904-38-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2904-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2904-30-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2904-52-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2904-26-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2904-34-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2904-57-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads