darkcomet | 71e9c343e1350db04d97d960f91163ea0d8c33d8149ab6225b0e018e8c161181

General

Target

67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe
Size

653KB
MD5

67abc4d8511bef88b5cd7b5884951bf5
SHA1

1e6e8907e291bb71e3d2d1b5050be3a60d39f646
SHA256

71e9c343e1350db04d97d960f91163ea0d8c33d8149ab6225b0e018e8c161181
SHA512

bdd62c7d12dad525a874c689a4f46c7ff068eb2b96620a6945b87ca6e66db54f21652c26ca10eae286f048accf634f1af85aff2439fd4985f596f3108bcd8b7a
SSDEEP

12288:I5MlYxLWIpdgFFyIJjr2I9hPUkxuJzRUL9pYe2Xduxni+Tj:Ia4WLbJH2Wdx0JzRULjn2aT

Score

10^/10

darkcomet latentbot outbound persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Outbound

C2

darkcometsa.zapto.org:1604

Mutex

DC_MUTEX-DTNGSWK

Attributes

gencode
83vLgsEx21jQ
install
false
offline_keylogger
true
password
mikeyj4711
persistence
false

Extracted

Family

latentbot

C2

darkcometsa.zapto.org

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 1 IoCs

pid	Process
1828	svhost.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1828-22-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1828-25-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1828-34-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1828-33-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1828-24-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1828-19-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1828-20-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1828-14-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1828-43-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1828-49-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1828-50-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1828-52-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1828-54-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1828-56-0x0000000000400000-0x00000000004BA000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rundll32 .exe"	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2648 set thread context of 1828	2648	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe	87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2648	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe
2648	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe
2648	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe
2648	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe
2648	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe
2648	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe
2648	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2648	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	1828	svhost.exe
Token: SeSecurityPrivilege	1828	svhost.exe
Token: SeTakeOwnershipPrivilege	1828	svhost.exe
Token: SeLoadDriverPrivilege	1828	svhost.exe
Token: SeSystemProfilePrivilege	1828	svhost.exe
Token: SeSystemtimePrivilege	1828	svhost.exe
Token: SeProfSingleProcessPrivilege	1828	svhost.exe
Token: SeIncBasePriorityPrivilege	1828	svhost.exe
Token: SeCreatePagefilePrivilege	1828	svhost.exe
Token: SeBackupPrivilege	1828	svhost.exe
Token: SeRestorePrivilege	1828	svhost.exe
Token: SeShutdownPrivilege	1828	svhost.exe
Token: SeDebugPrivilege	1828	svhost.exe
Token: SeSystemEnvironmentPrivilege	1828	svhost.exe
Token: SeChangeNotifyPrivilege	1828	svhost.exe
Token: SeRemoteShutdownPrivilege	1828	svhost.exe
Token: SeUndockPrivilege	1828	svhost.exe
Token: SeManageVolumePrivilege	1828	svhost.exe
Token: SeImpersonatePrivilege	1828	svhost.exe
Token: SeCreateGlobalPrivilege	1828	svhost.exe
Token: 33	1828	svhost.exe
Token: 34	1828	svhost.exe
Token: 35	1828	svhost.exe
Token: 36	1828	svhost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1828	svhost.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 3952	2648	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe	85
PID 2648 wrote to memory of 3952	2648	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe	85
PID 2648 wrote to memory of 3952	2648	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe	85
PID 2648 wrote to memory of 1828	2648	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe	87
PID 2648 wrote to memory of 1828	2648	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe	87
PID 2648 wrote to memory of 1828	2648	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe	87
PID 2648 wrote to memory of 1828	2648	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe	87
PID 2648 wrote to memory of 1828	2648	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe	87
PID 2648 wrote to memory of 1828	2648	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe	87
PID 2648 wrote to memory of 1828	2648	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe	87
PID 2648 wrote to memory of 1828	2648	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe	87
PID 2648 wrote to memory of 2528	2648	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe	88
PID 2648 wrote to memory of 2528	2648	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe	88
PID 2648 wrote to memory of 2528	2648	67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe	88
PID 3952 wrote to memory of 1528	3952	cmd.exe	89
PID 3952 wrote to memory of 1528	3952	cmd.exe	89
PID 3952 wrote to memory of 1528	3952	cmd.exe	89
PID 1528 wrote to memory of 1372	1528	wscript.exe	90
PID 1528 wrote to memory of 1372	1528	wscript.exe	90
PID 1528 wrote to memory of 1372	1528	wscript.exe	90

C:\Users\Admin\AppData\Local\Temp\67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\caca.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3952
- - C:\Windows\SysWOW64\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\caca2.bat
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1528
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\caca2.bat" "
      4⤵
      PID:1372
- C:\Windows\Temp\svhost.exe
  C:\Windows\Temp\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1828
- C:\Windows\Temp\svhost.exe
  C:\Windows\Temp\svhost.exe
  2⤵
  PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\%temp%.exe

Filesize
23KB

MD5
0d7fc03759c66ee8d90236e9f77db196

SHA1
c3b71847f65c90a6697798c65d0096403546d45c

SHA256
321bf7e7b14aabf88039b2c7e1fcf2f14994b65bffd6b2672e213a1815b2ac35

SHA512
faba574a9bdfe9542e8a5ea076c360194627af4fa198129638e170e5da3023c698afacd859667ebec11ee4f94ae51f79aa321dbd36a3261d24d8bc3708143bd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\caca.bat

Filesize
47B

MD5
58ccb87aa1da4939df403810f1e68b6b

SHA1
dc8551f41682e5cb1dd25af3f11a789b1d37b295

SHA256
eccc9f27214ff49689c1f597c0d3d3a3e45391064fd0baa9b5e0e03931b7822b

SHA512
17ad698f496a445c5cbd0972df9fe966081a3cbee33fb7d7e003890ae946c65687b85b9b16990a872338d00d798b82dee06e86bd2d38b01ad292048134688fd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\caca2.bat

Filesize
52B

MD5
e51bad636923af01489010f23eb805f5

SHA1
e7b519d49ebcc84896c46035dd799430c0f56d6f

SHA256
b8d1ffbf3c846ed148e3bc7c73918626ed89290d03047760420509c177ad9092

SHA512
11c32d00bc33c21c8cab64a524f529c24c2aa0c7097c1d937aa9558ba931493f2ae15b78e8f1c7ebedb4396a8bec2e22682c39dfb2ce9419bccec590793ce8eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\invs.vbs

Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rundll32-.txt

Filesize
653KB

MD5
67abc4d8511bef88b5cd7b5884951bf5

SHA1
1e6e8907e291bb71e3d2d1b5050be3a60d39f646

SHA256
71e9c343e1350db04d97d960f91163ea0d8c33d8149ab6225b0e018e8c161181

SHA512
bdd62c7d12dad525a874c689a4f46c7ff068eb2b96620a6945b87ca6e66db54f21652c26ca10eae286f048accf634f1af85aff2439fd4985f596f3108bcd8b7a

Download Submit
C:\Windows\Temp\svhost.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
memory/1828-20-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1828-49-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1828-56-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1828-36-0x0000000002190000-0x0000000002191000-memory.dmp

Filesize
4KB

Download
memory/1828-33-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1828-24-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1828-54-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1828-19-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1828-22-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1828-14-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1828-52-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1828-25-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1828-43-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1828-50-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1828-34-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2648-48-0x00000000746D0000-0x0000000074C81000-memory.dmp

Filesize
5.7MB

Download
memory/2648-45-0x00000000746D0000-0x0000000074C81000-memory.dmp

Filesize
5.7MB

Download
memory/2648-44-0x00000000746D2000-0x00000000746D3000-memory.dmp

Filesize
4KB

Download
memory/2648-1-0x00000000746D0000-0x0000000074C81000-memory.dmp

Filesize
5.7MB

Download
memory/2648-0-0x00000000746D2000-0x00000000746D3000-memory.dmp

Filesize
4KB

Download
memory/2648-2-0x00000000746D0000-0x0000000074C81000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads