darkcomet | 8215ca9e02357b4a0019f8813a658a26adbbce59ae3bafb963bfbe0cec81db57

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
24-07-2024 09:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b26b953fc279e0883d5ee11354b8661_JaffaCakes118.exe
Size

1.2MB
MD5

6b26b953fc279e0883d5ee11354b8661
SHA1

04bc5e768bf5ccfd82fa9f833b167d4a45ce7420
SHA256

8215ca9e02357b4a0019f8813a658a26adbbce59ae3bafb963bfbe0cec81db57
SHA512

7e76dce8705d2efd2d263938c955c612e865479e876c0406542cd2bfe73096a1dcecac0d740522abd0fb605a3299157a4959ce8425e93734f9dc4dd3bec61d03
SSDEEP

24576:LsUgX+vFcZsyFmHraK8HXhSQcQzH4cGFq0mp7EAOit5OQmF5Rgcj7TK:opgc2yYHW73c+4cGQ0mzZy5fT

Score

10^/10

darkcomet latentbot youtube discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

YOUTUBE

superduperfly75.zapto.org:1604

Mutex

DCMIN_MUTEX-N89DPZW

Attributes

gencode
pMfPxC3iW6vG
install
false
offline_keylogger
true
persistence
false

Extracted

Family

latentbot

superduperfly75.zapto.org

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Utube.exe	474494.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Utube.exe	474494.exe

Executes dropped EXE 4 IoCs

pid	Process
3036	Utube.exe
1772	RES.exe
2580	474494.exe
2176	REFRAC~4.EXE

Loads dropped DLL 4 IoCs

pid	Process
3036	Utube.exe
3036	Utube.exe
3036	Utube.exe
3036	Utube.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6b26b953fc279e0883d5ee11354b8661_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3036 set thread context of 1772	3036	Utube.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Utube.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RES.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	474494.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REFRAC~4.EXE

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1772	RES.exe
Token: SeSecurityPrivilege	1772	RES.exe
Token: SeTakeOwnershipPrivilege	1772	RES.exe
Token: SeLoadDriverPrivilege	1772	RES.exe
Token: SeSystemProfilePrivilege	1772	RES.exe
Token: SeSystemtimePrivilege	1772	RES.exe
Token: SeProfSingleProcessPrivilege	1772	RES.exe
Token: SeIncBasePriorityPrivilege	1772	RES.exe
Token: SeCreatePagefilePrivilege	1772	RES.exe
Token: SeBackupPrivilege	1772	RES.exe
Token: SeRestorePrivilege	1772	RES.exe
Token: SeShutdownPrivilege	1772	RES.exe
Token: SeDebugPrivilege	1772	RES.exe
Token: SeSystemEnvironmentPrivilege	1772	RES.exe
Token: SeChangeNotifyPrivilege	1772	RES.exe
Token: SeRemoteShutdownPrivilege	1772	RES.exe
Token: SeUndockPrivilege	1772	RES.exe
Token: SeManageVolumePrivilege	1772	RES.exe
Token: SeImpersonatePrivilege	1772	RES.exe
Token: SeCreateGlobalPrivilege	1772	RES.exe
Token: 33	1772	RES.exe
Token: 34	1772	RES.exe
Token: 35	1772	RES.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1772	RES.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 3036	2004	6b26b953fc279e0883d5ee11354b8661_JaffaCakes118.exe	31
PID 2004 wrote to memory of 3036	2004	6b26b953fc279e0883d5ee11354b8661_JaffaCakes118.exe	31
PID 2004 wrote to memory of 3036	2004	6b26b953fc279e0883d5ee11354b8661_JaffaCakes118.exe	31
PID 2004 wrote to memory of 3036	2004	6b26b953fc279e0883d5ee11354b8661_JaffaCakes118.exe	31
PID 3036 wrote to memory of 1772	3036	Utube.exe	32
PID 3036 wrote to memory of 1772	3036	Utube.exe	32
PID 3036 wrote to memory of 1772	3036	Utube.exe	32
PID 3036 wrote to memory of 1772	3036	Utube.exe	32
PID 3036 wrote to memory of 1772	3036	Utube.exe	32
PID 3036 wrote to memory of 1772	3036	Utube.exe	32
PID 3036 wrote to memory of 1772	3036	Utube.exe	32
PID 3036 wrote to memory of 1772	3036	Utube.exe	32
PID 3036 wrote to memory of 1772	3036	Utube.exe	32
PID 3036 wrote to memory of 1772	3036	Utube.exe	32
PID 3036 wrote to memory of 1772	3036	Utube.exe	32
PID 3036 wrote to memory of 1772	3036	Utube.exe	32
PID 3036 wrote to memory of 1772	3036	Utube.exe	32
PID 3036 wrote to memory of 2892	3036	Utube.exe	33
PID 3036 wrote to memory of 2892	3036	Utube.exe	33
PID 3036 wrote to memory of 2892	3036	Utube.exe	33
PID 3036 wrote to memory of 2892	3036	Utube.exe	33
PID 2892 wrote to memory of 2888	2892	vbc.exe	35
PID 2892 wrote to memory of 2888	2892	vbc.exe	35
PID 2892 wrote to memory of 2888	2892	vbc.exe	35
PID 2892 wrote to memory of 2888	2892	vbc.exe	35
PID 3036 wrote to memory of 2580	3036	Utube.exe	36
PID 3036 wrote to memory of 2580	3036	Utube.exe	36
PID 3036 wrote to memory of 2580	3036	Utube.exe	36
PID 3036 wrote to memory of 2580	3036	Utube.exe	36
PID 2004 wrote to memory of 2176	2004	6b26b953fc279e0883d5ee11354b8661_JaffaCakes118.exe	37
PID 2004 wrote to memory of 2176	2004	6b26b953fc279e0883d5ee11354b8661_JaffaCakes118.exe	37
PID 2004 wrote to memory of 2176	2004	6b26b953fc279e0883d5ee11354b8661_JaffaCakes118.exe	37
PID 2004 wrote to memory of 2176	2004	6b26b953fc279e0883d5ee11354b8661_JaffaCakes118.exe	37

C:\Users\Admin\AppData\Local\Temp\6b26b953fc279e0883d5ee11354b8661_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6b26b953fc279e0883d5ee11354b8661_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Utube.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Utube.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Users\Admin\AppData\Roaming\RES.exe
    C:\Users\Admin\AppData\Roaming\RES.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1772
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sns6oca3.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDCAA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDCA9.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2888
- - C:\Users\Admin\AppData\Roaming\474494.exe
    "C:\Users\Admin\AppData\Roaming\474494.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2580
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\REFRAC~4.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\REFRAC~4.EXE
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\REFRAC~4.EXE

Filesize
38KB

MD5
1ee0feeaa8b4ec6d979089e77df7969f

SHA1
eb6d30151989b14b9072b9013cbb1f87561f85b5

SHA256
f44542297b74f9ff431da92f3757b86fe272ed88d70df4946f78cf4a062c95dd

SHA512
412f337e3fe16cfba7cb281c45b730c31a6749bcefeade449c780ca7971b8a9676636864e11723ef849c56802127380d85a84e69a4b0253c7860be786f96401f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Utube.exe

Filesize
1.5MB

MD5
ed46d29f422bd2fd6fac4ed2c51d8eaf

SHA1
655a109f5094adc7b4bde01cf28d204b42de7578

SHA256
d8ae8f0ca1db9160b3880adeaaae7dcfe532048d00286da703bb300ca9bd7c0c

SHA512
ac9e165b20030374d73b3a2a627ea4e8135e6da88d6fc080f4433d1e8fedafa0bcb30321b00b768d215e9771e3e984321fc862a3d11c0a7582528691ed845449

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDCAA.tmp

Filesize
1KB

MD5
8aa4502341f1a8cfccde80fc6d206182

SHA1
ee206326a872133c093b7f10df942535261e2094

SHA256
495613c9969d6274accd1149e73a68836c5149f327f851b8a635c58e0e6747c1

SHA512
1fd71c0f159d6a713d5b2f18db964d88b706efb5e6f0b18aade005921bed875dad3e6c1fb0f5487ee9bccefd7d8a7c3054c0fa8955cc8120e41037489af7df74

Download Submit
C:\Users\Admin\AppData\Local\Temp\sns6oca3.0.vb

Filesize
1KB

MD5
c6e0628ee4f388bb62f447b083ab8760

SHA1
df64d095a7a9c3993d155c134153b9ce8e6d6ec9

SHA256
613f31ab00f2c0f91e7bdb40023571bc44d8606b352b18d10ea36d094cc7e9c0

SHA512
d89813b575ea084796b4035f8da99f07fdd02690a77089435085e53d6b861ffe54f4b249f5a7898ac74a15e2f38f3e5e83f8a4908939d786bcdfcd2b6860d8d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\sns6oca3.cmdline

Filesize
234B

MD5
677eaf8549ec894cc0362d42ed5bfee0

SHA1
ad59bdd707f95c203f635c5be078a6bfb1767b31

SHA256
94cf2d6aa6f31fab1627fd85c5c75db8d447599299270a2bbba6bf3faa1ffacc

SHA512
83aeb2193fc694603404ab2663608bd9248e682a29ff8cfc3611e31336bd6a285f929fb75b39f321ac6fbb046b65a8a6d7e8de8a87c22d0e84fc95a0d9f90bf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDCA9.tmp

Filesize
880B

MD5
a543ba10dccde645a87d0c9e5c9ebed8

SHA1
dd83570d078b35f7921529ce3a3c807b41ac06bf

SHA256
caf5da0e523d3a252848fb217d6247d37d3fb1296549a7d5781149a7bd450182

SHA512
02bc059b9d68967b0b4ab39b94e4338d9a34d734e87d5f3875403da4d8a72de6ac007ad60c6dcad5649f5d22583c517138626637853642e7ee3c8aab213dfd44

Download Submit
\Users\Admin\AppData\Roaming\474494.exe

Filesize
7KB

MD5
5b953fb3af1852fbfce35fdfd06507d5

SHA1
f42880857e615bef4fddebca1672e99833413006

SHA256
49efed353ba9cdd76139e36eda494d21462498c83db64a688c6a637c8b7579fc

SHA512
f51b3a87b77073f9c5219552269cb6651a42bccff0aa1b6ce29c4fdba102aa13e82aed4c4facce358b711038fe2c6eae2883fcf41951d566ff1ed289e407659f

Download Submit
\Users\Admin\AppData\Roaming\RES.exe

Filesize
1KB

MD5
f54b30f21b7b118bfeda2b1ed3482f84

SHA1
bde084ea60646dadabfed4eafe5bafceb4c11b99

SHA256
62bf121e7c7d3a221718d90de673ab23b9759765bb4aaed747883c7c7d08c2c5

SHA512
8431f8c37b0fbc1077eb0aef78ad2e10c11bb10e16ddbde833f568cbd69551e23c85aadcce4ddc71994a9fede59eca52bc99d595131c2264e4e9917abe87e44d

Download Submit
memory/1772-28-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1772-69-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1772-32-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1772-25-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1772-24-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1772-37-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1772-22-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1772-20-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1772-39-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1772-42-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1772-41-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1772-34-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1772-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1772-26-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1772-27-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1772-77-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1772-76-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1772-75-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1772-74-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1772-73-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1772-64-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1772-65-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1772-66-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1772-67-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1772-68-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1772-29-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1772-70-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1772-71-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1772-72-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2176-63-0x0000000000070000-0x0000000000082000-memory.dmp

Filesize
72KB

Download
memory/3036-10-0x00000000741C1000-0x00000000741C2000-memory.dmp

Filesize
4KB

Download
memory/3036-58-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download
memory/3036-11-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download
memory/3036-12-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads