darkcomet | 1374c9b8a6efcd3545952347bf2d76ee31a5170c4f5bdc914766d19bc8286cb5

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
18-08-2024 08:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe
Size

881KB
MD5

a624aa1f6f7f6eb9d04020e3e6638e84
SHA1

a7f7463fb19e0d04c7c1d63ca2b338c3a7667dfc
SHA256

1374c9b8a6efcd3545952347bf2d76ee31a5170c4f5bdc914766d19bc8286cb5
SHA512

3e9d36a113652efd09d9a2279083da6faafc551828a15f2595bcdbe04326d6f75cacfcc137f3b1f728540fed988f91a71770aa2577bbcf2fa25dcc1177d935ea
SSDEEP

24576:QhGcW2ywZ1kqWgfXNTn+oRKPYuciiCWL:QXW2ywigzruciFa

Score

10^/10

darkcomet latentbot guest16 discovery evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

botnetclients.zapto.org:1604

127.0.0.1:1604

Mutex

DC_MUTEX-3AXC87R

Attributes

gencode
9wPMRqlWAgCe
install
false
offline_keylogger
true
persistence
false

Extracted

Family

latentbot

botnetclients.zapto.org

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2688	attrib.exe
2624	attrib.exe

Executes dropped EXE 2 IoCs

pid	Process
2316	ƙƈơƅƳ.exe
2684	svchost.exe

Loads dropped DLL 3 IoCs

pid	Process
1484	a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe
1484	a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe
1484	a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleUpdater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Google.exe"	ƙƈơƅƳ.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1484 set thread context of 2684	1484	a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ƙƈơƅƳ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2684	svchost.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	1484	a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2684	svchost.exe
Token: SeSecurityPrivilege	2684	svchost.exe
Token: SeTakeOwnershipPrivilege	2684	svchost.exe
Token: SeLoadDriverPrivilege	2684	svchost.exe
Token: SeSystemProfilePrivilege	2684	svchost.exe
Token: SeSystemtimePrivilege	2684	svchost.exe
Token: SeProfSingleProcessPrivilege	2684	svchost.exe
Token: SeIncBasePriorityPrivilege	2684	svchost.exe
Token: SeCreatePagefilePrivilege	2684	svchost.exe
Token: SeBackupPrivilege	2684	svchost.exe
Token: SeRestorePrivilege	2684	svchost.exe
Token: SeShutdownPrivilege	2684	svchost.exe
Token: SeDebugPrivilege	2684	svchost.exe
Token: SeSystemEnvironmentPrivilege	2684	svchost.exe
Token: SeChangeNotifyPrivilege	2684	svchost.exe
Token: SeRemoteShutdownPrivilege	2684	svchost.exe
Token: SeUndockPrivilege	2684	svchost.exe
Token: SeManageVolumePrivilege	2684	svchost.exe
Token: SeImpersonatePrivilege	2684	svchost.exe
Token: SeCreateGlobalPrivilege	2684	svchost.exe
Token: 33	2684	svchost.exe
Token: 34	2684	svchost.exe
Token: 35	2684	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2684	svchost.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 2360	1484	a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe	30
PID 1484 wrote to memory of 2360	1484	a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe	30
PID 1484 wrote to memory of 2360	1484	a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe	30
PID 1484 wrote to memory of 2360	1484	a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe	30
PID 2360 wrote to memory of 2276	2360	csc.exe	32
PID 2360 wrote to memory of 2276	2360	csc.exe	32
PID 2360 wrote to memory of 2276	2360	csc.exe	32
PID 2360 wrote to memory of 2276	2360	csc.exe	32
PID 1484 wrote to memory of 2316	1484	a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe	33
PID 1484 wrote to memory of 2316	1484	a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe	33
PID 1484 wrote to memory of 2316	1484	a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe	33
PID 1484 wrote to memory of 2316	1484	a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe	33
PID 1484 wrote to memory of 2684	1484	a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe	34
PID 1484 wrote to memory of 2684	1484	a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe	34
PID 1484 wrote to memory of 2684	1484	a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe	34
PID 1484 wrote to memory of 2684	1484	a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe	34
PID 1484 wrote to memory of 2684	1484	a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe	34
PID 1484 wrote to memory of 2684	1484	a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe	34
PID 1484 wrote to memory of 2684	1484	a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe	34
PID 1484 wrote to memory of 2684	1484	a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe	34
PID 1484 wrote to memory of 2684	1484	a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe	34
PID 1484 wrote to memory of 2684	1484	a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe	34
PID 1484 wrote to memory of 2684	1484	a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe	34
PID 1484 wrote to memory of 2684	1484	a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe	34
PID 1484 wrote to memory of 2684	1484	a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe	34
PID 2684 wrote to memory of 1152	2684	svchost.exe	35
PID 2684 wrote to memory of 1152	2684	svchost.exe	35
PID 2684 wrote to memory of 1152	2684	svchost.exe	35
PID 2684 wrote to memory of 1152	2684	svchost.exe	35
PID 2684 wrote to memory of 2612	2684	svchost.exe	36
PID 2684 wrote to memory of 2612	2684	svchost.exe	36
PID 2684 wrote to memory of 2612	2684	svchost.exe	36
PID 2684 wrote to memory of 2612	2684	svchost.exe	36
PID 2612 wrote to memory of 2624	2612	cmd.exe	39
PID 2612 wrote to memory of 2624	2612	cmd.exe	39
PID 2612 wrote to memory of 2624	2612	cmd.exe	39
PID 2612 wrote to memory of 2624	2612	cmd.exe	39
PID 1152 wrote to memory of 2688	1152	cmd.exe	40
PID 1152 wrote to memory of 2688	1152	cmd.exe	40
PID 1152 wrote to memory of 2688	1152	cmd.exe	40
PID 1152 wrote to memory of 2688	1152	cmd.exe	40

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2624	attrib.exe
2688	attrib.exe

C:\Users\Admin\AppData\Local\Temp\a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\h9ensuxd.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA5A3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA5A2.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2276
- C:\Users\Admin\AppData\Local\Temp\ƙƈơƅƳ.exe
  "C:\Users\Admin\AppData\Local\Temp\ƙƈơƅƳ.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2316
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\svchost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\svchost.exe" +s +h
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1152
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp\svchost.exe" +s +h
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2688
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA5A3.tmp

Filesize
1KB

MD5
2bce956a237d918ec70561fe2016c942

SHA1
92e5c2d18c89b10e347e8bd78298ed861ccc9448

SHA256
589d1c8f2d49eb3f3a62f9358abf536ce2f405ea99661c7488c36bc976d1184f

SHA512
7687d97a9b185519c939833a28e1382fdd867a13e728b4e755d39773d1de291deec884782f655d4e6646fae260eec05607ae3f69e2ea66a8a8ab3bc2f6e91c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\ƙƈơƅƳ.exe

Filesize
4KB

MD5
54784c895135b2c1646f4e00583d2ee4

SHA1
d109c3d1d76caf6a9ca82ad70b34da464129f576

SHA256
14f73ce8298b7ea520a8bb72e9247b33a48f1a1c7e857075f066823762a9b20b

SHA512
265fdef721bba4b908c6df43e9ec46d2276b23621b27c3cb33971c64ad79bee54eae5917224aafb8f066029ab8a1e4333b8d03d2fc1d25091b89c83fc941bd22

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCA5A2.tmp

Filesize
636B

MD5
1331fe033bf45628f04acd7dd8c0cc7a

SHA1
fe0ac44320307c4968da36b38d50e7f26522272d

SHA256
e7e135e565f686317e4b3eafc32c3ebda615bfbc075bac153e28b641618efe59

SHA512
dc41035bf70b8c325dab40d5b2f8d2d081a87f515c9bc84e0b683729757ea1762c3d678215986e7cc2682670806badd68d1766113dc005abfc8e56a95cc99859

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\h9ensuxd.0.cs

Filesize
1KB

MD5
0a995da3c2c392a3d6c91788740a22ed

SHA1
0c663051b94da9f25276097891dbf236cc3a3021

SHA256
19164a18d5e6630c2ca9d82136379ff5bc2b6f12b9e75982ce6fe7c56bff0ce9

SHA512
aef7d416e2b682f3f7279fbfd5e3ea3e5e983de340255156a84eaf495c450a03f9d5c1fff285c56dc8ce7ffce62b616b7cc7efc082dac88658192d5d746d0b60

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\h9ensuxd.cmdline

Filesize
263B

MD5
28b44b9b256a52b27ebb1272bee65205

SHA1
cd1279000668aae2e1960cc71d02482a9dbda169

SHA256
7bee52979d9430263efc89895b575e2cea11660bd1485057f080f1d166a4db10

SHA512
4af371e006b91b044adf9cb0844c7fe8bb90cda7cc16772edd11d7fc1812c2026548c8c1fad4a7eec2a415ea066c7fb7dc9b348e3607a1180ef92cecb33a295e

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
memory/1484-0-0x00000000743C1000-0x00000000743C2000-memory.dmp

Filesize
4KB

Download
memory/1484-1-0x00000000743C0000-0x000000007496B000-memory.dmp

Filesize
5.7MB

Download
memory/1484-2-0x00000000743C0000-0x000000007496B000-memory.dmp

Filesize
5.7MB

Download
memory/1484-50-0x00000000743C0000-0x000000007496B000-memory.dmp

Filesize
5.7MB

Download
memory/2360-10-0x00000000743C0000-0x000000007496B000-memory.dmp

Filesize
5.7MB

Download
memory/2360-15-0x00000000743C0000-0x000000007496B000-memory.dmp

Filesize
5.7MB

Download
memory/2684-47-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2684-25-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2684-42-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2684-41-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2684-37-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2684-35-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2684-31-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2684-48-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2684-33-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2684-46-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2684-29-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2684-27-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2684-39-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2684-45-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2684-51-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2684-52-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2684-53-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2684-54-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2684-55-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2684-56-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2684-57-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2684-58-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2684-59-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2684-60-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2684-61-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2684-62-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2684-63-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2684-64-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads