darkcomet | 1374c9b8a6efcd3545952347bf2d76ee31a5170c4f5bdc914766d19bc8286cb5

Analysis

max time kernel
148s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 08:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe
Size

881KB
MD5

a624aa1f6f7f6eb9d04020e3e6638e84
SHA1

a7f7463fb19e0d04c7c1d63ca2b338c3a7667dfc
SHA256

1374c9b8a6efcd3545952347bf2d76ee31a5170c4f5bdc914766d19bc8286cb5
SHA512

3e9d36a113652efd09d9a2279083da6faafc551828a15f2595bcdbe04326d6f75cacfcc137f3b1f728540fed988f91a71770aa2577bbcf2fa25dcc1177d935ea
SSDEEP

24576:QhGcW2ywZ1kqWgfXNTn+oRKPYuciiCWL:QXW2ywigzruciFa

Score

10^/10

darkcomet latentbot guest16 discovery evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

botnetclients.zapto.org:1604

127.0.0.1:1604

Mutex

DC_MUTEX-3AXC87R

Attributes

gencode
9wPMRqlWAgCe
install
false
offline_keylogger
true
persistence
false

Extracted

Family

latentbot

botnetclients.zapto.org

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
4712	attrib.exe
4292	attrib.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 2 IoCs

pid	Process
1852	ƙƈơƅƳ.exe
4652	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleUpdater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Google.exe"	ƙƈơƅƳ.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4164 set thread context of 4652	4164	a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe	91

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ƙƈơƅƳ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4652	svchost.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	4164	a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	4652	svchost.exe
Token: SeSecurityPrivilege	4652	svchost.exe
Token: SeTakeOwnershipPrivilege	4652	svchost.exe
Token: SeLoadDriverPrivilege	4652	svchost.exe
Token: SeSystemProfilePrivilege	4652	svchost.exe
Token: SeSystemtimePrivilege	4652	svchost.exe
Token: SeProfSingleProcessPrivilege	4652	svchost.exe
Token: SeIncBasePriorityPrivilege	4652	svchost.exe
Token: SeCreatePagefilePrivilege	4652	svchost.exe
Token: SeBackupPrivilege	4652	svchost.exe
Token: SeRestorePrivilege	4652	svchost.exe
Token: SeShutdownPrivilege	4652	svchost.exe
Token: SeDebugPrivilege	4652	svchost.exe
Token: SeSystemEnvironmentPrivilege	4652	svchost.exe
Token: SeChangeNotifyPrivilege	4652	svchost.exe
Token: SeRemoteShutdownPrivilege	4652	svchost.exe
Token: SeUndockPrivilege	4652	svchost.exe
Token: SeManageVolumePrivilege	4652	svchost.exe
Token: SeImpersonatePrivilege	4652	svchost.exe
Token: SeCreateGlobalPrivilege	4652	svchost.exe
Token: 33	4652	svchost.exe
Token: 34	4652	svchost.exe
Token: 35	4652	svchost.exe
Token: 36	4652	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4652	svchost.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 4164 wrote to memory of 3596	4164	a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe	85
PID 4164 wrote to memory of 3596	4164	a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe	85
PID 4164 wrote to memory of 3596	4164	a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe	85
PID 3596 wrote to memory of 4236	3596	csc.exe	88
PID 3596 wrote to memory of 4236	3596	csc.exe	88
PID 3596 wrote to memory of 4236	3596	csc.exe	88
PID 4164 wrote to memory of 1852	4164	a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe	90
PID 4164 wrote to memory of 1852	4164	a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe	90
PID 4164 wrote to memory of 1852	4164	a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe	90
PID 4164 wrote to memory of 4652	4164	a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe	91
PID 4164 wrote to memory of 4652	4164	a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe	91
PID 4164 wrote to memory of 4652	4164	a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe	91
PID 4164 wrote to memory of 4652	4164	a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe	91
PID 4164 wrote to memory of 4652	4164	a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe	91
PID 4164 wrote to memory of 4652	4164	a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe	91
PID 4164 wrote to memory of 4652	4164	a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe	91
PID 4164 wrote to memory of 4652	4164	a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe	91
PID 4164 wrote to memory of 4652	4164	a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe	91
PID 4164 wrote to memory of 4652	4164	a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe	91
PID 4164 wrote to memory of 4652	4164	a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe	91
PID 4164 wrote to memory of 4652	4164	a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe	91
PID 4164 wrote to memory of 4652	4164	a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe	91
PID 4164 wrote to memory of 4652	4164	a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe	91
PID 4652 wrote to memory of 1976	4652	svchost.exe	92
PID 4652 wrote to memory of 1976	4652	svchost.exe	92
PID 4652 wrote to memory of 1976	4652	svchost.exe	92
PID 4652 wrote to memory of 4908	4652	svchost.exe	93
PID 4652 wrote to memory of 4908	4652	svchost.exe	93
PID 4652 wrote to memory of 4908	4652	svchost.exe	93
PID 1976 wrote to memory of 4292	1976	cmd.exe	96
PID 1976 wrote to memory of 4292	1976	cmd.exe	96
PID 1976 wrote to memory of 4292	1976	cmd.exe	96
PID 4908 wrote to memory of 4712	4908	cmd.exe	97
PID 4908 wrote to memory of 4712	4908	cmd.exe	97
PID 4908 wrote to memory of 4712	4908	cmd.exe	97

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4712	attrib.exe
4292	attrib.exe

C:\Users\Admin\AppData\Local\Temp\a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a624aa1f6f7f6eb9d04020e3e6638e84_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4164
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wi6jzcdk.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3596
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAAC8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCAAC7.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4236
- C:\Users\Admin\AppData\Local\Temp\ƙƈơƅƳ.exe
  "C:\Users\Admin\AppData\Local\Temp\ƙƈơƅƳ.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1852
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\svchost.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\svchost.exe" +s +h
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1976
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp\svchost.exe" +s +h
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:4292
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4908
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:4712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESAAC8.tmp

Filesize
1KB

MD5
7fbba2ad1ef3f04dda0457fd65bd2a13

SHA1
87c49cad9a8fab6cfc31afec6b7d8a44733f7105

SHA256
47a3c9cab08cfd81614ea594ce96c18309dcddfe19339335ff995407afe5935a

SHA512
d43089eb07db46e2d46a80c9b7e3d8f1f9981cb5a1e86d1abf96f4922941cd69c9a45a193e63840408edf28846234e55758f64a5eb82a58d9660822f271c4472

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
34KB

MD5
e118330b4629b12368d91b9df6488be0

SHA1
ce90218c7e3b90df2a3409ec253048bb6472c2fd

SHA256
3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

SHA512
ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ƙƈơƅƳ.exe

Filesize
4KB

MD5
7c00e2ba53605d489ff76ac9049df73f

SHA1
354459ff23e35528c3c39ae6638cefef0a578608

SHA256
5ebe4de0953ee999838a133f3c01a139a13b58c1334f942cfa36bdbd1ecd35ca

SHA512
bc17602978f5c7360390672fe47230ad4c3e29d40b4061c52e9394f6cd549f3f6622f506fc4797d3ee31581cdda84aafd89989939cf02b1f0abf4c3c5821b116

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCAAC7.tmp

Filesize
636B

MD5
1331fe033bf45628f04acd7dd8c0cc7a

SHA1
fe0ac44320307c4968da36b38d50e7f26522272d

SHA256
e7e135e565f686317e4b3eafc32c3ebda615bfbc075bac153e28b641618efe59

SHA512
dc41035bf70b8c325dab40d5b2f8d2d081a87f515c9bc84e0b683729757ea1762c3d678215986e7cc2682670806badd68d1766113dc005abfc8e56a95cc99859

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wi6jzcdk.0.cs

Filesize
1KB

MD5
0a995da3c2c392a3d6c91788740a22ed

SHA1
0c663051b94da9f25276097891dbf236cc3a3021

SHA256
19164a18d5e6630c2ca9d82136379ff5bc2b6f12b9e75982ce6fe7c56bff0ce9

SHA512
aef7d416e2b682f3f7279fbfd5e3ea3e5e983de340255156a84eaf495c450a03f9d5c1fff285c56dc8ce7ffce62b616b7cc7efc082dac88658192d5d746d0b60

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wi6jzcdk.cmdline

Filesize
263B

MD5
b4e3828fd552b5752ae37770e57a562c

SHA1
0656b3a4f9cc770516ccda918e41940686b17f4b

SHA256
e8e846dfb9fc6a588d9ec81242806ae15fe06fff169af10cba9ff3091974b6dd

SHA512
0323cebe70089439ea07c82c89eebcab195bc5e920d49c0efec776a51cf04aa81ff9d73d816ffe762062349ba75b3a25abaf1090ec9c1d88bda73b146ac1672f

Download Submit
memory/1852-22-0x0000000075390000-0x0000000075941000-memory.dmp

Filesize
5.7MB

Download
memory/1852-20-0x0000000075390000-0x0000000075941000-memory.dmp

Filesize
5.7MB

Download
memory/1852-37-0x0000000075390000-0x0000000075941000-memory.dmp

Filesize
5.7MB

Download
memory/1852-30-0x0000000075390000-0x0000000075941000-memory.dmp

Filesize
5.7MB

Download
memory/3596-10-0x0000000075390000-0x0000000075941000-memory.dmp

Filesize
5.7MB

Download
memory/3596-15-0x0000000075390000-0x0000000075941000-memory.dmp

Filesize
5.7MB

Download
memory/4164-2-0x0000000075390000-0x0000000075941000-memory.dmp

Filesize
5.7MB

Download
memory/4164-1-0x0000000075390000-0x0000000075941000-memory.dmp

Filesize
5.7MB

Download
memory/4164-28-0x0000000075390000-0x0000000075941000-memory.dmp

Filesize
5.7MB

Download
memory/4164-0-0x0000000075392000-0x0000000075393000-memory.dmp

Filesize
4KB

Download
memory/4652-32-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4652-43-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4652-29-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4652-35-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4652-34-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4652-33-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4652-23-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4652-39-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4652-40-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4652-41-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4652-42-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4652-26-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4652-44-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4652-45-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4652-46-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4652-47-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4652-48-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4652-49-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4652-50-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4652-51-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4652-52-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads