darkcomet | 22fe32fd72a901239a5635d4fb6efe588e83812e10590cd64419c612e5649e24

General

Target

b545097b070ac19766a36b4617338363_JaffaCakes118.exe
Size

918KB
MD5

b545097b070ac19766a36b4617338363
SHA1

bbec26108117802436b079099a357c04296093fc
SHA256

22fe32fd72a901239a5635d4fb6efe588e83812e10590cd64419c612e5649e24
SHA512

1881ae7735e9dda6f87a3aebe4d73ffd303dd0e44c18116f6da7966ecae9d2a91e87f3956e228eaa55abffaf30f080c6bafc1603d8d43d9c2923175722387b97
SSDEEP

24576:8gefGu8NaXaPkoekz4R7PbMxIozXVbv+4sQuTfpy1BGZ3s:au2iy7P0Bli4Q7peBU3

Score

10^/10

darkcomet latentbot darkz discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

darkz

C2

gameserver2.zapto.org:1604

Mutex

DC_MUTEX-59WS2LP

Attributes

gencode
FCPYmHSjUERL
install
false
offline_keylogger
true
persistence
false

Extracted

Family

latentbot

C2

gameserver2.zapto.org

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

b545097b070ac19766a36b4617338363_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon.exe = "C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe"	b545097b070ac19766a36b4617338363_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

b545097b070ac19766a36b4617338363_JaffaCakes118.exe

description	pid	Process	procid_target
PID 2220 set thread context of 2808	2220	b545097b070ac19766a36b4617338363_JaffaCakes118.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exevbc.exeb545097b070ac19766a36b4617338363_JaffaCakes118.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b545097b070ac19766a36b4617338363_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

vbc.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2808	vbc.exe
Token: SeSecurityPrivilege	2808	vbc.exe
Token: SeTakeOwnershipPrivilege	2808	vbc.exe
Token: SeLoadDriverPrivilege	2808	vbc.exe
Token: SeSystemProfilePrivilege	2808	vbc.exe
Token: SeSystemtimePrivilege	2808	vbc.exe
Token: SeProfSingleProcessPrivilege	2808	vbc.exe
Token: SeIncBasePriorityPrivilege	2808	vbc.exe
Token: SeCreatePagefilePrivilege	2808	vbc.exe
Token: SeBackupPrivilege	2808	vbc.exe
Token: SeRestorePrivilege	2808	vbc.exe
Token: SeShutdownPrivilege	2808	vbc.exe
Token: SeDebugPrivilege	2808	vbc.exe
Token: SeSystemEnvironmentPrivilege	2808	vbc.exe
Token: SeChangeNotifyPrivilege	2808	vbc.exe
Token: SeRemoteShutdownPrivilege	2808	vbc.exe
Token: SeUndockPrivilege	2808	vbc.exe
Token: SeManageVolumePrivilege	2808	vbc.exe
Token: SeImpersonatePrivilege	2808	vbc.exe
Token: SeCreateGlobalPrivilege	2808	vbc.exe
Token: 33	2808	vbc.exe
Token: 34	2808	vbc.exe
Token: 35	2808	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vbc.exe

pid	Process
2808	vbc.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

b545097b070ac19766a36b4617338363_JaffaCakes118.exe

description	pid	Process	procid_target
PID 2220 wrote to memory of 2692	2220	b545097b070ac19766a36b4617338363_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2692	2220	b545097b070ac19766a36b4617338363_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2692	2220	b545097b070ac19766a36b4617338363_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2692	2220	b545097b070ac19766a36b4617338363_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2808	2220	b545097b070ac19766a36b4617338363_JaffaCakes118.exe	32
PID 2220 wrote to memory of 2808	2220	b545097b070ac19766a36b4617338363_JaffaCakes118.exe	32
PID 2220 wrote to memory of 2808	2220	b545097b070ac19766a36b4617338363_JaffaCakes118.exe	32
PID 2220 wrote to memory of 2808	2220	b545097b070ac19766a36b4617338363_JaffaCakes118.exe	32
PID 2220 wrote to memory of 2808	2220	b545097b070ac19766a36b4617338363_JaffaCakes118.exe	32
PID 2220 wrote to memory of 2808	2220	b545097b070ac19766a36b4617338363_JaffaCakes118.exe	32
PID 2220 wrote to memory of 2808	2220	b545097b070ac19766a36b4617338363_JaffaCakes118.exe	32
PID 2220 wrote to memory of 2808	2220	b545097b070ac19766a36b4617338363_JaffaCakes118.exe	32
PID 2220 wrote to memory of 2808	2220	b545097b070ac19766a36b4617338363_JaffaCakes118.exe	32
PID 2220 wrote to memory of 2808	2220	b545097b070ac19766a36b4617338363_JaffaCakes118.exe	32
PID 2220 wrote to memory of 2808	2220	b545097b070ac19766a36b4617338363_JaffaCakes118.exe	32
PID 2220 wrote to memory of 2808	2220	b545097b070ac19766a36b4617338363_JaffaCakes118.exe	32
PID 2220 wrote to memory of 2808	2220	b545097b070ac19766a36b4617338363_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\b545097b070ac19766a36b4617338363_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b545097b070ac19766a36b4617338363_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ren C:\Users\Admin\AppData\Roaming\winlogon winlogon.exe && exit
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2692
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\winlogon

Filesize
918KB

MD5
b545097b070ac19766a36b4617338363

SHA1
bbec26108117802436b079099a357c04296093fc

SHA256
22fe32fd72a901239a5635d4fb6efe588e83812e10590cd64419c612e5649e24

SHA512
1881ae7735e9dda6f87a3aebe4d73ffd303dd0e44c18116f6da7966ecae9d2a91e87f3956e228eaa55abffaf30f080c6bafc1603d8d43d9c2923175722387b97

Download Submit
memory/2220-21-0x00000000740F0000-0x000000007469B000-memory.dmp

Filesize
5.7MB

Download
memory/2220-1-0x00000000740F0000-0x000000007469B000-memory.dmp

Filesize
5.7MB

Download
memory/2220-2-0x00000000740F0000-0x000000007469B000-memory.dmp

Filesize
5.7MB

Download
memory/2220-0-0x00000000740F1000-0x00000000740F2000-memory.dmp

Filesize
4KB

Download
memory/2808-8-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2808-25-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2808-18-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2808-23-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2808-22-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2808-20-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2808-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2808-13-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2808-14-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2808-12-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2808-11-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2808-9-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2808-10-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2808-5-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2808-24-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2808-19-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2808-26-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2808-27-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2808-28-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2808-29-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2808-30-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2808-31-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2808-32-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2808-33-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2808-34-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2808-35-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2808-36-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2808-37-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2808-38-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2808-39-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2808-40-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2808-41-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads