darkcomet | b698b3926296ddd844e359f482820483fb36b48a88e1e3f05992fedf69307ed8

General

Target

c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe
Size

714KB
MD5

c86fc7fd53318f3b349afc7e6917d4da
SHA1

268cc530681b53b39328493f0356d1b451f641bb
SHA256

b698b3926296ddd844e359f482820483fb36b48a88e1e3f05992fedf69307ed8
SHA512

5aede286cde54573aa4b191511c8de0f536f6f5fb5db9f6150fa12edfaf6b861384240a4a22bc40d4c2be7938ba20de35e80ac8b593356d3a01c023ffba18f35
SSDEEP

12288:uIRG3HAdNawEuNP3NNuQAxKtGg6PVrDNnf9PULAK34+cUcaZOuI+YD4zykQI:lGM8uZNNuVxKtv6PthmLjFcFNXNk

Score

10^/10

darkcomet latentbot cryptex discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

cryptex

C2

maintesting.zapto.org:100

Mutex

DC_MUTEX-N3RRY5E

Attributes

gencode
h9QeFSjJYYDh
install
false
offline_keylogger
true
persistence
false

Extracted

Family

latentbot

C2

maintesting.zapto.org

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Executes dropped EXE 2 IoCs

Processes:

zWBE86.execsrss.exe

pid	Process
2760	zWBE86.exe
2864	csrss.exe

Loads dropped DLL 3 IoCs

Processes:

c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe

pid	Process
2584	c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe
2584	c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe
2584	c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

zWBE86.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\java.exe"	zWBE86.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe

description	pid	Process	procid_target
PID 2584 set thread context of 2864	2584	c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.execsc.execvtres.exezWBE86.execsrss.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zWBE86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.execsrss.exe

description	pid	Process
Token: SeDebugPrivilege	2584	c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2864	csrss.exe
Token: SeSecurityPrivilege	2864	csrss.exe
Token: SeTakeOwnershipPrivilege	2864	csrss.exe
Token: SeLoadDriverPrivilege	2864	csrss.exe
Token: SeSystemProfilePrivilege	2864	csrss.exe
Token: SeSystemtimePrivilege	2864	csrss.exe
Token: SeProfSingleProcessPrivilege	2864	csrss.exe
Token: SeIncBasePriorityPrivilege	2864	csrss.exe
Token: SeCreatePagefilePrivilege	2864	csrss.exe
Token: SeBackupPrivilege	2864	csrss.exe
Token: SeRestorePrivilege	2864	csrss.exe
Token: SeShutdownPrivilege	2864	csrss.exe
Token: SeDebugPrivilege	2864	csrss.exe
Token: SeSystemEnvironmentPrivilege	2864	csrss.exe
Token: SeChangeNotifyPrivilege	2864	csrss.exe
Token: SeRemoteShutdownPrivilege	2864	csrss.exe
Token: SeUndockPrivilege	2864	csrss.exe
Token: SeManageVolumePrivilege	2864	csrss.exe
Token: SeImpersonatePrivilege	2864	csrss.exe
Token: SeCreateGlobalPrivilege	2864	csrss.exe
Token: 33	2864	csrss.exe
Token: 34	2864	csrss.exe
Token: 35	2864	csrss.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

csrss.exe

pid	Process
2864	csrss.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.execsc.exe

description	pid	Process	procid_target
PID 2584 wrote to memory of 2520	2584	c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe	30
PID 2584 wrote to memory of 2520	2584	c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe	30
PID 2584 wrote to memory of 2520	2584	c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe	30
PID 2584 wrote to memory of 2520	2584	c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe	30
PID 2520 wrote to memory of 2400	2520	csc.exe	32
PID 2520 wrote to memory of 2400	2520	csc.exe	32
PID 2520 wrote to memory of 2400	2520	csc.exe	32
PID 2520 wrote to memory of 2400	2520	csc.exe	32
PID 2584 wrote to memory of 2760	2584	c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe	33
PID 2584 wrote to memory of 2760	2584	c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe	33
PID 2584 wrote to memory of 2760	2584	c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe	33
PID 2584 wrote to memory of 2760	2584	c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe	33
PID 2584 wrote to memory of 2864	2584	c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe	34
PID 2584 wrote to memory of 2864	2584	c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe	34
PID 2584 wrote to memory of 2864	2584	c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe	34
PID 2584 wrote to memory of 2864	2584	c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe	34
PID 2584 wrote to memory of 2864	2584	c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe	34
PID 2584 wrote to memory of 2864	2584	c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe	34
PID 2584 wrote to memory of 2864	2584	c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe	34
PID 2584 wrote to memory of 2864	2584	c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe	34
PID 2584 wrote to memory of 2864	2584	c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe	34
PID 2584 wrote to memory of 2864	2584	c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe	34
PID 2584 wrote to memory of 2864	2584	c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe	34
PID 2584 wrote to memory of 2864	2584	c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe	34
PID 2584 wrote to memory of 2864	2584	c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe	34

C:\Users\Admin\AppData\Local\Temp\c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nx2yopgs.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB52D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB52C.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2400
- C:\Users\Admin\AppData\Local\Temp\zWBE86.exe
  "C:\Users\Admin\AppData\Local\Temp\zWBE86.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2760
- C:\Users\Admin\AppData\Local\Temp\csrss.exe
  C:\Users\Admin\AppData\Local\Temp\csrss.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB52D.tmp

Filesize
1KB

MD5
91f596d037b72f0e58f9ad81c0be10f1

SHA1
c99d88edc0a8d1951098ab043327266b4fa7532c

SHA256
05d4a61df7a60636c3fffdadbff4156fa1a335d796cc6f20fdda5ce178243f2c

SHA512
0c0001e5b063b1a1f38425a9dd19b6fef4c681b913830f06d610a2fc789a90b7bfe176da6562513272eb191d59332be7f4431032792048c0a0d6d3c1efdadc44

Download Submit
C:\Users\Admin\AppData\Local\Temp\zWBE86.exe

Filesize
4KB

MD5
a20437e7ea759ad7215cf5094b9a4463

SHA1
cf52000d14f6a8e59e26ebac94a0d9e45209ac73

SHA256
0ae1115021ce76e72d6a4d3bee3bb86fbb8fa89bf2bd7e3f1d93e9eac5ecb394

SHA512
58d075b0bcf0c773e59e718c7c55d876c7e3d056f8181522699eb758f3c09c7150f66c9490f12d9ff5e27abfe04bbff366318f2c6cb0b879f7eff1d53c54c53c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCB52C.tmp

Filesize
644B

MD5
cacac6fffd7fd540446b0b1c35016152

SHA1
173cc03dd66612da4c5f1b94d6390e8daa411619

SHA256
e941466bf4fe3a0be93df8cd4b12694bdeb793a65a02f8f147cec3ca0c78ee99

SHA512
0c1496b0b965f5ee9ecda80e2a557372cc7990cb1bdf571cac861304fc8d203840fdd5d7db1108fc9b5597cf3cc2b559a6fc5ee6d998dd82c903f7f51a28df0b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nx2yopgs.0.cs

Filesize
1KB

MD5
4586b0964b6dd621eefe180365dac459

SHA1
8f6d6049d4d7aa768b59c68174955e0738c17028

SHA256
bc07f46b1fe228f670a98ea3040426e37d2b432dda06e61386f79428a4c499dd

SHA512
ac7720640b4b1b527afc4c2d481c230102748a7c393f8609afc830b552064157eeeb3fc00fe7adcbf57fc03b8468bf2560110cbca0813b4bbd65969ed196e523

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nx2yopgs.cmdline

Filesize
259B

MD5
c13466927a7b28f6a914f328a8ee0f06

SHA1
af39e46f2ef055a4c6262513ac112aff9a6fe72e

SHA256
a3a2c9a07af3a566305798a46929b161aee767700f82800047863e6ba3c15c85

SHA512
337308ec9f352b534854f0d2dd3cc2ad20266343f1d8ae07b6cf58698f219dead7f6ec4b0963ee8b442f65a956b0d54d79311316f6375122301bd12e1ca468d7

Download Submit
\Users\Admin\AppData\Local\Temp\csrss.exe

Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
memory/2520-8-0x0000000074FC0000-0x000000007556B000-memory.dmp

Filesize
5.7MB

Download
memory/2520-15-0x0000000074FC0000-0x000000007556B000-memory.dmp

Filesize
5.7MB

Download
memory/2584-45-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/2584-2-0x0000000074FC0000-0x000000007556B000-memory.dmp

Filesize
5.7MB

Download
memory/2584-1-0x0000000074FC0000-0x000000007556B000-memory.dmp

Filesize
5.7MB

Download
memory/2584-49-0x0000000074FC0000-0x000000007556B000-memory.dmp

Filesize
5.7MB

Download
memory/2584-0-0x0000000074FC1000-0x0000000074FC2000-memory.dmp

Filesize
4KB

Download
memory/2864-36-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2864-50-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2864-42-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2864-40-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2864-39-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2864-48-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2864-47-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2864-46-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2864-34-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2864-32-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2864-30-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2864-28-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2864-26-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2864-43-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2864-51-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2864-52-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2864-53-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2864-54-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2864-55-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2864-56-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2864-57-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2864-58-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2864-59-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2864-60-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2864-61-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2864-62-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2864-63-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads