darkcomet | b698b3926296ddd844e359f482820483fb36b48a88e1e3f05992fedf69307ed8

General

Target

c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe
Size

714KB
MD5

c86fc7fd53318f3b349afc7e6917d4da
SHA1

268cc530681b53b39328493f0356d1b451f641bb
SHA256

b698b3926296ddd844e359f482820483fb36b48a88e1e3f05992fedf69307ed8
SHA512

5aede286cde54573aa4b191511c8de0f536f6f5fb5db9f6150fa12edfaf6b861384240a4a22bc40d4c2be7938ba20de35e80ac8b593356d3a01c023ffba18f35
SSDEEP

12288:uIRG3HAdNawEuNP3NNuQAxKtGg6PVrDNnf9PULAK34+cUcaZOuI+YD4zykQI:lGM8uZNNuVxKtv6PthmLjFcFNXNk

Score

10^/10

darkcomet latentbot cryptex discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

cryptex

C2

maintesting.zapto.org:100

Mutex

DC_MUTEX-N3RRY5E

Attributes

gencode
h9QeFSjJYYDh
install
false
offline_keylogger
true
persistence
false

Extracted

Family

latentbot

C2

maintesting.zapto.org

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

Processes:

zWBE86.execsrss.exe

pid	Process
5028	zWBE86.exe
556	csrss.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

zWBE86.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\java.exe"	zWBE86.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe

description	pid	Process	procid_target
PID 3696 set thread context of 556	3696	c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe	92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.execsc.execvtres.exezWBE86.execsrss.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zWBE86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.execsrss.exe

description	pid	Process
Token: SeDebugPrivilege	3696	c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	556	csrss.exe
Token: SeSecurityPrivilege	556	csrss.exe
Token: SeTakeOwnershipPrivilege	556	csrss.exe
Token: SeLoadDriverPrivilege	556	csrss.exe
Token: SeSystemProfilePrivilege	556	csrss.exe
Token: SeSystemtimePrivilege	556	csrss.exe
Token: SeProfSingleProcessPrivilege	556	csrss.exe
Token: SeIncBasePriorityPrivilege	556	csrss.exe
Token: SeCreatePagefilePrivilege	556	csrss.exe
Token: SeBackupPrivilege	556	csrss.exe
Token: SeRestorePrivilege	556	csrss.exe
Token: SeShutdownPrivilege	556	csrss.exe
Token: SeDebugPrivilege	556	csrss.exe
Token: SeSystemEnvironmentPrivilege	556	csrss.exe
Token: SeChangeNotifyPrivilege	556	csrss.exe
Token: SeRemoteShutdownPrivilege	556	csrss.exe
Token: SeUndockPrivilege	556	csrss.exe
Token: SeManageVolumePrivilege	556	csrss.exe
Token: SeImpersonatePrivilege	556	csrss.exe
Token: SeCreateGlobalPrivilege	556	csrss.exe
Token: 33	556	csrss.exe
Token: 34	556	csrss.exe
Token: 35	556	csrss.exe
Token: 36	556	csrss.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

csrss.exe

pid	Process
556	csrss.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.execsc.exe

description	pid	Process	procid_target
PID 3696 wrote to memory of 4848	3696	c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe	85
PID 3696 wrote to memory of 4848	3696	c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe	85
PID 3696 wrote to memory of 4848	3696	c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe	85
PID 4848 wrote to memory of 1340	4848	csc.exe	89
PID 4848 wrote to memory of 1340	4848	csc.exe	89
PID 4848 wrote to memory of 1340	4848	csc.exe	89
PID 3696 wrote to memory of 5028	3696	c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe	91
PID 3696 wrote to memory of 5028	3696	c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe	91
PID 3696 wrote to memory of 5028	3696	c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe	91
PID 3696 wrote to memory of 556	3696	c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe	92
PID 3696 wrote to memory of 556	3696	c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe	92
PID 3696 wrote to memory of 556	3696	c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe	92
PID 3696 wrote to memory of 556	3696	c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe	92
PID 3696 wrote to memory of 556	3696	c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe	92
PID 3696 wrote to memory of 556	3696	c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe	92
PID 3696 wrote to memory of 556	3696	c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe	92
PID 3696 wrote to memory of 556	3696	c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe	92
PID 3696 wrote to memory of 556	3696	c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe	92
PID 3696 wrote to memory of 556	3696	c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe	92
PID 3696 wrote to memory of 556	3696	c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe	92
PID 3696 wrote to memory of 556	3696	c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe	92
PID 3696 wrote to memory of 556	3696	c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe	92
PID 3696 wrote to memory of 556	3696	c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe	92

C:\Users\Admin\AppData\Local\Temp\c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c86fc7fd53318f3b349afc7e6917d4da_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3696
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q76xwg1x.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8137.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8136.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1340
- C:\Users\Admin\AppData\Local\Temp\zWBE86.exe
  "C:\Users\Admin\AppData\Local\Temp\zWBE86.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:5028
- C:\Users\Admin\AppData\Local\Temp\csrss.exe
  C:\Users\Admin\AppData\Local\Temp\csrss.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8137.tmp

Filesize
1KB

MD5
3dd02dadf121e12b35ac4ca529259cf0

SHA1
5ba4c5c848112dba3ddfd99ab394146c07fc9e60

SHA256
bd5de81b6c64d604af46fffe285d82e1f33de711f834ee885f092f1ccb60462e

SHA512
46045c441908babef9740acc4549a7af826bdf87ed57ec7caacef456ed461922886003c63b866157b0fc416a418d0d6d752f8a00c5cc0c9b53a67bea78a88410

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss.exe

Filesize
34KB

MD5
e118330b4629b12368d91b9df6488be0

SHA1
ce90218c7e3b90df2a3409ec253048bb6472c2fd

SHA256
3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

SHA512
ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zWBE86.exe

Filesize
4KB

MD5
0ff780e6546bc22016277a5f8056c7af

SHA1
647d40b7b2b0429e12da3a4d28a2a27c64bef92d

SHA256
060d5999e9670e3979c5a8077944c8989c8ce5f8e62f769fedc0a388bf44638f

SHA512
8c386884f6fded46a9fb3864350857ec26ed15212062274a79020461cd1f58dddf2ddc4e223cdcdfff1df8b9f82360827482ee53bb1a7f6135bf2ce89c9ac795

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC8136.tmp

Filesize
644B

MD5
cacac6fffd7fd540446b0b1c35016152

SHA1
173cc03dd66612da4c5f1b94d6390e8daa411619

SHA256
e941466bf4fe3a0be93df8cd4b12694bdeb793a65a02f8f147cec3ca0c78ee99

SHA512
0c1496b0b965f5ee9ecda80e2a557372cc7990cb1bdf571cac861304fc8d203840fdd5d7db1108fc9b5597cf3cc2b559a6fc5ee6d998dd82c903f7f51a28df0b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q76xwg1x.0.cs

Filesize
1KB

MD5
4586b0964b6dd621eefe180365dac459

SHA1
8f6d6049d4d7aa768b59c68174955e0738c17028

SHA256
bc07f46b1fe228f670a98ea3040426e37d2b432dda06e61386f79428a4c499dd

SHA512
ac7720640b4b1b527afc4c2d481c230102748a7c393f8609afc830b552064157eeeb3fc00fe7adcbf57fc03b8468bf2560110cbca0813b4bbd65969ed196e523

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q76xwg1x.cmdline

Filesize
259B

MD5
f10755b0283bdc6e2bbdfd62f45980a3

SHA1
31505e75430905adaedc35b8df79a30fe54f2381

SHA256
e644733547b569960b89f0b9d6fad8bf9b25ed99a52d16849d382ca0f60d2fb2

SHA512
f2ad95b0b9a9a7bacb4d405f5639d8389f854b22b53b6a5bd95eeb63480ee6c27180082be682dc65ad6278e951bacf279018e5157266bb6a659a3f7d0013ac83

Download Submit
memory/556-34-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/556-37-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/556-51-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/556-50-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/556-49-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/556-48-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/556-47-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/556-29-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/556-25-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/556-30-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/556-46-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/556-33-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/556-45-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/556-35-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/556-44-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/556-43-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/556-38-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/556-39-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/556-40-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/556-41-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/556-42-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3696-0-0x0000000075322000-0x0000000075323000-memory.dmp

Filesize
4KB

Download
memory/3696-32-0x0000000075320000-0x00000000758D1000-memory.dmp

Filesize
5.7MB

Download
memory/3696-1-0x0000000075320000-0x00000000758D1000-memory.dmp

Filesize
5.7MB

Download
memory/3696-22-0x0000000075320000-0x00000000758D1000-memory.dmp

Filesize
5.7MB

Download
memory/3696-2-0x0000000075320000-0x00000000758D1000-memory.dmp

Filesize
5.7MB

Download
memory/4848-8-0x0000000075320000-0x00000000758D1000-memory.dmp

Filesize
5.7MB

Download
memory/4848-15-0x0000000075320000-0x00000000758D1000-memory.dmp

Filesize
5.7MB

Download
memory/5028-36-0x0000000075320000-0x00000000758D1000-memory.dmp

Filesize
5.7MB

Download
memory/5028-21-0x0000000075320000-0x00000000758D1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads