darkcomet | 25b9faa0e98219baa584af25043ae37184dc2ab41e30da04f54e0afde2d55c59

General

Target

e912f3304ad024cd5f372e9841dca40e_JaffaCakes118.exe
Size

302KB
MD5

e912f3304ad024cd5f372e9841dca40e
SHA1

6143abd6ae53f88316c3c8b6b8e0a276b350caba
SHA256

25b9faa0e98219baa584af25043ae37184dc2ab41e30da04f54e0afde2d55c59
SHA512

b02724ff3663ca5aa3c7dba9745b04da6123dd7b21e6992a7739f0d8d552e85b116afc54b5fc3d757a821111d63886750f2c32087f657251a4cf54110cd93888
SSDEEP

6144:Aa5jVb60xGvzi4h9XyVyeyD4OQPC4i6mjdee7gkXwztrgUffoS9j:A4jVb60V4CyyPYjdP7gkgzpgUXoS

Score

10^/10

darkcomet latentbot discovery persistence rat trojan upx

Malware Config

Extracted

Family

latentbot

C2

pertenemene.zapto.org

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Executes dropped EXE 2 IoCs

pid	Process
2848	FSJoiner.exe
2948	FSJoiner.exe

Loads dropped DLL 5 IoCs

pid	Process
2632	e912f3304ad024cd5f372e9841dca40e_JaffaCakes118.exe
2632	e912f3304ad024cd5f372e9841dca40e_JaffaCakes118.exe
2632	e912f3304ad024cd5f372e9841dca40e_JaffaCakes118.exe
2632	e912f3304ad024cd5f372e9841dca40e_JaffaCakes118.exe
2632	e912f3304ad024cd5f372e9841dca40e_JaffaCakes118.exe

UPX packed file 29 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2632-0-0x0000000000400000-0x0000000000542000-memory.dmp	upx
behavioral1/files/0x0008000000015d7e-21.dat	upx
behavioral1/memory/2632-38-0x0000000000400000-0x0000000000542000-memory.dmp	upx
behavioral1/memory/2848-39-0x0000000000400000-0x0000000000542000-memory.dmp	upx
behavioral1/memory/2948-43-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2948-48-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2848-47-0x0000000000400000-0x0000000000542000-memory.dmp	upx
behavioral1/memory/2948-45-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2948-49-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2948-51-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2948-50-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2948-52-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2948-53-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2948-54-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2948-56-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2948-55-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2948-57-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2948-58-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2948-59-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2948-60-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2948-61-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2948-62-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2948-63-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2948-64-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2948-65-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2948-66-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2948-67-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2948-68-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2948-69-0x0000000000400000-0x00000000004B8000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fsj = "C:\\Users\\Admin\\AppData\\Roaming\\fs\\FSJoiner.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2848 set thread context of 2948	2848	FSJoiner.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e912f3304ad024cd5f372e9841dca40e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FSJoiner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FSJoiner.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2948	FSJoiner.exe
Token: SeSecurityPrivilege	2948	FSJoiner.exe
Token: SeTakeOwnershipPrivilege	2948	FSJoiner.exe
Token: SeLoadDriverPrivilege	2948	FSJoiner.exe
Token: SeSystemProfilePrivilege	2948	FSJoiner.exe
Token: SeSystemtimePrivilege	2948	FSJoiner.exe
Token: SeProfSingleProcessPrivilege	2948	FSJoiner.exe
Token: SeIncBasePriorityPrivilege	2948	FSJoiner.exe
Token: SeCreatePagefilePrivilege	2948	FSJoiner.exe
Token: SeBackupPrivilege	2948	FSJoiner.exe
Token: SeRestorePrivilege	2948	FSJoiner.exe
Token: SeShutdownPrivilege	2948	FSJoiner.exe
Token: SeDebugPrivilege	2948	FSJoiner.exe
Token: SeSystemEnvironmentPrivilege	2948	FSJoiner.exe
Token: SeChangeNotifyPrivilege	2948	FSJoiner.exe
Token: SeRemoteShutdownPrivilege	2948	FSJoiner.exe
Token: SeUndockPrivilege	2948	FSJoiner.exe
Token: SeManageVolumePrivilege	2948	FSJoiner.exe
Token: SeImpersonatePrivilege	2948	FSJoiner.exe
Token: SeCreateGlobalPrivilege	2948	FSJoiner.exe
Token: 33	2948	FSJoiner.exe
Token: 34	2948	FSJoiner.exe
Token: 35	2948	FSJoiner.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2632	e912f3304ad024cd5f372e9841dca40e_JaffaCakes118.exe
2848	FSJoiner.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 2648	2632	e912f3304ad024cd5f372e9841dca40e_JaffaCakes118.exe	30
PID 2632 wrote to memory of 2648	2632	e912f3304ad024cd5f372e9841dca40e_JaffaCakes118.exe	30
PID 2632 wrote to memory of 2648	2632	e912f3304ad024cd5f372e9841dca40e_JaffaCakes118.exe	30
PID 2632 wrote to memory of 2648	2632	e912f3304ad024cd5f372e9841dca40e_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2812	2648	cmd.exe	32
PID 2648 wrote to memory of 2812	2648	cmd.exe	32
PID 2648 wrote to memory of 2812	2648	cmd.exe	32
PID 2648 wrote to memory of 2812	2648	cmd.exe	32
PID 2632 wrote to memory of 2848	2632	e912f3304ad024cd5f372e9841dca40e_JaffaCakes118.exe	33
PID 2632 wrote to memory of 2848	2632	e912f3304ad024cd5f372e9841dca40e_JaffaCakes118.exe	33
PID 2632 wrote to memory of 2848	2632	e912f3304ad024cd5f372e9841dca40e_JaffaCakes118.exe	33
PID 2632 wrote to memory of 2848	2632	e912f3304ad024cd5f372e9841dca40e_JaffaCakes118.exe	33
PID 2848 wrote to memory of 2948	2848	FSJoiner.exe	34
PID 2848 wrote to memory of 2948	2848	FSJoiner.exe	34
PID 2848 wrote to memory of 2948	2848	FSJoiner.exe	34
PID 2848 wrote to memory of 2948	2848	FSJoiner.exe	34
PID 2848 wrote to memory of 2948	2848	FSJoiner.exe	34
PID 2848 wrote to memory of 2948	2848	FSJoiner.exe	34
PID 2848 wrote to memory of 2948	2848	FSJoiner.exe	34
PID 2848 wrote to memory of 2948	2848	FSJoiner.exe	34
PID 2848 wrote to memory of 2948	2848	FSJoiner.exe	34

C:\Users\Admin\AppData\Local\Temp\e912f3304ad024cd5f372e9841dca40e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e912f3304ad024cd5f372e9841dca40e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\259410973.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "fsj" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\fs\FSJoiner.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2812
- C:\Users\Admin\AppData\Roaming\fs\FSJoiner.exe
  "C:\Users\Admin\AppData\Roaming\fs\FSJoiner.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Users\Admin\AppData\Roaming\fs\FSJoiner.exe
    C:\Users\Admin\AppData\Roaming\fs\FSJoiner.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259410973.bat

Filesize
134B

MD5
79686e11e1add47ebf72114c3ad5735b

SHA1
9108768456cca6edd324dcb4dca83a7b0d540e14

SHA256
f5f02c8fd1a51460b0ffb3a4d0c951c5b5b446dcf189f70d710f285afd4d49c3

SHA512
31bac9f62297a84df7acec2b4fec62f55ddf2de809d33f745898223f8f4c1f6a10738d5524f48b06fc1c9256e778dae353fc4e830f98c7846d545de9cbf12a6b

Download Submit
\Users\Admin\AppData\Roaming\fs\FSJoiner.exe

Filesize
302KB

MD5
9cd231f2d71913801dcb64b02959253b

SHA1
3abb4c9006fc556689b74e1cf67a5200fd9caa9b

SHA256
04dd59e97f8f7e140f31f32b876fc9e5d0d1e754621e6160f2d32504cd43c15d

SHA512
9a13ac662a4959dc30b1c9fbba5caf4f576a68e88c7f09412233398255c52bf0a54615e21c04114adf889dd176b24c8f86b9b7ff43ff4f39d3f4ec13554e758b

Download Submit
memory/2632-38-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2632-35-0x0000000003A10000-0x0000000003B52000-memory.dmp

Filesize
1.3MB

Download
memory/2632-0-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2848-47-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2848-39-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2948-53-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2948-57-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2948-45-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2948-49-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2948-51-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2948-50-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2948-52-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2948-43-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2948-54-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2948-56-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2948-55-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2948-48-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2948-58-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2948-59-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2948-60-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2948-61-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2948-62-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2948-63-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2948-64-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2948-65-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2948-66-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2948-67-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2948-68-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2948-69-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads