darkcomet | 25b9faa0e98219baa584af25043ae37184dc2ab41e30da04f54e0afde2d55c59

General

Target

e912f3304ad024cd5f372e9841dca40e_JaffaCakes118.exe
Size

302KB
MD5

e912f3304ad024cd5f372e9841dca40e
SHA1

6143abd6ae53f88316c3c8b6b8e0a276b350caba
SHA256

25b9faa0e98219baa584af25043ae37184dc2ab41e30da04f54e0afde2d55c59
SHA512

b02724ff3663ca5aa3c7dba9745b04da6123dd7b21e6992a7739f0d8d552e85b116afc54b5fc3d757a821111d63886750f2c32087f657251a4cf54110cd93888
SSDEEP

6144:Aa5jVb60xGvzi4h9XyVyeyD4OQPC4i6mjdee7gkXwztrgUffoS9j:A4jVb60V4CyyPYjdP7gkgzpgUXoS

Score

10^/10

darkcomet latentbot discovery persistence rat trojan upx

Malware Config

Extracted

Family

latentbot

C2

pertenemene.zapto.org

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	e912f3304ad024cd5f372e9841dca40e_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
3868	FSJoiner.exe
4684	FSJoiner.exe

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3652-0-0x0000000000400000-0x0000000000542000-memory.dmp	upx
behavioral2/files/0x00070000000234c3-11.dat	upx
behavioral2/memory/3868-18-0x0000000000400000-0x0000000000542000-memory.dmp	upx
behavioral2/memory/3652-21-0x0000000000400000-0x0000000000542000-memory.dmp	upx
behavioral2/memory/4684-24-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/4684-27-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/4684-30-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/3868-32-0x0000000000400000-0x0000000000542000-memory.dmp	upx
behavioral2/memory/4684-29-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/4684-34-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/4684-37-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/4684-36-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/4684-33-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/4684-38-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/4684-39-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/4684-41-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/4684-42-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/4684-43-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/4684-44-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/4684-45-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/4684-46-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/4684-47-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/4684-48-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/4684-49-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/4684-50-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/4684-51-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/4684-52-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/4684-53-0x0000000000400000-0x00000000004B8000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fsj = "C:\\Users\\Admin\\AppData\\Roaming\\fs\\FSJoiner.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3868 set thread context of 4684	3868	FSJoiner.exe	87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FSJoiner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FSJoiner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e912f3304ad024cd5f372e9841dca40e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4684	FSJoiner.exe
Token: SeSecurityPrivilege	4684	FSJoiner.exe
Token: SeTakeOwnershipPrivilege	4684	FSJoiner.exe
Token: SeLoadDriverPrivilege	4684	FSJoiner.exe
Token: SeSystemProfilePrivilege	4684	FSJoiner.exe
Token: SeSystemtimePrivilege	4684	FSJoiner.exe
Token: SeProfSingleProcessPrivilege	4684	FSJoiner.exe
Token: SeIncBasePriorityPrivilege	4684	FSJoiner.exe
Token: SeCreatePagefilePrivilege	4684	FSJoiner.exe
Token: SeBackupPrivilege	4684	FSJoiner.exe
Token: SeRestorePrivilege	4684	FSJoiner.exe
Token: SeShutdownPrivilege	4684	FSJoiner.exe
Token: SeDebugPrivilege	4684	FSJoiner.exe
Token: SeSystemEnvironmentPrivilege	4684	FSJoiner.exe
Token: SeChangeNotifyPrivilege	4684	FSJoiner.exe
Token: SeRemoteShutdownPrivilege	4684	FSJoiner.exe
Token: SeUndockPrivilege	4684	FSJoiner.exe
Token: SeManageVolumePrivilege	4684	FSJoiner.exe
Token: SeImpersonatePrivilege	4684	FSJoiner.exe
Token: SeCreateGlobalPrivilege	4684	FSJoiner.exe
Token: 33	4684	FSJoiner.exe
Token: 34	4684	FSJoiner.exe
Token: 35	4684	FSJoiner.exe
Token: 36	4684	FSJoiner.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3652	e912f3304ad024cd5f372e9841dca40e_JaffaCakes118.exe
3868	FSJoiner.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3652 wrote to memory of 624	3652	e912f3304ad024cd5f372e9841dca40e_JaffaCakes118.exe	82
PID 3652 wrote to memory of 624	3652	e912f3304ad024cd5f372e9841dca40e_JaffaCakes118.exe	82
PID 3652 wrote to memory of 624	3652	e912f3304ad024cd5f372e9841dca40e_JaffaCakes118.exe	82
PID 624 wrote to memory of 3120	624	cmd.exe	85
PID 624 wrote to memory of 3120	624	cmd.exe	85
PID 624 wrote to memory of 3120	624	cmd.exe	85
PID 3652 wrote to memory of 3868	3652	e912f3304ad024cd5f372e9841dca40e_JaffaCakes118.exe	86
PID 3652 wrote to memory of 3868	3652	e912f3304ad024cd5f372e9841dca40e_JaffaCakes118.exe	86
PID 3652 wrote to memory of 3868	3652	e912f3304ad024cd5f372e9841dca40e_JaffaCakes118.exe	86
PID 3868 wrote to memory of 4684	3868	FSJoiner.exe	87
PID 3868 wrote to memory of 4684	3868	FSJoiner.exe	87
PID 3868 wrote to memory of 4684	3868	FSJoiner.exe	87
PID 3868 wrote to memory of 4684	3868	FSJoiner.exe	87
PID 3868 wrote to memory of 4684	3868	FSJoiner.exe	87
PID 3868 wrote to memory of 4684	3868	FSJoiner.exe	87
PID 3868 wrote to memory of 4684	3868	FSJoiner.exe	87
PID 3868 wrote to memory of 4684	3868	FSJoiner.exe	87

C:\Users\Admin\AppData\Local\Temp\e912f3304ad024cd5f372e9841dca40e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e912f3304ad024cd5f372e9841dca40e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240629484.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:624
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "fsj" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\fs\FSJoiner.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:3120
- C:\Users\Admin\AppData\Roaming\fs\FSJoiner.exe
  "C:\Users\Admin\AppData\Roaming\fs\FSJoiner.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3868
- - C:\Users\Admin\AppData\Roaming\fs\FSJoiner.exe
    C:\Users\Admin\AppData\Roaming\fs\FSJoiner.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240629484.bat

Filesize
134B

MD5
79686e11e1add47ebf72114c3ad5735b

SHA1
9108768456cca6edd324dcb4dca83a7b0d540e14

SHA256
f5f02c8fd1a51460b0ffb3a4d0c951c5b5b446dcf189f70d710f285afd4d49c3

SHA512
31bac9f62297a84df7acec2b4fec62f55ddf2de809d33f745898223f8f4c1f6a10738d5524f48b06fc1c9256e778dae353fc4e830f98c7846d545de9cbf12a6b

Download Submit
C:\Users\Admin\AppData\Roaming\fs\FSJoiner.exe

Filesize
302KB

MD5
9cd231f2d71913801dcb64b02959253b

SHA1
3abb4c9006fc556689b74e1cf67a5200fd9caa9b

SHA256
04dd59e97f8f7e140f31f32b876fc9e5d0d1e754621e6160f2d32504cd43c15d

SHA512
9a13ac662a4959dc30b1c9fbba5caf4f576a68e88c7f09412233398255c52bf0a54615e21c04114adf889dd176b24c8f86b9b7ff43ff4f39d3f4ec13554e758b

Download Submit
memory/3652-21-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/3652-0-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/3868-32-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/3868-18-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/4684-33-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4684-42-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4684-27-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4684-29-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4684-34-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4684-35-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/4684-37-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4684-36-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4684-24-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4684-38-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4684-40-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/4684-39-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4684-41-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4684-30-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4684-43-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4684-44-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4684-45-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4684-46-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4684-47-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4684-48-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4684-49-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4684-50-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4684-51-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4684-52-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4684-53-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads