darkcomet | 2450d1e8bea7cb4606191aa62c208974ab98f7ac3dcefa6a3b09286818a1168d

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/09/2024, 03:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ecbe2788da186fb254c618b21d446303_JaffaCakes118.exe
Size

594KB
MD5

ecbe2788da186fb254c618b21d446303
SHA1

0e261dd24f00ad297e93086d9cf1326933137997
SHA256

2450d1e8bea7cb4606191aa62c208974ab98f7ac3dcefa6a3b09286818a1168d
SHA512

93041cb0cf554684a197af525caba96da02f0b45b2d3aa23e140e6ca9c15bb9c4b7f3001fd0f3410a9d2ffacecb47027f742fb10982f87b180462c60cb723bf9
SSDEEP

12288:jK2mhAMJ/cPl+RhW13QPKP21+UDgni/O6AcEeC1d5MytGkNErbYy43AS+HGW+w5l:G2O/Gl+zSQPKP21dD+R6AcEeC1dxzNED

Score

10^/10

darkcomet latentbot trillian discovery persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Trillian

essstzttztz.zapto.org:1612

Mutex

DC_MUTEX-1KBKQVH

Attributes

gencode
nrKvEnTT3cgT
install
false
offline_keylogger
true
persistence
false

Extracted

Family

latentbot

essstzttztz.zapto.org

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Executes dropped EXE 2 IoCs

pid	Process
2008	uus.exe
1872	tinychat.exe

Loads dropped DLL 9 IoCs

pid	Process
1576	ecbe2788da186fb254c618b21d446303_JaffaCakes118.exe
1576	ecbe2788da186fb254c618b21d446303_JaffaCakes118.exe
1576	ecbe2788da186fb254c618b21d446303_JaffaCakes118.exe
1576	ecbe2788da186fb254c618b21d446303_JaffaCakes118.exe
1576	ecbe2788da186fb254c618b21d446303_JaffaCakes118.exe
1576	ecbe2788da186fb254c618b21d446303_JaffaCakes118.exe
1576	ecbe2788da186fb254c618b21d446303_JaffaCakes118.exe
1576	ecbe2788da186fb254c618b21d446303_JaffaCakes118.exe
1576	ecbe2788da186fb254c618b21d446303_JaffaCakes118.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000e000000015ceb-21.dat	upx
behavioral1/memory/1576-33-0x0000000001FF0000-0x0000000002016000-memory.dmp	upx
behavioral1/memory/1872-39-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/2644-76-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2644-72-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2644-67-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2644-77-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2644-78-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2644-79-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2644-80-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2644-81-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1872-86-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/2008-105-0x0000000000090000-0x0000000000190000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskmgbj.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\taskmgbj.exe A"	reg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2008 set thread context of 2644	2008	uus.exe	36
PID 2008 set thread context of 2960	2008	uus.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tinychat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmdl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmdl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecbe2788da186fb254c618b21d446303_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uus.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2644	cmdl32.exe
Token: SeSecurityPrivilege	2644	cmdl32.exe
Token: SeTakeOwnershipPrivilege	2644	cmdl32.exe
Token: SeLoadDriverPrivilege	2644	cmdl32.exe
Token: SeSystemProfilePrivilege	2644	cmdl32.exe
Token: SeSystemtimePrivilege	2644	cmdl32.exe
Token: SeProfSingleProcessPrivilege	2644	cmdl32.exe
Token: SeIncBasePriorityPrivilege	2644	cmdl32.exe
Token: SeCreatePagefilePrivilege	2644	cmdl32.exe
Token: SeBackupPrivilege	2644	cmdl32.exe
Token: SeRestorePrivilege	2644	cmdl32.exe
Token: SeShutdownPrivilege	2644	cmdl32.exe
Token: SeDebugPrivilege	2644	cmdl32.exe
Token: SeSystemEnvironmentPrivilege	2644	cmdl32.exe
Token: SeChangeNotifyPrivilege	2644	cmdl32.exe
Token: SeRemoteShutdownPrivilege	2644	cmdl32.exe
Token: SeUndockPrivilege	2644	cmdl32.exe
Token: SeManageVolumePrivilege	2644	cmdl32.exe
Token: SeImpersonatePrivilege	2644	cmdl32.exe
Token: SeCreateGlobalPrivilege	2644	cmdl32.exe
Token: 33	2644	cmdl32.exe
Token: 34	2644	cmdl32.exe
Token: 35	2644	cmdl32.exe
Token: SeIncreaseQuotaPrivilege	2960	cmdl32.exe
Token: SeSecurityPrivilege	2960	cmdl32.exe
Token: SeTakeOwnershipPrivilege	2960	cmdl32.exe
Token: SeLoadDriverPrivilege	2960	cmdl32.exe
Token: SeSystemProfilePrivilege	2960	cmdl32.exe
Token: SeSystemtimePrivilege	2960	cmdl32.exe
Token: SeProfSingleProcessPrivilege	2960	cmdl32.exe
Token: SeIncBasePriorityPrivilege	2960	cmdl32.exe
Token: SeCreatePagefilePrivilege	2960	cmdl32.exe
Token: SeBackupPrivilege	2960	cmdl32.exe
Token: SeRestorePrivilege	2960	cmdl32.exe
Token: SeShutdownPrivilege	2960	cmdl32.exe
Token: SeDebugPrivilege	2960	cmdl32.exe
Token: SeSystemEnvironmentPrivilege	2960	cmdl32.exe
Token: SeChangeNotifyPrivilege	2960	cmdl32.exe
Token: SeRemoteShutdownPrivilege	2960	cmdl32.exe
Token: SeUndockPrivilege	2960	cmdl32.exe
Token: SeManageVolumePrivilege	2960	cmdl32.exe
Token: SeImpersonatePrivilege	2960	cmdl32.exe
Token: SeCreateGlobalPrivilege	2960	cmdl32.exe
Token: 33	2960	cmdl32.exe
Token: 34	2960	cmdl32.exe
Token: 35	2960	cmdl32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2008	uus.exe
1872	tinychat.exe
1872	tinychat.exe
2644	cmdl32.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 2008	1576	ecbe2788da186fb254c618b21d446303_JaffaCakes118.exe	31
PID 1576 wrote to memory of 2008	1576	ecbe2788da186fb254c618b21d446303_JaffaCakes118.exe	31
PID 1576 wrote to memory of 2008	1576	ecbe2788da186fb254c618b21d446303_JaffaCakes118.exe	31
PID 1576 wrote to memory of 2008	1576	ecbe2788da186fb254c618b21d446303_JaffaCakes118.exe	31
PID 1576 wrote to memory of 2008	1576	ecbe2788da186fb254c618b21d446303_JaffaCakes118.exe	31
PID 1576 wrote to memory of 2008	1576	ecbe2788da186fb254c618b21d446303_JaffaCakes118.exe	31
PID 1576 wrote to memory of 2008	1576	ecbe2788da186fb254c618b21d446303_JaffaCakes118.exe	31
PID 1576 wrote to memory of 1872	1576	ecbe2788da186fb254c618b21d446303_JaffaCakes118.exe	32
PID 1576 wrote to memory of 1872	1576	ecbe2788da186fb254c618b21d446303_JaffaCakes118.exe	32
PID 1576 wrote to memory of 1872	1576	ecbe2788da186fb254c618b21d446303_JaffaCakes118.exe	32
PID 1576 wrote to memory of 1872	1576	ecbe2788da186fb254c618b21d446303_JaffaCakes118.exe	32
PID 1576 wrote to memory of 1872	1576	ecbe2788da186fb254c618b21d446303_JaffaCakes118.exe	32
PID 1576 wrote to memory of 1872	1576	ecbe2788da186fb254c618b21d446303_JaffaCakes118.exe	32
PID 1576 wrote to memory of 1872	1576	ecbe2788da186fb254c618b21d446303_JaffaCakes118.exe	32
PID 2008 wrote to memory of 2756	2008	uus.exe	33
PID 2008 wrote to memory of 2756	2008	uus.exe	33
PID 2008 wrote to memory of 2756	2008	uus.exe	33
PID 2008 wrote to memory of 2756	2008	uus.exe	33
PID 2008 wrote to memory of 2756	2008	uus.exe	33
PID 2008 wrote to memory of 2756	2008	uus.exe	33
PID 2008 wrote to memory of 2756	2008	uus.exe	33
PID 2756 wrote to memory of 2912	2756	cmd.exe	35
PID 2756 wrote to memory of 2912	2756	cmd.exe	35
PID 2756 wrote to memory of 2912	2756	cmd.exe	35
PID 2756 wrote to memory of 2912	2756	cmd.exe	35
PID 2756 wrote to memory of 2912	2756	cmd.exe	35
PID 2756 wrote to memory of 2912	2756	cmd.exe	35
PID 2756 wrote to memory of 2912	2756	cmd.exe	35
PID 2008 wrote to memory of 2644	2008	uus.exe	36
PID 2008 wrote to memory of 2644	2008	uus.exe	36
PID 2008 wrote to memory of 2644	2008	uus.exe	36
PID 2008 wrote to memory of 2644	2008	uus.exe	36
PID 2008 wrote to memory of 2644	2008	uus.exe	36
PID 2008 wrote to memory of 2644	2008	uus.exe	36
PID 2008 wrote to memory of 2644	2008	uus.exe	36
PID 2008 wrote to memory of 2644	2008	uus.exe	36
PID 2008 wrote to memory of 2644	2008	uus.exe	36
PID 2008 wrote to memory of 2644	2008	uus.exe	36
PID 2008 wrote to memory of 2644	2008	uus.exe	36
PID 2008 wrote to memory of 2960	2008	uus.exe	37
PID 2008 wrote to memory of 2960	2008	uus.exe	37
PID 2008 wrote to memory of 2960	2008	uus.exe	37
PID 2008 wrote to memory of 2960	2008	uus.exe	37
PID 2008 wrote to memory of 2960	2008	uus.exe	37
PID 2008 wrote to memory of 2960	2008	uus.exe	37
PID 2008 wrote to memory of 2960	2008	uus.exe	37
PID 2008 wrote to memory of 2960	2008	uus.exe	37
PID 2008 wrote to memory of 2960	2008	uus.exe	37
PID 2008 wrote to memory of 2960	2008	uus.exe	37
PID 2008 wrote to memory of 2960	2008	uus.exe	37

C:\Users\Admin\AppData\Local\Temp\ecbe2788da186fb254c618b21d446303_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ecbe2788da186fb254c618b21d446303_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Users\Admin\AppData\Local\Temp\uus.exe
  "C:\Users\Admin\AppData\Local\Temp\uus.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\maqui.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Run" /v taskmgbj.exe /d "C:\Users\Admin\AppData\Local\Temp\taskmgbj.exe A" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2912
- - C:\Windows\SysWOW64\cmdl32.exe
    "C:\Windows\system32\cmdl32.exe "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2644
- - C:\Windows\SysWOW64\cmdl32.exe
    "C:\Windows\system32\cmdl32.exe "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2960
- C:\Users\Admin\AppData\Local\Temp\tinychat.exe
  "C:\Users\Admin\AppData\Local\Temp\tinychat.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\maqui.bat

Filesize
150B

MD5
91f95ff4f3b92893ee4ea67a533da526

SHA1
2b17c54f07df8f803446032dbdf70f8384158f78

SHA256
167ea6d50160180eafeb164fe6d8fdadc90e22dafa655c99e561acd486fec11a

SHA512
73fbf0ddda81fdc8f699e75d0d2e7c9f3584d555273f5cf0625d95af55aaf94f3ff62f611cd16b0bbcccd89c31c11126345f7dc01b65edd51756e88dcbd0de99

Download Submit
C:\Users\Admin\AppData\Local\Temp\uus.exe

Filesize
312KB

MD5
75e8479191225e9543a43f6366cd73fd

SHA1
c591454985172f83b221e4e1ec0fdc60c4fc93c2

SHA256
4b0fca92cd6e7828dc80494062b7965bfb8dad5e77ee4ae84a8ffec1b4d9eed1

SHA512
6654ff9393f73bfbe2a7b4feb8eeb2b7dd801c580c1682f46f200bb19a91df75276d776c7475d603f782f6e5078317ff87542518c4d7dd62a63596a80b71b0bd

Download Submit
\Users\Admin\AppData\Local\Temp\tinychat.EXE

Filesize
52KB

MD5
32254a9009a89147f5cfbd03ba2cee84

SHA1
578439fa4e02a795e44945bb2cb1edd1cb9245ab

SHA256
07ff1f83289f3ad2d7a19d734cb9137517ee7e2cd52160a0f7d599e2ca590e88

SHA512
182c62bd60ac437c4bf8781f74eb49e29312382f066d6acda72db90c91a0c996716c018522db5d3c516463286e8e3dee1f8c8c2d6b621ecf6f55152dd8ee0904

Download Submit
memory/1576-23-0x0000000001FF0000-0x0000000002016000-memory.dmp

Filesize
152KB

Download
memory/1576-35-0x0000000001FF0000-0x0000000002016000-memory.dmp

Filesize
152KB

Download
memory/1576-33-0x0000000001FF0000-0x0000000002016000-memory.dmp

Filesize
152KB

Download
memory/1872-86-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1872-39-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2008-95-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download
memory/2008-105-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download
memory/2008-110-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download
memory/2008-96-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download
memory/2644-72-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2644-78-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2644-79-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2644-80-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2644-81-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2644-77-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2644-67-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2644-74-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2644-76-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2644-58-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads