darkcomet | 2450d1e8bea7cb4606191aa62c208974ab98f7ac3dcefa6a3b09286818a1168d

General

Target

ecbe2788da186fb254c618b21d446303_JaffaCakes118.exe
Size

594KB
MD5

ecbe2788da186fb254c618b21d446303
SHA1

0e261dd24f00ad297e93086d9cf1326933137997
SHA256

2450d1e8bea7cb4606191aa62c208974ab98f7ac3dcefa6a3b09286818a1168d
SHA512

93041cb0cf554684a197af525caba96da02f0b45b2d3aa23e140e6ca9c15bb9c4b7f3001fd0f3410a9d2ffacecb47027f742fb10982f87b180462c60cb723bf9
SSDEEP

12288:jK2mhAMJ/cPl+RhW13QPKP21+UDgni/O6AcEeC1d5MytGkNErbYy43AS+HGW+w5l:G2O/Gl+zSQPKP21dD+R6AcEeC1dxzNED

Score

10^/10

darkcomet latentbot trillian discovery persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Trillian

C2

essstzttztz.zapto.org:1612

Mutex

DC_MUTEX-1KBKQVH

Attributes

gencode
nrKvEnTT3cgT
install
false
offline_keylogger
true
persistence
false

Extracted

Family

latentbot

C2

essstzttztz.zapto.org

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	ecbe2788da186fb254c618b21d446303_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
3904	uus.exe
1952	tinychat.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00090000000234ac-16.dat	upx
behavioral2/memory/1952-20-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/1952-35-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/1604-36-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1604-37-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1604-38-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1604-39-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1604-40-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskmgbj.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\taskmgbj.exe A"	reg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3904 set thread context of 4152	3904	uus.exe	94
PID 3904 set thread context of 1604	3904	uus.exe	99

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4424	4152	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecbe2788da186fb254c618b21d446303_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tinychat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmdl32.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1604	cmdl32.exe
Token: SeSecurityPrivilege	1604	cmdl32.exe
Token: SeTakeOwnershipPrivilege	1604	cmdl32.exe
Token: SeLoadDriverPrivilege	1604	cmdl32.exe
Token: SeSystemProfilePrivilege	1604	cmdl32.exe
Token: SeSystemtimePrivilege	1604	cmdl32.exe
Token: SeProfSingleProcessPrivilege	1604	cmdl32.exe
Token: SeIncBasePriorityPrivilege	1604	cmdl32.exe
Token: SeCreatePagefilePrivilege	1604	cmdl32.exe
Token: SeBackupPrivilege	1604	cmdl32.exe
Token: SeRestorePrivilege	1604	cmdl32.exe
Token: SeShutdownPrivilege	1604	cmdl32.exe
Token: SeDebugPrivilege	1604	cmdl32.exe
Token: SeSystemEnvironmentPrivilege	1604	cmdl32.exe
Token: SeChangeNotifyPrivilege	1604	cmdl32.exe
Token: SeRemoteShutdownPrivilege	1604	cmdl32.exe
Token: SeUndockPrivilege	1604	cmdl32.exe
Token: SeManageVolumePrivilege	1604	cmdl32.exe
Token: SeImpersonatePrivilege	1604	cmdl32.exe
Token: SeCreateGlobalPrivilege	1604	cmdl32.exe
Token: 33	1604	cmdl32.exe
Token: 34	1604	cmdl32.exe
Token: 35	1604	cmdl32.exe
Token: 36	1604	cmdl32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3904	uus.exe
1952	tinychat.exe
1952	tinychat.exe
1604	cmdl32.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 3904	2672	ecbe2788da186fb254c618b21d446303_JaffaCakes118.exe	84
PID 2672 wrote to memory of 3904	2672	ecbe2788da186fb254c618b21d446303_JaffaCakes118.exe	84
PID 2672 wrote to memory of 3904	2672	ecbe2788da186fb254c618b21d446303_JaffaCakes118.exe	84
PID 2672 wrote to memory of 1952	2672	ecbe2788da186fb254c618b21d446303_JaffaCakes118.exe	86
PID 2672 wrote to memory of 1952	2672	ecbe2788da186fb254c618b21d446303_JaffaCakes118.exe	86
PID 2672 wrote to memory of 1952	2672	ecbe2788da186fb254c618b21d446303_JaffaCakes118.exe	86
PID 3904 wrote to memory of 3756	3904	uus.exe	87
PID 3904 wrote to memory of 3756	3904	uus.exe	87
PID 3904 wrote to memory of 3756	3904	uus.exe	87
PID 3756 wrote to memory of 624	3756	cmd.exe	89
PID 3756 wrote to memory of 624	3756	cmd.exe	89
PID 3756 wrote to memory of 624	3756	cmd.exe	89
PID 3904 wrote to memory of 4152	3904	uus.exe	94
PID 3904 wrote to memory of 4152	3904	uus.exe	94
PID 3904 wrote to memory of 4152	3904	uus.exe	94
PID 3904 wrote to memory of 4152	3904	uus.exe	94
PID 3904 wrote to memory of 1604	3904	uus.exe	99
PID 3904 wrote to memory of 1604	3904	uus.exe	99
PID 3904 wrote to memory of 1604	3904	uus.exe	99
PID 3904 wrote to memory of 1604	3904	uus.exe	99
PID 3904 wrote to memory of 1604	3904	uus.exe	99
PID 3904 wrote to memory of 1604	3904	uus.exe	99
PID 3904 wrote to memory of 1604	3904	uus.exe	99
PID 3904 wrote to memory of 1604	3904	uus.exe	99

C:\Users\Admin\AppData\Local\Temp\ecbe2788da186fb254c618b21d446303_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ecbe2788da186fb254c618b21d446303_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Users\Admin\AppData\Local\Temp\uus.exe
  "C:\Users\Admin\AppData\Local\Temp\uus.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maqui.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3756
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Run" /v taskmgbj.exe /d "C:\Users\Admin\AppData\Local\Temp\taskmgbj.exe A" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:624
- - C:\Windows\SysWOW64\cmdl32.exe
    "C:\Windows\system32\cmdl32.exe "
    3⤵
    PID:4152
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 80
      4⤵
      Program crash
      PID:4424
- - C:\Windows\SysWOW64\cmdl32.exe
    "C:\Windows\system32\cmdl32.exe "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1604
- C:\Users\Admin\AppData\Local\Temp\tinychat.exe
  "C:\Users\Admin\AppData\Local\Temp\tinychat.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4152 -ip 4152
1⤵
PID:440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\maqui.bat

Filesize
150B

MD5
91f95ff4f3b92893ee4ea67a533da526

SHA1
2b17c54f07df8f803446032dbdf70f8384158f78

SHA256
167ea6d50160180eafeb164fe6d8fdadc90e22dafa655c99e561acd486fec11a

SHA512
73fbf0ddda81fdc8f699e75d0d2e7c9f3584d555273f5cf0625d95af55aaf94f3ff62f611cd16b0bbcccd89c31c11126345f7dc01b65edd51756e88dcbd0de99

Download Submit
C:\Users\Admin\AppData\Local\Temp\tinychat.EXE

Filesize
52KB

MD5
32254a9009a89147f5cfbd03ba2cee84

SHA1
578439fa4e02a795e44945bb2cb1edd1cb9245ab

SHA256
07ff1f83289f3ad2d7a19d734cb9137517ee7e2cd52160a0f7d599e2ca590e88

SHA512
182c62bd60ac437c4bf8781f74eb49e29312382f066d6acda72db90c91a0c996716c018522db5d3c516463286e8e3dee1f8c8c2d6b621ecf6f55152dd8ee0904

Download Submit
C:\Users\Admin\AppData\Local\Temp\uus.exe

Filesize
312KB

MD5
75e8479191225e9543a43f6366cd73fd

SHA1
c591454985172f83b221e4e1ec0fdc60c4fc93c2

SHA256
4b0fca92cd6e7828dc80494062b7965bfb8dad5e77ee4ae84a8ffec1b4d9eed1

SHA512
6654ff9393f73bfbe2a7b4feb8eeb2b7dd801c580c1682f46f200bb19a91df75276d776c7475d603f782f6e5078317ff87542518c4d7dd62a63596a80b71b0bd

Download Submit
memory/1604-36-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1604-37-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1604-38-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1604-39-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1604-40-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1952-20-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1952-35-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads