darkcomet | fe3e8583a30fc407ec72a0e4a180db0f8815c260b70f3df3c1ea3cb9a5d55684

General

Target

fd23df75aaecb8464e12d29a6a7c2163_JaffaCakes118.exe
Size

777KB
MD5

fd23df75aaecb8464e12d29a6a7c2163
SHA1

2fb6b1585193996e143b3f5f2d0d138052c00fa4
SHA256

fe3e8583a30fc407ec72a0e4a180db0f8815c260b70f3df3c1ea3cb9a5d55684
SHA512

f69a08375b1179b60e5770d8da0d430412fa72cd36f6d1056e13b06f569979fb640741283163d366d6bb3912428f9f861a41e3f3e6f8f573e891e47c17741e4f
SSDEEP

24576:aoQk4lKhQuWRCO7/nNUMWkrb4lc6nebuSV5:aPBlhdCO7vNy6OkuW

Score

10^/10

darkcomet latentbot discovery persistence rat trojan

Malware Config

Extracted

Family

latentbot

C2

duckling232.zapto.org

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Executes dropped EXE 2 IoCs

pid	Process
2144	svchost.exe
580	EpicBot.exe

Loads dropped DLL 2 IoCs

pid	Process
2136	fd23df75aaecb8464e12d29a6a7c2163_JaffaCakes118.exe
2136	fd23df75aaecb8464e12d29a6a7c2163_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Essentials = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MsMpEng.exe"	fd23df75aaecb8464e12d29a6a7c2163_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2136 set thread context of 2144	2136	fd23df75aaecb8464e12d29a6a7c2163_JaffaCakes118.exe	30

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd23df75aaecb8464e12d29a6a7c2163_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EpicBot.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2136	fd23df75aaecb8464e12d29a6a7c2163_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2144	svchost.exe
Token: SeSecurityPrivilege	2144	svchost.exe
Token: SeTakeOwnershipPrivilege	2144	svchost.exe
Token: SeLoadDriverPrivilege	2144	svchost.exe
Token: SeSystemProfilePrivilege	2144	svchost.exe
Token: SeSystemtimePrivilege	2144	svchost.exe
Token: SeProfSingleProcessPrivilege	2144	svchost.exe
Token: SeIncBasePriorityPrivilege	2144	svchost.exe
Token: SeCreatePagefilePrivilege	2144	svchost.exe
Token: SeBackupPrivilege	2144	svchost.exe
Token: SeRestorePrivilege	2144	svchost.exe
Token: SeShutdownPrivilege	2144	svchost.exe
Token: SeDebugPrivilege	2144	svchost.exe
Token: SeSystemEnvironmentPrivilege	2144	svchost.exe
Token: SeChangeNotifyPrivilege	2144	svchost.exe
Token: SeRemoteShutdownPrivilege	2144	svchost.exe
Token: SeUndockPrivilege	2144	svchost.exe
Token: SeManageVolumePrivilege	2144	svchost.exe
Token: SeImpersonatePrivilege	2144	svchost.exe
Token: SeCreateGlobalPrivilege	2144	svchost.exe
Token: 33	2144	svchost.exe
Token: 34	2144	svchost.exe
Token: 35	2144	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2144	svchost.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2144	2136	fd23df75aaecb8464e12d29a6a7c2163_JaffaCakes118.exe	30
PID 2136 wrote to memory of 2144	2136	fd23df75aaecb8464e12d29a6a7c2163_JaffaCakes118.exe	30
PID 2136 wrote to memory of 2144	2136	fd23df75aaecb8464e12d29a6a7c2163_JaffaCakes118.exe	30
PID 2136 wrote to memory of 2144	2136	fd23df75aaecb8464e12d29a6a7c2163_JaffaCakes118.exe	30
PID 2136 wrote to memory of 2144	2136	fd23df75aaecb8464e12d29a6a7c2163_JaffaCakes118.exe	30
PID 2136 wrote to memory of 2144	2136	fd23df75aaecb8464e12d29a6a7c2163_JaffaCakes118.exe	30
PID 2136 wrote to memory of 2144	2136	fd23df75aaecb8464e12d29a6a7c2163_JaffaCakes118.exe	30
PID 2136 wrote to memory of 2144	2136	fd23df75aaecb8464e12d29a6a7c2163_JaffaCakes118.exe	30
PID 2136 wrote to memory of 2144	2136	fd23df75aaecb8464e12d29a6a7c2163_JaffaCakes118.exe	30
PID 2136 wrote to memory of 2144	2136	fd23df75aaecb8464e12d29a6a7c2163_JaffaCakes118.exe	30
PID 2136 wrote to memory of 2144	2136	fd23df75aaecb8464e12d29a6a7c2163_JaffaCakes118.exe	30
PID 2136 wrote to memory of 2144	2136	fd23df75aaecb8464e12d29a6a7c2163_JaffaCakes118.exe	30
PID 2136 wrote to memory of 2144	2136	fd23df75aaecb8464e12d29a6a7c2163_JaffaCakes118.exe	30
PID 2136 wrote to memory of 580	2136	fd23df75aaecb8464e12d29a6a7c2163_JaffaCakes118.exe	31
PID 2136 wrote to memory of 580	2136	fd23df75aaecb8464e12d29a6a7c2163_JaffaCakes118.exe	31
PID 2136 wrote to memory of 580	2136	fd23df75aaecb8464e12d29a6a7c2163_JaffaCakes118.exe	31
PID 2136 wrote to memory of 580	2136	fd23df75aaecb8464e12d29a6a7c2163_JaffaCakes118.exe	31
PID 580 wrote to memory of 2996	580	EpicBot.exe	32
PID 580 wrote to memory of 2996	580	EpicBot.exe	32
PID 580 wrote to memory of 2996	580	EpicBot.exe	32
PID 580 wrote to memory of 2996	580	EpicBot.exe	32

C:\Users\Admin\AppData\Local\Temp\fd23df75aaecb8464e12d29a6a7c2163_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd23df75aaecb8464e12d29a6a7c2163_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\svchost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2144
- C:\Users\Admin\AppData\Local\Temp\EpicBot.exe
  "C:\Users\Admin\AppData\Local\Temp\EpicBot.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:580
- - C:\Program Files\Java\jre7\bin\javaw.exe
    "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\EpicBot.jar"
    3⤵
    PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EpicBot.exe

Filesize
43KB

MD5
eb8a2dcc1474b87f78fa342c95771c33

SHA1
26082d5c99d23a5af76d19751c1b21e13b2f4970

SHA256
90a95868f25a28202a04b04aea80594ff1db275f1d5247cda7d86c7dd41e1ab0

SHA512
b6d622549fd50440673d6cedafb3a571291e8f5b90c7ecd0e7db55b9d926a84850e665c27207bea7d4da17f2ccb05299f851f8759a7b53b856fea6babd77676b

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
memory/580-38-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2136-0-0x0000000074211000-0x0000000074212000-memory.dmp

Filesize
4KB

Download
memory/2136-1-0x0000000074210000-0x00000000747BB000-memory.dmp

Filesize
5.7MB

Download
memory/2136-2-0x0000000074210000-0x00000000747BB000-memory.dmp

Filesize
5.7MB

Download
memory/2136-39-0x0000000074210000-0x00000000747BB000-memory.dmp

Filesize
5.7MB

Download
memory/2144-9-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2144-32-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2144-18-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2144-27-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2144-22-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2144-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2144-19-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2144-16-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2144-14-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2144-12-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2144-10-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2144-29-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2144-8-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2144-30-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2144-31-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2144-24-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2144-40-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2144-41-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2144-42-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2144-43-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2144-44-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2144-45-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2144-46-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2144-47-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2144-48-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2144-49-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2144-50-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2144-51-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2144-52-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2144-53-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2144-54-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads