darkcomet | 10a46ae388ed8008994e9f7ed9ee1c11206ef4572b4c29ed7a03733be48797e6

General

Target

203a1e6dfba46d8fa0ee9c61bff1552d_JaffaCakes118.exe
Size

1.2MB
MD5

203a1e6dfba46d8fa0ee9c61bff1552d
SHA1

8a6378edd890d2a4447ad29b50012940496bd2cf
SHA256

10a46ae388ed8008994e9f7ed9ee1c11206ef4572b4c29ed7a03733be48797e6
SHA512

b89c637af3c19a48ec7fe327ac6191854e4d2f8f4be6df724e7a38a95ba4874f90be05040f5a8b108d4cf8378de10001f6341bc92de3288c61554735c302ec12
SSDEEP

24576:mBLdexGREcLFvIrp+P87FFUhkJrwoWylXnUc:mBLd1RfvIrzF6KrwoWylkc

Score

10^/10

darkcomet latentbot discovery persistence rat trojan

Malware Config

Extracted

Family

latentbot

C2

chaetlolilol.zapto.org

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Executes dropped EXE 1 IoCs

pid	Process
532	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe Flash.exe"	203a1e6dfba46d8fa0ee9c61bff1552d_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3396 set thread context of 532	3396	203a1e6dfba46d8fa0ee9c61bff1552d_JaffaCakes118.exe	84

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	203a1e6dfba46d8fa0ee9c61bff1552d_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	532	svchost.exe
Token: SeSecurityPrivilege	532	svchost.exe
Token: SeTakeOwnershipPrivilege	532	svchost.exe
Token: SeLoadDriverPrivilege	532	svchost.exe
Token: SeSystemProfilePrivilege	532	svchost.exe
Token: SeSystemtimePrivilege	532	svchost.exe
Token: SeProfSingleProcessPrivilege	532	svchost.exe
Token: SeIncBasePriorityPrivilege	532	svchost.exe
Token: SeCreatePagefilePrivilege	532	svchost.exe
Token: SeBackupPrivilege	532	svchost.exe
Token: SeRestorePrivilege	532	svchost.exe
Token: SeShutdownPrivilege	532	svchost.exe
Token: SeDebugPrivilege	532	svchost.exe
Token: SeSystemEnvironmentPrivilege	532	svchost.exe
Token: SeChangeNotifyPrivilege	532	svchost.exe
Token: SeRemoteShutdownPrivilege	532	svchost.exe
Token: SeUndockPrivilege	532	svchost.exe
Token: SeManageVolumePrivilege	532	svchost.exe
Token: SeImpersonatePrivilege	532	svchost.exe
Token: SeCreateGlobalPrivilege	532	svchost.exe
Token: 33	532	svchost.exe
Token: 34	532	svchost.exe
Token: 35	532	svchost.exe
Token: 36	532	svchost.exe
Token: SeRestorePrivilege	624	dw20.exe
Token: SeBackupPrivilege	624	dw20.exe
Token: SeBackupPrivilege	624	dw20.exe
Token: SeBackupPrivilege	624	dw20.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
532	svchost.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3396 wrote to memory of 532	3396	203a1e6dfba46d8fa0ee9c61bff1552d_JaffaCakes118.exe	84
PID 3396 wrote to memory of 532	3396	203a1e6dfba46d8fa0ee9c61bff1552d_JaffaCakes118.exe	84
PID 3396 wrote to memory of 532	3396	203a1e6dfba46d8fa0ee9c61bff1552d_JaffaCakes118.exe	84
PID 3396 wrote to memory of 532	3396	203a1e6dfba46d8fa0ee9c61bff1552d_JaffaCakes118.exe	84
PID 3396 wrote to memory of 532	3396	203a1e6dfba46d8fa0ee9c61bff1552d_JaffaCakes118.exe	84
PID 3396 wrote to memory of 532	3396	203a1e6dfba46d8fa0ee9c61bff1552d_JaffaCakes118.exe	84
PID 3396 wrote to memory of 532	3396	203a1e6dfba46d8fa0ee9c61bff1552d_JaffaCakes118.exe	84
PID 3396 wrote to memory of 532	3396	203a1e6dfba46d8fa0ee9c61bff1552d_JaffaCakes118.exe	84
PID 3396 wrote to memory of 532	3396	203a1e6dfba46d8fa0ee9c61bff1552d_JaffaCakes118.exe	84
PID 3396 wrote to memory of 532	3396	203a1e6dfba46d8fa0ee9c61bff1552d_JaffaCakes118.exe	84
PID 3396 wrote to memory of 532	3396	203a1e6dfba46d8fa0ee9c61bff1552d_JaffaCakes118.exe	84
PID 3396 wrote to memory of 532	3396	203a1e6dfba46d8fa0ee9c61bff1552d_JaffaCakes118.exe	84
PID 3396 wrote to memory of 532	3396	203a1e6dfba46d8fa0ee9c61bff1552d_JaffaCakes118.exe	84
PID 3396 wrote to memory of 532	3396	203a1e6dfba46d8fa0ee9c61bff1552d_JaffaCakes118.exe	84
PID 3396 wrote to memory of 624	3396	203a1e6dfba46d8fa0ee9c61bff1552d_JaffaCakes118.exe	86
PID 3396 wrote to memory of 624	3396	203a1e6dfba46d8fa0ee9c61bff1552d_JaffaCakes118.exe	86
PID 3396 wrote to memory of 624	3396	203a1e6dfba46d8fa0ee9c61bff1552d_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\203a1e6dfba46d8fa0ee9c61bff1552d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\203a1e6dfba46d8fa0ee9c61bff1552d_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3396
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:532
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 1408
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
1KB

MD5
3a59a4a04feeabfdc9c0e3cb4f0127fb

SHA1
c797b6208d6f0db0e07cf4c94f5904ca45648661

SHA256
89e8caef7c451837923a0363d8a7b6994f9cbfc9c9515800dcec2c5ea2ff4d48

SHA512
f7762ef018f8cdbfbd7e7efacc9e324bd90ef3422565f1dbbe1288e7e5d750d3268e663f19bcf14ac8b64e166bcbd0b74ba49f26960bf20fb22ec4777ab63510

Download Submit
memory/532-29-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/532-31-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/532-25-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/532-26-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/532-6-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/532-10-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/532-12-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/532-16-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/532-15-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/532-14-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/532-13-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/532-24-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/532-37-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/532-36-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/532-9-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/532-27-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/532-28-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/532-35-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/532-30-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/532-34-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/532-32-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/532-33-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/3396-2-0x0000000074DA0000-0x0000000075351000-memory.dmp

Filesize
5.7MB

Download
memory/3396-0-0x0000000074DA2000-0x0000000074DA3000-memory.dmp

Filesize
4KB

Download
memory/3396-1-0x0000000074DA0000-0x0000000075351000-memory.dmp

Filesize
5.7MB

Download
memory/3396-23-0x0000000074DA0000-0x0000000075351000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads