darkcomet | b8b714b79cd5de967763d423693fdd4eee57676eab485bbc3a6aaccf5cda0ba1

Analysis

max time kernel
150s
max time network
143s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
29-11-2024 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b28d71f5e9a9e74c008f8102923f5d08_JaffaCakes118.exe
Size

1.6MB
MD5

b28d71f5e9a9e74c008f8102923f5d08
SHA1

a7769e1357506e4b66a0048d18b4c8da1df26378
SHA256

b8b714b79cd5de967763d423693fdd4eee57676eab485bbc3a6aaccf5cda0ba1
SHA512

c59c834e03ca30e0cd408082397d5b715ab5459067809aa5e44c2030e80b6d63c7a605eb96ad78c4dd3cc1abadeef0f70fb80b5c43b6b69f4ee428c1efeae4cd
SSDEEP

24576:saHMv6CorjqnyC8ulDrAZ0P4qgarLj+k3JUiDaiR5RzeJTdK6z:s1vqjdC8YDvP4ParLjrnWiteJTh

Score

10^/10

darkcomet latentbot 1 discovery evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

hackerman123.zapto.org:1604

91.35.245.232:1604

192.168.2.111:1604

127.0.0.1:1604

Mutex

DC_MUTEX-WJ89VCK

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
MuSbpc6onR2T
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Extracted

Family

latentbot

hackerman123.zapto.org

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet
LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot
Latentbot family
latentbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	uncrypted.exe

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	msdcsc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	iexplore.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	msdcsc.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	msdcsc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	iexplore.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2696	attrib.exe

Executes dropped EXE 2 IoCs

pid	Process
2688	uncrypted.exe
2644	msdcsc.exe

Loads dropped DLL 7 IoCs

pid	Process
2916	b28d71f5e9a9e74c008f8102923f5d08_JaffaCakes118.exe
2916	b28d71f5e9a9e74c008f8102923f5d08_JaffaCakes118.exe
2916	b28d71f5e9a9e74c008f8102923f5d08_JaffaCakes118.exe
2916	b28d71f5e9a9e74c008f8102923f5d08_JaffaCakes118.exe
2916	b28d71f5e9a9e74c008f8102923f5d08_JaffaCakes118.exe
2688	uncrypted.exe
2688	uncrypted.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	uncrypted.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2916-0-0x0000000000400000-0x0000000000507000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2644 set thread context of 328	2644	msdcsc.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b28d71f5e9a9e74c008f8102923f5d08_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uncrypted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
328	iexplore.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2688	uncrypted.exe
Token: SeSecurityPrivilege	2688	uncrypted.exe
Token: SeTakeOwnershipPrivilege	2688	uncrypted.exe
Token: SeLoadDriverPrivilege	2688	uncrypted.exe
Token: SeSystemProfilePrivilege	2688	uncrypted.exe
Token: SeSystemtimePrivilege	2688	uncrypted.exe
Token: SeProfSingleProcessPrivilege	2688	uncrypted.exe
Token: SeIncBasePriorityPrivilege	2688	uncrypted.exe
Token: SeCreatePagefilePrivilege	2688	uncrypted.exe
Token: SeBackupPrivilege	2688	uncrypted.exe
Token: SeRestorePrivilege	2688	uncrypted.exe
Token: SeShutdownPrivilege	2688	uncrypted.exe
Token: SeDebugPrivilege	2688	uncrypted.exe
Token: SeSystemEnvironmentPrivilege	2688	uncrypted.exe
Token: SeChangeNotifyPrivilege	2688	uncrypted.exe
Token: SeRemoteShutdownPrivilege	2688	uncrypted.exe
Token: SeUndockPrivilege	2688	uncrypted.exe
Token: SeManageVolumePrivilege	2688	uncrypted.exe
Token: SeImpersonatePrivilege	2688	uncrypted.exe
Token: SeCreateGlobalPrivilege	2688	uncrypted.exe
Token: 33	2688	uncrypted.exe
Token: 34	2688	uncrypted.exe
Token: 35	2688	uncrypted.exe
Token: SeIncreaseQuotaPrivilege	2644	msdcsc.exe
Token: SeSecurityPrivilege	2644	msdcsc.exe
Token: SeTakeOwnershipPrivilege	2644	msdcsc.exe
Token: SeLoadDriverPrivilege	2644	msdcsc.exe
Token: SeSystemProfilePrivilege	2644	msdcsc.exe
Token: SeSystemtimePrivilege	2644	msdcsc.exe
Token: SeProfSingleProcessPrivilege	2644	msdcsc.exe
Token: SeIncBasePriorityPrivilege	2644	msdcsc.exe
Token: SeCreatePagefilePrivilege	2644	msdcsc.exe
Token: SeBackupPrivilege	2644	msdcsc.exe
Token: SeRestorePrivilege	2644	msdcsc.exe
Token: SeShutdownPrivilege	2644	msdcsc.exe
Token: SeDebugPrivilege	2644	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	2644	msdcsc.exe
Token: SeChangeNotifyPrivilege	2644	msdcsc.exe
Token: SeRemoteShutdownPrivilege	2644	msdcsc.exe
Token: SeUndockPrivilege	2644	msdcsc.exe
Token: SeManageVolumePrivilege	2644	msdcsc.exe
Token: SeImpersonatePrivilege	2644	msdcsc.exe
Token: SeCreateGlobalPrivilege	2644	msdcsc.exe
Token: 33	2644	msdcsc.exe
Token: 34	2644	msdcsc.exe
Token: 35	2644	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	328	iexplore.exe
Token: SeSecurityPrivilege	328	iexplore.exe
Token: SeTakeOwnershipPrivilege	328	iexplore.exe
Token: SeLoadDriverPrivilege	328	iexplore.exe
Token: SeSystemProfilePrivilege	328	iexplore.exe
Token: SeSystemtimePrivilege	328	iexplore.exe
Token: SeProfSingleProcessPrivilege	328	iexplore.exe
Token: SeIncBasePriorityPrivilege	328	iexplore.exe
Token: SeCreatePagefilePrivilege	328	iexplore.exe
Token: SeBackupPrivilege	328	iexplore.exe
Token: SeRestorePrivilege	328	iexplore.exe
Token: SeShutdownPrivilege	328	iexplore.exe
Token: SeDebugPrivilege	328	iexplore.exe
Token: SeSystemEnvironmentPrivilege	328	iexplore.exe
Token: SeChangeNotifyPrivilege	328	iexplore.exe
Token: SeRemoteShutdownPrivilege	328	iexplore.exe
Token: SeUndockPrivilege	328	iexplore.exe
Token: SeManageVolumePrivilege	328	iexplore.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
328	iexplore.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 2688	2916	b28d71f5e9a9e74c008f8102923f5d08_JaffaCakes118.exe	30
PID 2916 wrote to memory of 2688	2916	b28d71f5e9a9e74c008f8102923f5d08_JaffaCakes118.exe	30
PID 2916 wrote to memory of 2688	2916	b28d71f5e9a9e74c008f8102923f5d08_JaffaCakes118.exe	30
PID 2916 wrote to memory of 2688	2916	b28d71f5e9a9e74c008f8102923f5d08_JaffaCakes118.exe	30
PID 2688 wrote to memory of 2720	2688	uncrypted.exe	31
PID 2688 wrote to memory of 2720	2688	uncrypted.exe	31
PID 2688 wrote to memory of 2720	2688	uncrypted.exe	31
PID 2688 wrote to memory of 2720	2688	uncrypted.exe	31
PID 2688 wrote to memory of 2644	2688	uncrypted.exe	33
PID 2688 wrote to memory of 2644	2688	uncrypted.exe	33
PID 2688 wrote to memory of 2644	2688	uncrypted.exe	33
PID 2688 wrote to memory of 2644	2688	uncrypted.exe	33
PID 2720 wrote to memory of 2696	2720	cmd.exe	34
PID 2720 wrote to memory of 2696	2720	cmd.exe	34
PID 2720 wrote to memory of 2696	2720	cmd.exe	34
PID 2720 wrote to memory of 2696	2720	cmd.exe	34
PID 2644 wrote to memory of 328	2644	msdcsc.exe	35
PID 2644 wrote to memory of 328	2644	msdcsc.exe	35
PID 2644 wrote to memory of 328	2644	msdcsc.exe	35
PID 2644 wrote to memory of 328	2644	msdcsc.exe	35
PID 2644 wrote to memory of 328	2644	msdcsc.exe	35
PID 2644 wrote to memory of 328	2644	msdcsc.exe	35
PID 328 wrote to memory of 2600	328	iexplore.exe	36
PID 328 wrote to memory of 2600	328	iexplore.exe	36
PID 328 wrote to memory of 2600	328	iexplore.exe	36
PID 328 wrote to memory of 2600	328	iexplore.exe	36
PID 328 wrote to memory of 2600	328	iexplore.exe	36
PID 328 wrote to memory of 2600	328	iexplore.exe	36
PID 328 wrote to memory of 2600	328	iexplore.exe	36
PID 328 wrote to memory of 2600	328	iexplore.exe	36
PID 328 wrote to memory of 2600	328	iexplore.exe	36
PID 328 wrote to memory of 2600	328	iexplore.exe	36
PID 328 wrote to memory of 2600	328	iexplore.exe	36
PID 328 wrote to memory of 2600	328	iexplore.exe	36
PID 328 wrote to memory of 2600	328	iexplore.exe	36
PID 328 wrote to memory of 2600	328	iexplore.exe	36
PID 328 wrote to memory of 2600	328	iexplore.exe	36
PID 328 wrote to memory of 2600	328	iexplore.exe	36
PID 328 wrote to memory of 2600	328	iexplore.exe	36
PID 328 wrote to memory of 2600	328	iexplore.exe	36
PID 328 wrote to memory of 2600	328	iexplore.exe	36
PID 328 wrote to memory of 2600	328	iexplore.exe	36
PID 328 wrote to memory of 2600	328	iexplore.exe	36
PID 328 wrote to memory of 2600	328	iexplore.exe	36
PID 328 wrote to memory of 2600	328	iexplore.exe	36

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2696	attrib.exe

C:\Users\Admin\AppData\Local\Temp\b28d71f5e9a9e74c008f8102923f5d08_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b28d71f5e9a9e74c008f8102923f5d08_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Users\Admin\AppData\Local\Temp\uncrypted.exe
  "C:\Users\Admin\AppData\Local\Temp\uncrypted.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2696
- - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    3⤵
    - Modifies firewall policy service
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      4⤵
      Modifies firewall policy service
      Windows security bypass
      Disables RegEdit via registry modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:328
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\crypt

Filesize
694KB

MD5
74601d515fff8d8f28105306817331ad

SHA1
345854f22ba07078c14f27b5b117f167a6becf36

SHA256
e41ad53c4fdc11b2ca2f0bb5fedca4cfec6e661fd074e5945018616718458000

SHA512
2c35228a09eeb888495ac473e8d931f3098b3b886bf4e86cc453fe83cced803c697d97ea4bb8f3fdb1cec91f3c8abaa24883bb5ede61508ef74bcd0da0dc7ee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\uncrypted.exe

Filesize
694KB

MD5
acee4d27bf1e817dede359ff3811f5f9

SHA1
c8ba7c1d677252b911b65e35edd25cc07514770f

SHA256
b77520774a7d836867efb30a85104b427f8b2be1cdb940c0006245f77b071503

SHA512
9d30d030ab2ffb5543832a8cb88888b95c02a5a130ee272e5a3887726acebeeabf46d4078f14161f18bb5e5c079eda70816e89d776d19df537f20d508e69050f

Download Submit
memory/328-39-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2600-41-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/2600-79-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2644-40-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2688-25-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2688-80-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2916-0-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads