darkcomet | 1826a9ff6613f115cfbec8a32dbdab2e5213735dc0f6340aacc52f66b97f73ae

Analysis

max time kernel
150s
max time network
144s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
10/03/2025, 04:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5d0c20889e64bd49a511a691002acaa4.exe
Size

1.0MB
MD5

5d0c20889e64bd49a511a691002acaa4
SHA1

942271827f52f6be4a207a4672d77fbb4be05268
SHA256

1826a9ff6613f115cfbec8a32dbdab2e5213735dc0f6340aacc52f66b97f73ae
SHA512

ca8bde18497af9e9cf8154a8946a9f1e75575bfed9e743a670210eaa3be39a66b40e189917e5615e876787c65f1a6cd5ac65bb592f630d62d176fb07b398bc97
SSDEEP

24576:9IOmpYMADuf5JpS1oPyzHBS7zZD9YKmeAZ7guNOjKZl6:9FmpBADW5+1oPSCzFWBZ0NWl6

Score

10^/10

darkcomet latentbot rat testslave discovery persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Attributes

gencode
install
false
offline_keylogger
false
persistence
false

rc4.plain

Extracted

Family

darkcomet

Botnet

RAT

hackforums12345.zapto.org:1605

Mutex

DC_MUTEX-SZWA6GX

Attributes

gencode
9SolcJhs9D0S
install
false
offline_keylogger
true
persistence
false

rc4.plain

Extracted

Family

darkcomet

Botnet

Testslave

62.45.180.50:1604

Mutex

DC_MUTEX-LP98189

Attributes

gencode
wCaWr9NaC9ax
install
false
offline_keylogger
true
persistence
false

rc4.plain

Extracted

Family

latentbot

hackforums12345.zapto.org

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet
LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot
Latentbot family
latentbot

Executes dropped EXE 2 IoCs

pid	Process
3008	scvhost.exe
2808	scvhost.exe

Loads dropped DLL 2 IoCs

pid	Process
1644	JaffaCakes118_5d0c20889e64bd49a511a691002acaa4.exe
3008	scvhost.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinDefender = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinDefender.Exe"	JaffaCakes118_5d0c20889e64bd49a511a691002acaa4.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1644 set thread context of 1612	1644	JaffaCakes118_5d0c20889e64bd49a511a691002acaa4.exe	31
PID 3008 set thread context of 2808	3008	scvhost.exe	33

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2808-52-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2808-49-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2808-44-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2808-43-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2808-42-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2808-41-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2808-38-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2808-36-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2808-35-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5d0c20889e64bd49a511a691002acaa4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scvhost.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1612	vbc.exe
Token: SeSecurityPrivilege	1612	vbc.exe
Token: SeTakeOwnershipPrivilege	1612	vbc.exe
Token: SeLoadDriverPrivilege	1612	vbc.exe
Token: SeSystemProfilePrivilege	1612	vbc.exe
Token: SeSystemtimePrivilege	1612	vbc.exe
Token: SeProfSingleProcessPrivilege	1612	vbc.exe
Token: SeIncBasePriorityPrivilege	1612	vbc.exe
Token: SeCreatePagefilePrivilege	1612	vbc.exe
Token: SeBackupPrivilege	1612	vbc.exe
Token: SeRestorePrivilege	1612	vbc.exe
Token: SeShutdownPrivilege	1612	vbc.exe
Token: SeDebugPrivilege	1612	vbc.exe
Token: SeSystemEnvironmentPrivilege	1612	vbc.exe
Token: SeChangeNotifyPrivilege	1612	vbc.exe
Token: SeRemoteShutdownPrivilege	1612	vbc.exe
Token: SeUndockPrivilege	1612	vbc.exe
Token: SeManageVolumePrivilege	1612	vbc.exe
Token: SeImpersonatePrivilege	1612	vbc.exe
Token: SeCreateGlobalPrivilege	1612	vbc.exe
Token: 33	1612	vbc.exe
Token: 34	1612	vbc.exe
Token: 35	1612	vbc.exe
Token: SeDebugPrivilege	3008	scvhost.exe
Token: SeIncreaseQuotaPrivilege	2808	scvhost.exe
Token: SeSecurityPrivilege	2808	scvhost.exe
Token: SeTakeOwnershipPrivilege	2808	scvhost.exe
Token: SeLoadDriverPrivilege	2808	scvhost.exe
Token: SeSystemProfilePrivilege	2808	scvhost.exe
Token: SeSystemtimePrivilege	2808	scvhost.exe
Token: SeProfSingleProcessPrivilege	2808	scvhost.exe
Token: SeIncBasePriorityPrivilege	2808	scvhost.exe
Token: SeCreatePagefilePrivilege	2808	scvhost.exe
Token: SeBackupPrivilege	2808	scvhost.exe
Token: SeRestorePrivilege	2808	scvhost.exe
Token: SeShutdownPrivilege	2808	scvhost.exe
Token: SeDebugPrivilege	2808	scvhost.exe
Token: SeSystemEnvironmentPrivilege	2808	scvhost.exe
Token: SeChangeNotifyPrivilege	2808	scvhost.exe
Token: SeRemoteShutdownPrivilege	2808	scvhost.exe
Token: SeUndockPrivilege	2808	scvhost.exe
Token: SeManageVolumePrivilege	2808	scvhost.exe
Token: SeImpersonatePrivilege	2808	scvhost.exe
Token: SeCreateGlobalPrivilege	2808	scvhost.exe
Token: 33	2808	scvhost.exe
Token: 34	2808	scvhost.exe
Token: 35	2808	scvhost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1612	vbc.exe
2808	scvhost.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 1612	1644	JaffaCakes118_5d0c20889e64bd49a511a691002acaa4.exe	31
PID 1644 wrote to memory of 1612	1644	JaffaCakes118_5d0c20889e64bd49a511a691002acaa4.exe	31
PID 1644 wrote to memory of 1612	1644	JaffaCakes118_5d0c20889e64bd49a511a691002acaa4.exe	31
PID 1644 wrote to memory of 1612	1644	JaffaCakes118_5d0c20889e64bd49a511a691002acaa4.exe	31
PID 1644 wrote to memory of 1612	1644	JaffaCakes118_5d0c20889e64bd49a511a691002acaa4.exe	31
PID 1644 wrote to memory of 1612	1644	JaffaCakes118_5d0c20889e64bd49a511a691002acaa4.exe	31
PID 1644 wrote to memory of 1612	1644	JaffaCakes118_5d0c20889e64bd49a511a691002acaa4.exe	31
PID 1644 wrote to memory of 1612	1644	JaffaCakes118_5d0c20889e64bd49a511a691002acaa4.exe	31
PID 1644 wrote to memory of 1612	1644	JaffaCakes118_5d0c20889e64bd49a511a691002acaa4.exe	31
PID 1644 wrote to memory of 1612	1644	JaffaCakes118_5d0c20889e64bd49a511a691002acaa4.exe	31
PID 1644 wrote to memory of 1612	1644	JaffaCakes118_5d0c20889e64bd49a511a691002acaa4.exe	31
PID 1644 wrote to memory of 1612	1644	JaffaCakes118_5d0c20889e64bd49a511a691002acaa4.exe	31
PID 1644 wrote to memory of 1612	1644	JaffaCakes118_5d0c20889e64bd49a511a691002acaa4.exe	31
PID 1644 wrote to memory of 3008	1644	JaffaCakes118_5d0c20889e64bd49a511a691002acaa4.exe	32
PID 1644 wrote to memory of 3008	1644	JaffaCakes118_5d0c20889e64bd49a511a691002acaa4.exe	32
PID 1644 wrote to memory of 3008	1644	JaffaCakes118_5d0c20889e64bd49a511a691002acaa4.exe	32
PID 1644 wrote to memory of 3008	1644	JaffaCakes118_5d0c20889e64bd49a511a691002acaa4.exe	32
PID 3008 wrote to memory of 2808	3008	scvhost.exe	33
PID 3008 wrote to memory of 2808	3008	scvhost.exe	33
PID 3008 wrote to memory of 2808	3008	scvhost.exe	33
PID 3008 wrote to memory of 2808	3008	scvhost.exe	33
PID 3008 wrote to memory of 2808	3008	scvhost.exe	33
PID 3008 wrote to memory of 2808	3008	scvhost.exe	33
PID 3008 wrote to memory of 2808	3008	scvhost.exe	33
PID 3008 wrote to memory of 2808	3008	scvhost.exe	33
PID 3008 wrote to memory of 2856	3008	scvhost.exe	34
PID 3008 wrote to memory of 2856	3008	scvhost.exe	34
PID 3008 wrote to memory of 2856	3008	scvhost.exe	34
PID 3008 wrote to memory of 2856	3008	scvhost.exe	34

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5d0c20889e64bd49a511a691002acaa4.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5d0c20889e64bd49a511a691002acaa4.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1612
- C:\Users\Admin\AppData\Local\Temp\scvhost.exe
  "C:\Users\Admin\AppData\Local\Temp\scvhost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Users\Admin\AppData\Local\Temp\scvhost.exe
    C:\Users\Admin\AppData\Local\Temp\scvhost.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2808
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\iNqqm.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\scvhost.exe

Filesize
315KB

MD5
8200bc9bbdb13aae172bc2f16dd7df8f

SHA1
a5004912a56f75f72b41405661a37b9439a11be0

SHA256
d758dc12f9591f8940ca6a66ecd0ba21ae8341720f473f93c5fc0021dc880a4b

SHA512
68dbfd629d50f949237d0a431b3d3fdf0bf9ab81a4cea5353e7ad05c8770d0f6e8bef190f1ffa0f16ba52a04115d353d72f4fbaee5eb6c931cbbbf716403a299

Download Submit
C:\Users\Admin\AppData\Roaming\iNqqm.vbs

Filesize
405B

MD5
2c2f1364faa343dc5045c4faa8ddb9bd

SHA1
a9926b763cfe2b878674cb20921b2e601ccaf83f

SHA256
3a77727e342c3f6759938394f1162b2ea96dadf38f980d4c1aefdffddb7023dc

SHA512
63490a4cfd553107b8093209776069364db25fc0261546000b332ad206ebb84e2464f0804336cf6d819e0d15b3753ef8e862abcfbf10df52a933e8bbdb5f70a2

Download Submit
memory/1612-54-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1612-61-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1612-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1612-12-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1612-11-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1612-10-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1612-9-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1612-8-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1612-7-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1612-5-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1612-16-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1612-27-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1612-26-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1612-25-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1612-68-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1612-21-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1612-20-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1612-15-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1612-67-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1612-66-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1612-65-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1612-64-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1612-63-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1612-62-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1612-3-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1612-60-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1612-59-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1612-58-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1612-57-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1612-56-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1612-55-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1612-53-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1644-1-0x0000000074E80000-0x000000007542B000-memory.dmp

Filesize
5.7MB

Download
memory/1644-2-0x0000000074E80000-0x000000007542B000-memory.dmp

Filesize
5.7MB

Download
memory/1644-0-0x0000000074E81000-0x0000000074E82000-memory.dmp

Filesize
4KB

Download
memory/1644-31-0x0000000074E80000-0x000000007542B000-memory.dmp

Filesize
5.7MB

Download
memory/2808-44-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2808-41-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2808-42-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2808-35-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2808-49-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2808-43-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2808-38-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2808-52-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2808-34-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2808-37-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2808-36-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3008-51-0x0000000000450000-0x0000000000490000-memory.dmp

Filesize
256KB

Download
memory/3008-32-0x0000000000450000-0x0000000000490000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads