darkcomet | 1826a9ff6613f115cfbec8a32dbdab2e5213735dc0f6340aacc52f66b97f73ae

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2025, 04:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5d0c20889e64bd49a511a691002acaa4.exe
Size

1.0MB
MD5

5d0c20889e64bd49a511a691002acaa4
SHA1

942271827f52f6be4a207a4672d77fbb4be05268
SHA256

1826a9ff6613f115cfbec8a32dbdab2e5213735dc0f6340aacc52f66b97f73ae
SHA512

ca8bde18497af9e9cf8154a8946a9f1e75575bfed9e743a670210eaa3be39a66b40e189917e5615e876787c65f1a6cd5ac65bb592f630d62d176fb07b398bc97
SSDEEP

24576:9IOmpYMADuf5JpS1oPyzHBS7zZD9YKmeAZ7guNOjKZl6:9FmpBADW5+1oPSCzFWBZ0NWl6

Score

10^/10

darkcomet latentbot rat testslave discovery persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

RAT

hackforums12345.zapto.org:1605

Mutex

DC_MUTEX-SZWA6GX

Attributes

gencode
9SolcJhs9D0S
install
false
offline_keylogger
true
persistence
false

rc4.plain

Extracted

Family

darkcomet

Botnet

Testslave

62.45.180.50:1604

Mutex

DC_MUTEX-LP98189

Attributes

gencode
wCaWr9NaC9ax
install
false
offline_keylogger
true
persistence
false

rc4.plain

Extracted

Family

latentbot

hackforums12345.zapto.org

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet
LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot
Latentbot family
latentbot

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	JaffaCakes118_5d0c20889e64bd49a511a691002acaa4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	scvhost.exe

Executes dropped EXE 2 IoCs

pid	Process
3772	scvhost.exe
1836	scvhost.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinDefender = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinDefender.Exe"	JaffaCakes118_5d0c20889e64bd49a511a691002acaa4.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4708 set thread context of 4968	4708	JaffaCakes118_5d0c20889e64bd49a511a691002acaa4.exe	101
PID 3772 set thread context of 1836	3772	scvhost.exe	106

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1836-37-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1836-43-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1836-42-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1836-41-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1836-40-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1836-45-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1836-44-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5d0c20889e64bd49a511a691002acaa4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings	scvhost.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4968	vbc.exe
Token: SeSecurityPrivilege	4968	vbc.exe
Token: SeTakeOwnershipPrivilege	4968	vbc.exe
Token: SeLoadDriverPrivilege	4968	vbc.exe
Token: SeSystemProfilePrivilege	4968	vbc.exe
Token: SeSystemtimePrivilege	4968	vbc.exe
Token: SeProfSingleProcessPrivilege	4968	vbc.exe
Token: SeIncBasePriorityPrivilege	4968	vbc.exe
Token: SeCreatePagefilePrivilege	4968	vbc.exe
Token: SeBackupPrivilege	4968	vbc.exe
Token: SeRestorePrivilege	4968	vbc.exe
Token: SeShutdownPrivilege	4968	vbc.exe
Token: SeDebugPrivilege	4968	vbc.exe
Token: SeSystemEnvironmentPrivilege	4968	vbc.exe
Token: SeChangeNotifyPrivilege	4968	vbc.exe
Token: SeRemoteShutdownPrivilege	4968	vbc.exe
Token: SeUndockPrivilege	4968	vbc.exe
Token: SeManageVolumePrivilege	4968	vbc.exe
Token: SeImpersonatePrivilege	4968	vbc.exe
Token: SeCreateGlobalPrivilege	4968	vbc.exe
Token: 33	4968	vbc.exe
Token: 34	4968	vbc.exe
Token: 35	4968	vbc.exe
Token: 36	4968	vbc.exe
Token: SeDebugPrivilege	3772	scvhost.exe
Token: SeIncreaseQuotaPrivilege	1836	scvhost.exe
Token: SeSecurityPrivilege	1836	scvhost.exe
Token: SeTakeOwnershipPrivilege	1836	scvhost.exe
Token: SeLoadDriverPrivilege	1836	scvhost.exe
Token: SeSystemProfilePrivilege	1836	scvhost.exe
Token: SeSystemtimePrivilege	1836	scvhost.exe
Token: SeProfSingleProcessPrivilege	1836	scvhost.exe
Token: SeIncBasePriorityPrivilege	1836	scvhost.exe
Token: SeCreatePagefilePrivilege	1836	scvhost.exe
Token: SeBackupPrivilege	1836	scvhost.exe
Token: SeRestorePrivilege	1836	scvhost.exe
Token: SeShutdownPrivilege	1836	scvhost.exe
Token: SeDebugPrivilege	1836	scvhost.exe
Token: SeSystemEnvironmentPrivilege	1836	scvhost.exe
Token: SeChangeNotifyPrivilege	1836	scvhost.exe
Token: SeRemoteShutdownPrivilege	1836	scvhost.exe
Token: SeUndockPrivilege	1836	scvhost.exe
Token: SeManageVolumePrivilege	1836	scvhost.exe
Token: SeImpersonatePrivilege	1836	scvhost.exe
Token: SeCreateGlobalPrivilege	1836	scvhost.exe
Token: 33	1836	scvhost.exe
Token: 34	1836	scvhost.exe
Token: 35	1836	scvhost.exe
Token: 36	1836	scvhost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4968	vbc.exe
1836	scvhost.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4708 wrote to memory of 4968	4708	JaffaCakes118_5d0c20889e64bd49a511a691002acaa4.exe	101
PID 4708 wrote to memory of 4968	4708	JaffaCakes118_5d0c20889e64bd49a511a691002acaa4.exe	101
PID 4708 wrote to memory of 4968	4708	JaffaCakes118_5d0c20889e64bd49a511a691002acaa4.exe	101
PID 4708 wrote to memory of 4968	4708	JaffaCakes118_5d0c20889e64bd49a511a691002acaa4.exe	101
PID 4708 wrote to memory of 4968	4708	JaffaCakes118_5d0c20889e64bd49a511a691002acaa4.exe	101
PID 4708 wrote to memory of 4968	4708	JaffaCakes118_5d0c20889e64bd49a511a691002acaa4.exe	101
PID 4708 wrote to memory of 4968	4708	JaffaCakes118_5d0c20889e64bd49a511a691002acaa4.exe	101
PID 4708 wrote to memory of 4968	4708	JaffaCakes118_5d0c20889e64bd49a511a691002acaa4.exe	101
PID 4708 wrote to memory of 4968	4708	JaffaCakes118_5d0c20889e64bd49a511a691002acaa4.exe	101
PID 4708 wrote to memory of 4968	4708	JaffaCakes118_5d0c20889e64bd49a511a691002acaa4.exe	101
PID 4708 wrote to memory of 4968	4708	JaffaCakes118_5d0c20889e64bd49a511a691002acaa4.exe	101
PID 4708 wrote to memory of 4968	4708	JaffaCakes118_5d0c20889e64bd49a511a691002acaa4.exe	101
PID 4708 wrote to memory of 4968	4708	JaffaCakes118_5d0c20889e64bd49a511a691002acaa4.exe	101
PID 4708 wrote to memory of 4968	4708	JaffaCakes118_5d0c20889e64bd49a511a691002acaa4.exe	101
PID 4708 wrote to memory of 3772	4708	JaffaCakes118_5d0c20889e64bd49a511a691002acaa4.exe	102
PID 4708 wrote to memory of 3772	4708	JaffaCakes118_5d0c20889e64bd49a511a691002acaa4.exe	102
PID 4708 wrote to memory of 3772	4708	JaffaCakes118_5d0c20889e64bd49a511a691002acaa4.exe	102
PID 3772 wrote to memory of 1836	3772	scvhost.exe	106
PID 3772 wrote to memory of 1836	3772	scvhost.exe	106
PID 3772 wrote to memory of 1836	3772	scvhost.exe	106
PID 3772 wrote to memory of 1836	3772	scvhost.exe	106
PID 3772 wrote to memory of 1836	3772	scvhost.exe	106
PID 3772 wrote to memory of 1836	3772	scvhost.exe	106
PID 3772 wrote to memory of 1836	3772	scvhost.exe	106
PID 3772 wrote to memory of 1836	3772	scvhost.exe	106
PID 3772 wrote to memory of 1696	3772	scvhost.exe	107
PID 3772 wrote to memory of 1696	3772	scvhost.exe	107
PID 3772 wrote to memory of 1696	3772	scvhost.exe	107

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5d0c20889e64bd49a511a691002acaa4.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5d0c20889e64bd49a511a691002acaa4.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4708
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4968
- C:\Users\Admin\AppData\Local\Temp\scvhost.exe
  "C:\Users\Admin\AppData\Local\Temp\scvhost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3772
- - C:\Users\Admin\AppData\Local\Temp\scvhost.exe
    C:\Users\Admin\AppData\Local\Temp\scvhost.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1836
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\iNqqm.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\scvhost.exe

Filesize
315KB

MD5
8200bc9bbdb13aae172bc2f16dd7df8f

SHA1
a5004912a56f75f72b41405661a37b9439a11be0

SHA256
d758dc12f9591f8940ca6a66ecd0ba21ae8341720f473f93c5fc0021dc880a4b

SHA512
68dbfd629d50f949237d0a431b3d3fdf0bf9ab81a4cea5353e7ad05c8770d0f6e8bef190f1ffa0f16ba52a04115d353d72f4fbaee5eb6c931cbbbf716403a299

Download Submit
C:\Users\Admin\AppData\Roaming\iNqqm.vbs

Filesize
405B

MD5
2c2f1364faa343dc5045c4faa8ddb9bd

SHA1
a9926b763cfe2b878674cb20921b2e601ccaf83f

SHA256
3a77727e342c3f6759938394f1162b2ea96dadf38f980d4c1aefdffddb7023dc

SHA512
63490a4cfd553107b8093209776069364db25fc0261546000b332ad206ebb84e2464f0804336cf6d819e0d15b3753ef8e862abcfbf10df52a933e8bbdb5f70a2

Download Submit
memory/1836-45-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1836-37-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1836-43-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1836-42-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1836-41-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1836-40-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1836-44-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3772-28-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/3772-52-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/3772-26-0x0000000074B12000-0x0000000074B13000-memory.dmp

Filesize
4KB

Download
memory/3772-29-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/3772-34-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/3772-33-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/4708-5-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/4708-3-0x0000000074B12000-0x0000000074B13000-memory.dmp

Filesize
4KB

Download
memory/4708-4-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/4708-0-0x0000000074B12000-0x0000000074B13000-memory.dmp

Filesize
4KB

Download
memory/4708-30-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/4708-2-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/4708-1-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/4968-35-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4968-36-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4968-32-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4968-31-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4968-14-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4968-15-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4968-13-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4968-12-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4968-11-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4968-7-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4968-6-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4968-53-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4968-54-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4968-55-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4968-56-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4968-57-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4968-58-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4968-59-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4968-60-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4968-61-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4968-62-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4968-63-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads