darkcomet | 21a8bcc1b3175e1388f76c38f9c9ca55815989f9d8cb81139ea9033b467dbbf8

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
16/03/2025, 05:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_79177807ca02ab91118156ed7da95cb1.exe
Size

2.3MB
MD5

79177807ca02ab91118156ed7da95cb1
SHA1

03eeaca2b6f69044fbec25324ac184b44a135e59
SHA256

21a8bcc1b3175e1388f76c38f9c9ca55815989f9d8cb81139ea9033b467dbbf8
SHA512

0bacdc44c2706ece383b09f4f52a69ad943235a9bc520711cfe919d8804d14121fb14fcc92318e8f7e314678b1225e4d0faf66cfc8e04267509339e8bfdc22d8
SSDEEP

49152:5GNXcWomAEPyHL2Bt0CE5T5b1bqqKGbo+ik/MdXlLIbGkssf+qI:5GNsZmAEPvoCGT1lx/MdVLwGfslI

Score

10^/10

darkcomet latentbot fortune bypass discovery persistence rat spyware stealer trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Fortune Bypass

duckling232.zapto.org:100

Mutex

DC_MUTEX-57EV568

Attributes

gencode
+w9i6zlUS#k1
install
false
offline_keylogger
true
persistence
false

rc4.plain

Extracted

Family

latentbot

duckling232.zapto.org

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet
LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot
Latentbot family
latentbot

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	JaffaCakes118_79177807ca02ab91118156ed7da95cb1.exe

Executes dropped EXE 4 IoCs

pid	Process
1332	ƳǣպƱƒ.exe
2800	svchost.exe
1088	EpicBotCracked 520.exe
4432	EpicBotCracked 520.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Essentials = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MsMpEng.exe"	ƳǣպƱƒ.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3592 set thread context of 2800	3592	JaffaCakes118_79177807ca02ab91118156ed7da95cb1.exe	92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EpicBotCracked 520.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_79177807ca02ab91118156ed7da95cb1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ƳǣպƱƒ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EpicBotCracked 520.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1088	EpicBotCracked 520.exe
1088	EpicBotCracked 520.exe
1088	EpicBotCracked 520.exe
1088	EpicBotCracked 520.exe
4432	EpicBotCracked 520.exe
4432	EpicBotCracked 520.exe
4432	EpicBotCracked 520.exe
4432	EpicBotCracked 520.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	3592	JaffaCakes118_79177807ca02ab91118156ed7da95cb1.exe
Token: SeIncreaseQuotaPrivilege	2800	svchost.exe
Token: SeSecurityPrivilege	2800	svchost.exe
Token: SeTakeOwnershipPrivilege	2800	svchost.exe
Token: SeLoadDriverPrivilege	2800	svchost.exe
Token: SeSystemProfilePrivilege	2800	svchost.exe
Token: SeSystemtimePrivilege	2800	svchost.exe
Token: SeProfSingleProcessPrivilege	2800	svchost.exe
Token: SeIncBasePriorityPrivilege	2800	svchost.exe
Token: SeCreatePagefilePrivilege	2800	svchost.exe
Token: SeBackupPrivilege	2800	svchost.exe
Token: SeRestorePrivilege	2800	svchost.exe
Token: SeShutdownPrivilege	2800	svchost.exe
Token: SeDebugPrivilege	2800	svchost.exe
Token: SeSystemEnvironmentPrivilege	2800	svchost.exe
Token: SeChangeNotifyPrivilege	2800	svchost.exe
Token: SeRemoteShutdownPrivilege	2800	svchost.exe
Token: SeUndockPrivilege	2800	svchost.exe
Token: SeManageVolumePrivilege	2800	svchost.exe
Token: SeImpersonatePrivilege	2800	svchost.exe
Token: SeCreateGlobalPrivilege	2800	svchost.exe
Token: 33	2800	svchost.exe
Token: 34	2800	svchost.exe
Token: 35	2800	svchost.exe
Token: 36	2800	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2800	svchost.exe
4432	EpicBotCracked 520.exe
4432	EpicBotCracked 520.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3592 wrote to memory of 3140	3592	JaffaCakes118_79177807ca02ab91118156ed7da95cb1.exe	88
PID 3592 wrote to memory of 3140	3592	JaffaCakes118_79177807ca02ab91118156ed7da95cb1.exe	88
PID 3592 wrote to memory of 3140	3592	JaffaCakes118_79177807ca02ab91118156ed7da95cb1.exe	88
PID 3140 wrote to memory of 1452	3140	csc.exe	90
PID 3140 wrote to memory of 1452	3140	csc.exe	90
PID 3140 wrote to memory of 1452	3140	csc.exe	90
PID 3592 wrote to memory of 1332	3592	JaffaCakes118_79177807ca02ab91118156ed7da95cb1.exe	91
PID 3592 wrote to memory of 1332	3592	JaffaCakes118_79177807ca02ab91118156ed7da95cb1.exe	91
PID 3592 wrote to memory of 1332	3592	JaffaCakes118_79177807ca02ab91118156ed7da95cb1.exe	91
PID 3592 wrote to memory of 2800	3592	JaffaCakes118_79177807ca02ab91118156ed7da95cb1.exe	92
PID 3592 wrote to memory of 2800	3592	JaffaCakes118_79177807ca02ab91118156ed7da95cb1.exe	92
PID 3592 wrote to memory of 2800	3592	JaffaCakes118_79177807ca02ab91118156ed7da95cb1.exe	92
PID 3592 wrote to memory of 2800	3592	JaffaCakes118_79177807ca02ab91118156ed7da95cb1.exe	92
PID 3592 wrote to memory of 2800	3592	JaffaCakes118_79177807ca02ab91118156ed7da95cb1.exe	92
PID 3592 wrote to memory of 2800	3592	JaffaCakes118_79177807ca02ab91118156ed7da95cb1.exe	92
PID 3592 wrote to memory of 2800	3592	JaffaCakes118_79177807ca02ab91118156ed7da95cb1.exe	92
PID 3592 wrote to memory of 2800	3592	JaffaCakes118_79177807ca02ab91118156ed7da95cb1.exe	92
PID 3592 wrote to memory of 2800	3592	JaffaCakes118_79177807ca02ab91118156ed7da95cb1.exe	92
PID 3592 wrote to memory of 2800	3592	JaffaCakes118_79177807ca02ab91118156ed7da95cb1.exe	92
PID 3592 wrote to memory of 2800	3592	JaffaCakes118_79177807ca02ab91118156ed7da95cb1.exe	92
PID 3592 wrote to memory of 2800	3592	JaffaCakes118_79177807ca02ab91118156ed7da95cb1.exe	92
PID 3592 wrote to memory of 2800	3592	JaffaCakes118_79177807ca02ab91118156ed7da95cb1.exe	92
PID 3592 wrote to memory of 2800	3592	JaffaCakes118_79177807ca02ab91118156ed7da95cb1.exe	92
PID 3592 wrote to memory of 1088	3592	JaffaCakes118_79177807ca02ab91118156ed7da95cb1.exe	93
PID 3592 wrote to memory of 1088	3592	JaffaCakes118_79177807ca02ab91118156ed7da95cb1.exe	93
PID 3592 wrote to memory of 1088	3592	JaffaCakes118_79177807ca02ab91118156ed7da95cb1.exe	93
PID 1088 wrote to memory of 4432	1088	EpicBotCracked 520.exe	94
PID 1088 wrote to memory of 4432	1088	EpicBotCracked 520.exe	94
PID 1088 wrote to memory of 4432	1088	EpicBotCracked 520.exe	94

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_79177807ca02ab91118156ed7da95cb1.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_79177807ca02ab91118156ed7da95cb1.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3592
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\r0pze3xm.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3140
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES48D1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC48D0.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1452
- C:\Users\Admin\AppData\Local\Temp\ƳǣպƱƒ.exe
  "C:\Users\Admin\AppData\Local\Temp\ƳǣպƱƒ.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1332
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\svchost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2800
- C:\Users\Admin\AppData\Local\Temp\EpicBotCracked 520.exe
  "C:\Users\Admin\AppData\Local\Temp\EpicBotCracked 520.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Users\Admin\AppData\Local\Temp\EpicBotCracked 520.exe
    "C:\Users\Admin\AppData\Local\Temp\EpicBotCracked 520.exe" /wrapper /dir="C:\Users\Admin\AppData\Local\Temp\pkg_52f303810"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EpicBotCracked 520.exe

Filesize
1.6MB

MD5
8964bf8a3bd9e77e49ff8c90e3a0d14d

SHA1
461d19ef136235f23f8ffb5adc74a6e9aa59df10

SHA256
348ac5a4e71e8cc077b5d08acfaa6b53d2d4f38d46613569b52e6254b407ff7a

SHA512
c1dbce797cf891ff3650846c4ea1bd104bab44dddb7d07484ad00fcb06bd36c14227065229b224a681bf5d1d94fd3fbc85182ff3d2cf627cecc3cadc76f6533c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES48D1.tmp

Filesize
1KB

MD5
49c6c337076ec38e4f3265da775e2c53

SHA1
5e0e09bd00286df63aa423f2fb4b565c326f8c60

SHA256
21ab12e54a86dc1cf3884b5e23c743673682511504ff4a06cc7b73f8a5972b63

SHA512
44e9c8a7c3b1ec1bb17df1a5a919cf4a3b0cee76483624faf4722f34510866158b6f5af6972476d08100ed5b612e48c5630c60c7fbfd0564adf4fddbd5b58a74

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg_52f303810\autorun.txt

Filesize
114B

MD5
c819368178ce1e40fd55c813340a597a

SHA1
81aef3fd883c52de4fe211f3e43f70137cbccdf6

SHA256
1334449583ff7823df9ba97e57bed51eaaba21eed4551e25b07794f1d48c3e31

SHA512
753ce58ed7b76de63f8d68bf95949dfd772e805d0ab514f2706d72b2d504fb53e9beadaed0d34d933fee4f98d3ea13172c8b3a0e391bcab639c3d70003ec71a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg_52f303810\wrapper.xml

Filesize
942B

MD5
5c292748257ad5905629464778294451

SHA1
60881f97bf759d87c42fe388d35aca0f8d2164f4

SHA256
ef43feb50e5bb1775195ca8c44f2af90661a6c06703c0a70c8e191bf9931c1a8

SHA512
b1769d551421f119f92b62e5717565bb72e41f0288a0cc6f81621fd3a540dfc5370c7944c106499a0b474f50eeb6be8dbee5d3dc2618a8802ac90b73fde7aaca

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
34KB

MD5
e118330b4629b12368d91b9df6488be0

SHA1
ce90218c7e3b90df2a3409ec253048bb6472c2fd

SHA256
3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

SHA512
ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ƳǣպƱƒ.exe

Filesize
4KB

MD5
260d145f42960915eaf80b75e4353b39

SHA1
8539fa7927788a0780a077368c05a2fabdf17397

SHA256
6fb6a7143b5fefed2c72a44847754f400bc35af742c8cfa5eea5cea48cfe3e45

SHA512
13d5375a7fff532c938fac79d624f0979f00e03a2636caf56825c3d04354ed7761eda66d5e3ccc2c5c21ebf2c11e798d2d9affa81ecd5a9090590742d557e6c4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC48D0.tmp

Filesize
636B

MD5
27b71e0b64e514653bf6a5682ace29e2

SHA1
87104c1ead6310c7b5c94a42aeaaa970f487f509

SHA256
e9514606a14bf12a938b47e129f6d0850bd6430f11079b19d6f07ec07d5a221e

SHA512
7d867527ceb96aae747f74794bead9e9a5759b5ed2e9be78889338792ef184c9d0ad818544c339d3a5f73581c70c2703e35b4c221fcd3694e4a664463adf779d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\r0pze3xm.0.cs

Filesize
1KB

MD5
aa0bbfcea85c7590ea7c15f3e9d033b1

SHA1
8022ff3f723b7372d4dd39dc6611e489466e7fd9

SHA256
5b2ee2df80bdd2999b28a576052439d18de2d47c893b21ed062b86edf03910c3

SHA512
3e3ff768d598b8ee6e09b4bc3b9d27f51b15c99b25b01fe2fdee308396010dbec1756114ba9a933aa4697c6283e582d6e140832e602dff41cf81ce4274b1a6fa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\r0pze3xm.cmdline

Filesize
263B

MD5
fa0d42e1b35bd2b338d47567b618d34d

SHA1
22117b08c08e501387f2f32887725de6d76171e9

SHA256
503188fa5e7a1dfa3d30927dcc09af2a81e633078a1220278c78856d0063cc90

SHA512
54c4222644b05a58f6cb3acc30d521b4ce798fe1ba27f469176a9b6fc02f8b9b2d558e855dc90815e9cfd451c5c02833d5a7ceb805930eaa7e815655d1744800

Download Submit
memory/1332-94-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/1332-21-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/2800-38-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2800-114-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2800-22-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2800-122-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2800-36-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2800-27-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2800-39-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2800-121-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2800-37-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2800-120-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2800-119-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2800-118-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2800-117-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2800-108-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2800-109-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2800-110-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2800-111-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2800-112-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2800-113-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2800-25-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2800-115-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2800-116-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/3140-8-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/3140-15-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/3592-1-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/3592-2-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/3592-44-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/3592-0-0x00000000753F2000-0x00000000753F3000-memory.dmp

Filesize
4KB

Download