darkcomet | fdc99489f71d7f72e1ec5746cdae8cc7d441c28082de699d6e066c1c16b1ee77

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
26-06-2024 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe
Size

689KB
MD5

133b22daeb05a907491ce1c8fbef04b9
SHA1

f801a99437c15f0ac34fe3297b945bf410c37cc2
SHA256

fdc99489f71d7f72e1ec5746cdae8cc7d441c28082de699d6e066c1c16b1ee77
SHA512

2f7ce692eaf86275eeba0eece50841b3f74668ab00be62c3d310cf1201cbdca48fd2b2535302019856ee4c57bc8f6da6471abed89f9d2bce14e89815e7df67ad
SSDEEP

12288:dGezWOMTBYrGEVbsgr1mCk5Ko0L78a3BeBv8P8oaTGUZy9amJ9q3K4P3x8c8Hx3w:lLMTBYyEOgkCWK3BeBUkpG1cmJoXfx3P

Score

10^/10

darkcomet latentbot guest16 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

botnetclients.zapto.org:1604

Mutex

DC_MUTEX-4ET0BTN

Attributes

gencode
vkUUxAwqAkJT
install
false
offline_keylogger
true
persistence
false

Extracted

Family

latentbot

botnetclients.zapto.org

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot
Executes dropped EXE 2 IoCs

Processes:

ƴƐơӸƛ.exesvchost.exe

pid process

2708 ƴƐơӸƛ.exe
2604 svchost.exe
Loads dropped DLL 3 IoCs

Processes:

133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe

pid process

2444 133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe
2444 133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe
2444 133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe

pid	process
2708	ƴƐơӸƛ.exe
2604	svchost.exe

pid	process
2444	133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe
2444	133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe
2444	133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ƴƐơӸƛ.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Googleupdaterss = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GoogleUpdate.exe"	ƴƐơӸƛ.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe

description pid process target process

PID 2444 set thread context of 2604 2444 133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2444 set thread context of 2604	2444	133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe	svchost.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	2444	133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2604	svchost.exe
Token: SeSecurityPrivilege	2604	svchost.exe
Token: SeTakeOwnershipPrivilege	2604	svchost.exe
Token: SeLoadDriverPrivilege	2604	svchost.exe
Token: SeSystemProfilePrivilege	2604	svchost.exe
Token: SeSystemtimePrivilege	2604	svchost.exe
Token: SeProfSingleProcessPrivilege	2604	svchost.exe
Token: SeIncBasePriorityPrivilege	2604	svchost.exe
Token: SeCreatePagefilePrivilege	2604	svchost.exe
Token: SeBackupPrivilege	2604	svchost.exe
Token: SeRestorePrivilege	2604	svchost.exe
Token: SeShutdownPrivilege	2604	svchost.exe
Token: SeDebugPrivilege	2604	svchost.exe
Token: SeSystemEnvironmentPrivilege	2604	svchost.exe
Token: SeChangeNotifyPrivilege	2604	svchost.exe
Token: SeRemoteShutdownPrivilege	2604	svchost.exe
Token: SeUndockPrivilege	2604	svchost.exe
Token: SeManageVolumePrivilege	2604	svchost.exe
Token: SeImpersonatePrivilege	2604	svchost.exe
Token: SeCreateGlobalPrivilege	2604	svchost.exe
Token: 33	2604	svchost.exe
Token: 34	2604	svchost.exe
Token: 35	2604	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

2604 svchost.exe

pid	process
2604	svchost.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.execsc.exe

description	pid	process	target process
PID 2444 wrote to memory of 2412	2444	133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe	csc.exe
PID 2444 wrote to memory of 2412	2444	133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe	csc.exe
PID 2444 wrote to memory of 2412	2444	133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe	csc.exe
PID 2444 wrote to memory of 2412	2444	133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe	csc.exe
PID 2412 wrote to memory of 3068	2412	csc.exe	cvtres.exe
PID 2412 wrote to memory of 3068	2412	csc.exe	cvtres.exe
PID 2412 wrote to memory of 3068	2412	csc.exe	cvtres.exe
PID 2412 wrote to memory of 3068	2412	csc.exe	cvtres.exe
PID 2444 wrote to memory of 2708	2444	133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe	ƴƐơӸƛ.exe
PID 2444 wrote to memory of 2708	2444	133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe	ƴƐơӸƛ.exe
PID 2444 wrote to memory of 2708	2444	133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe	ƴƐơӸƛ.exe
PID 2444 wrote to memory of 2708	2444	133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe	ƴƐơӸƛ.exe
PID 2444 wrote to memory of 2604	2444	133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe	svchost.exe
PID 2444 wrote to memory of 2604	2444	133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe	svchost.exe
PID 2444 wrote to memory of 2604	2444	133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe	svchost.exe
PID 2444 wrote to memory of 2604	2444	133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe	svchost.exe
PID 2444 wrote to memory of 2604	2444	133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe	svchost.exe
PID 2444 wrote to memory of 2604	2444	133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe	svchost.exe
PID 2444 wrote to memory of 2604	2444	133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe	svchost.exe
PID 2444 wrote to memory of 2604	2444	133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe	svchost.exe
PID 2444 wrote to memory of 2604	2444	133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe	svchost.exe
PID 2444 wrote to memory of 2604	2444	133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe	svchost.exe
PID 2444 wrote to memory of 2604	2444	133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe	svchost.exe
PID 2444 wrote to memory of 2604	2444	133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe	svchost.exe
PID 2444 wrote to memory of 2604	2444	133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2444

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\7mzsi43y.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2412

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F60.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5F5F.tmp"
3⤵
PID:3068

C:\Users\Admin\AppData\Local\Temp\ƴƐơӸƛ.exe
"C:\Users\Admin\AppData\Local\Temp\ƴƐơӸƛ.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2708

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2604

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES5F60.tmp
Filesize
1KB

MD5
34793905d04d0c7496fa35c7b00910c2

SHA1
364f0dd3b7b56e1a65a65f44ddc84939b39efebc

SHA256
3851cea9e95bdb99d168b37831b9d82446f6d1ddb737029eb3d14e521a8351d3

SHA512
148c4602bb7de0839835a8a86a39048cb83d3acad25942b66c189317631ee44feab39f639b8ace071f461e6d57e25f63c7d386cbe73f21357427e8beb7599138

Download Submit
C:\Users\Admin\AppData\Local\Temp\ƴƐơӸƛ.exe
Filesize
4KB

MD5
625fbe98fb723b1181ceae84b621865f

SHA1
9392708d9c12b88bc12f16528110906f6e2d2820

SHA256
f62a7a8b59825f7f63b4d8bde7c208fe1a41b3443dfe06f53d6c5eb3ff646f24

SHA512
df734f9b61861272c221c03026928c753fa271947a8c84cdfdb0e24e69aa0f7c9f6ceeee21585e857a009b34f60e8dacec094d42db37a78d6221fb45981fbaa9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\7mzsi43y.0.cs
Filesize
1KB

MD5
f80b11bd919779674e6eafe423e97e60

SHA1
909c86bd235bbae1769517843edb6d963effa3a2

SHA256
9c93657602cf1b1d423c530c66cad6fee05420cb9058fd887d689d4aa38bb6c9

SHA512
c17379d0a5461ba9111bb2367025d993904cf063bd71e93806e672847f5bbe8bfad8953706a358d22f36bad05ec04411445d109d982f1942980953e3819e5c66

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\7mzsi43y.cmdline
Filesize
263B

MD5
25a6bc1120c3addc990931df4b9e1353

SHA1
f85af7d0255e459e5e5cc37cdb3d8f4411ff8404

SHA256
29195459bf4be3ee830b4c4862e0a9069f90291aff9a03bf2f5f3b11012dcfe6

SHA512
080c02f5a9e258aa7ae70e4eb5ba5a11510ff661625e3751fd74d8a19869bb5adda64f3668875cf71ccf3db84810cd99a71a980eb304fceb34b3c5ee74b5a02a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC5F5F.tmp
Filesize
636B

MD5
2730ab17d4096ca3bd422d60329a4dd4

SHA1
5e2b17f0949eff720b65a436ebcab5ee7c9981a6

SHA256
60c5e88c7e70c5261c29c4f6658893c93eebe2c5a0a60b6a7aa8431bd3b55bfa

SHA512
c74a0088cf03f3171b31a13a54d37d35cadc796f5bec6508291b60835c445cfc04cc1f10ca14b059b58b250aeda235bed6a272839c170700cdb505a532a3d451

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
memory/2412-8-0x0000000074A20000-0x0000000074FCB000-memory.dmp

Filesize
5.7MB

Download
memory/2412-15-0x0000000074A20000-0x0000000074FCB000-memory.dmp

Filesize
5.7MB

Download
memory/2444-46-0x0000000074A20000-0x0000000074FCB000-memory.dmp

Filesize
5.7MB

Download
memory/2444-2-0x0000000074A20000-0x0000000074FCB000-memory.dmp

Filesize
5.7MB

Download
memory/2444-1-0x0000000074A20000-0x0000000074FCB000-memory.dmp

Filesize
5.7MB

Download
memory/2444-0-0x0000000074A21000-0x0000000074A22000-memory.dmp

Filesize
4KB

Download
memory/2444-44-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/2604-35-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2604-49-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2604-48-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2604-45-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2604-42-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2604-41-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2604-39-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2604-29-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2604-27-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2604-26-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2604-37-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2604-33-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2604-31-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2604-47-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2604-50-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2604-51-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2604-52-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2604-53-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2604-54-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2604-55-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2604-56-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2604-57-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2604-58-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2604-59-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2604-60-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2604-61-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2604-62-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download