darkcomet | fdc99489f71d7f72e1ec5746cdae8cc7d441c28082de699d6e066c1c16b1ee77

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
26-06-2024 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe
Size

689KB
MD5

133b22daeb05a907491ce1c8fbef04b9
SHA1

f801a99437c15f0ac34fe3297b945bf410c37cc2
SHA256

fdc99489f71d7f72e1ec5746cdae8cc7d441c28082de699d6e066c1c16b1ee77
SHA512

2f7ce692eaf86275eeba0eece50841b3f74668ab00be62c3d310cf1201cbdca48fd2b2535302019856ee4c57bc8f6da6471abed89f9d2bce14e89815e7df67ad
SSDEEP

12288:dGezWOMTBYrGEVbsgr1mCk5Ko0L78a3BeBv8P8oaTGUZy9amJ9q3K4P3x8c8Hx3w:lLMTBYyEOgkCWK3BeBUkpG1cmJoXfx3P

Score

10^/10

darkcomet latentbot guest16 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

botnetclients.zapto.org:1604

Mutex

DC_MUTEX-4ET0BTN

Attributes

gencode
vkUUxAwqAkJT
install
false
offline_keylogger
true
persistence
false

Extracted

Family

latentbot

botnetclients.zapto.org

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation 133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe
Executes dropped EXE 2 IoCs

Processes:

ƴƐơӸƛ.exesvchost.exe

pid process

1656 ƴƐơӸƛ.exe
1132 svchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe

pid	process
1656	ƴƐơӸƛ.exe
1132	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ƴƐơӸƛ.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Googleupdaterss = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GoogleUpdate.exe"	ƴƐơӸƛ.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe

description pid process target process

PID 624 set thread context of 1132 624 133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 624 set thread context of 1132	624	133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe	svchost.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	624	133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	1132	svchost.exe
Token: SeSecurityPrivilege	1132	svchost.exe
Token: SeTakeOwnershipPrivilege	1132	svchost.exe
Token: SeLoadDriverPrivilege	1132	svchost.exe
Token: SeSystemProfilePrivilege	1132	svchost.exe
Token: SeSystemtimePrivilege	1132	svchost.exe
Token: SeProfSingleProcessPrivilege	1132	svchost.exe
Token: SeIncBasePriorityPrivilege	1132	svchost.exe
Token: SeCreatePagefilePrivilege	1132	svchost.exe
Token: SeBackupPrivilege	1132	svchost.exe
Token: SeRestorePrivilege	1132	svchost.exe
Token: SeShutdownPrivilege	1132	svchost.exe
Token: SeDebugPrivilege	1132	svchost.exe
Token: SeSystemEnvironmentPrivilege	1132	svchost.exe
Token: SeChangeNotifyPrivilege	1132	svchost.exe
Token: SeRemoteShutdownPrivilege	1132	svchost.exe
Token: SeUndockPrivilege	1132	svchost.exe
Token: SeManageVolumePrivilege	1132	svchost.exe
Token: SeImpersonatePrivilege	1132	svchost.exe
Token: SeCreateGlobalPrivilege	1132	svchost.exe
Token: 33	1132	svchost.exe
Token: 34	1132	svchost.exe
Token: 35	1132	svchost.exe
Token: 36	1132	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

1132 svchost.exe

pid	process
1132	svchost.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.execsc.exe

description	pid	process	target process
PID 624 wrote to memory of 760	624	133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe	csc.exe
PID 624 wrote to memory of 760	624	133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe	csc.exe
PID 624 wrote to memory of 760	624	133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe	csc.exe
PID 760 wrote to memory of 1788	760	csc.exe	cvtres.exe
PID 760 wrote to memory of 1788	760	csc.exe	cvtres.exe
PID 760 wrote to memory of 1788	760	csc.exe	cvtres.exe
PID 624 wrote to memory of 1656	624	133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe	ƴƐơӸƛ.exe
PID 624 wrote to memory of 1656	624	133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe	ƴƐơӸƛ.exe
PID 624 wrote to memory of 1656	624	133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe	ƴƐơӸƛ.exe
PID 624 wrote to memory of 1132	624	133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe	svchost.exe
PID 624 wrote to memory of 1132	624	133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe	svchost.exe
PID 624 wrote to memory of 1132	624	133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe	svchost.exe
PID 624 wrote to memory of 1132	624	133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe	svchost.exe
PID 624 wrote to memory of 1132	624	133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe	svchost.exe
PID 624 wrote to memory of 1132	624	133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe	svchost.exe
PID 624 wrote to memory of 1132	624	133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe	svchost.exe
PID 624 wrote to memory of 1132	624	133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe	svchost.exe
PID 624 wrote to memory of 1132	624	133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe	svchost.exe
PID 624 wrote to memory of 1132	624	133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe	svchost.exe
PID 624 wrote to memory of 1132	624	133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe	svchost.exe
PID 624 wrote to memory of 1132	624	133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe	svchost.exe
PID 624 wrote to memory of 1132	624	133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe	svchost.exe
PID 624 wrote to memory of 1132	624	133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\133b22daeb05a907491ce1c8fbef04b9_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:624

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gtwvkvzl.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A99.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3A98.tmp"
3⤵
PID:1788

C:\Users\Admin\AppData\Local\Temp\ƴƐơӸƛ.exe
"C:\Users\Admin\AppData\Local\Temp\ƴƐơӸƛ.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1656

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1132

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES3A99.tmp
Filesize
1KB

MD5
f945b67328147d12c25845ea161ced14

SHA1
2990d7ee4f3463021fe415648da87a12a8019b80

SHA256
f5e8b37ecb29a81009c5b8ef43d238a50054e6fd629f7d8c2cbe0dd11e711111

SHA512
afaf9682582f7fe86412ccc0a63a07e5323f394769a08336a15fea068681110913451b6d2dba97df6f133f550761d0d06f494411377c44c6aa339c7c452fc4a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
34KB

MD5
e118330b4629b12368d91b9df6488be0

SHA1
ce90218c7e3b90df2a3409ec253048bb6472c2fd

SHA256
3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

SHA512
ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ƴƐơӸƛ.exe
Filesize
4KB

MD5
0d445dec862f16335f356fe9e7b0ffb2

SHA1
b9705ecb09ff5a35937a02f9435918ffda6e2e72

SHA256
e4282c30dfeac24350abe4b1526f440b74460f0e6c79a006dda923b702f0d72a

SHA512
d98c52c4f9aa1d3e4678d80cfa0a9bcdf0f22b969f97a417bc36a0bc9840f0f1bec4b1f453076c0010004de556ba914f94b3ab74ef08623a86a08f07e79c1842

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC3A98.tmp
Filesize
636B

MD5
2730ab17d4096ca3bd422d60329a4dd4

SHA1
5e2b17f0949eff720b65a436ebcab5ee7c9981a6

SHA256
60c5e88c7e70c5261c29c4f6658893c93eebe2c5a0a60b6a7aa8431bd3b55bfa

SHA512
c74a0088cf03f3171b31a13a54d37d35cadc796f5bec6508291b60835c445cfc04cc1f10ca14b059b58b250aeda235bed6a272839c170700cdb505a532a3d451

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gtwvkvzl.0.cs
Filesize
1KB

MD5
f80b11bd919779674e6eafe423e97e60

SHA1
909c86bd235bbae1769517843edb6d963effa3a2

SHA256
9c93657602cf1b1d423c530c66cad6fee05420cb9058fd887d689d4aa38bb6c9

SHA512
c17379d0a5461ba9111bb2367025d993904cf063bd71e93806e672847f5bbe8bfad8953706a358d22f36bad05ec04411445d109d982f1942980953e3819e5c66

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gtwvkvzl.cmdline
Filesize
263B

MD5
548951bdd37d847911db5ae73ba74dd0

SHA1
b8e4773b71982f675c3fe8a81ba66b06cd926f2a

SHA256
c4d9a1e3d8c9022c7749321c08b88e512233cd73ef52f9e1e2354412e509dc80

SHA512
3eedadcaa0842dc11fffe3867c906b6d3f6f58ef0ce503b8bc6a3707be8933f5ac4ffc76d68222fcff4f9b56e7f1160d3e930b1b17066babdd867a356ad07f8f

Download Submit
memory/624-30-0x00000000752C0000-0x0000000075871000-memory.dmp

Filesize
5.7MB

Download
memory/624-1-0x00000000752C0000-0x0000000075871000-memory.dmp

Filesize
5.7MB

Download
memory/624-2-0x00000000752C0000-0x0000000075871000-memory.dmp

Filesize
5.7MB

Download
memory/624-0-0x00000000752C2000-0x00000000752C3000-memory.dmp

Filesize
4KB

Download
memory/760-8-0x00000000752C0000-0x0000000075871000-memory.dmp

Filesize
5.7MB

Download
memory/760-15-0x00000000752C0000-0x0000000075871000-memory.dmp

Filesize
5.7MB

Download
memory/1132-31-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1132-43-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1132-33-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1132-32-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1132-49-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1132-28-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1132-48-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1132-22-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1132-47-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1132-36-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1132-37-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1132-38-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1132-39-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1132-40-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1132-41-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1132-42-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1132-26-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1132-44-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1132-45-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1132-46-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1656-35-0x00000000752C0000-0x0000000075871000-memory.dmp

Filesize
5.7MB

Download
memory/1656-27-0x00000000752C0000-0x0000000075871000-memory.dmp

Filesize
5.7MB

Download
memory/1656-21-0x00000000752C0000-0x0000000075871000-memory.dmp

Filesize
5.7MB

Download