darkcomet | 57ea44e7ea896880c5b5326a00cf6527c77ad7c6380439163e11212613127d93

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
02-07-2024 11:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f18839709ec59ce1b42254d69810bdc_JaffaCakes118.exe
Size

1.0MB
MD5

1f18839709ec59ce1b42254d69810bdc
SHA1

b4c4dd3003469a6f30a749cdadbca651684e95aa
SHA256

57ea44e7ea896880c5b5326a00cf6527c77ad7c6380439163e11212613127d93
SHA512

2ddf8a10c0aee436f0141139285f1c837b08ebae6d9022791680c0e528eaedaed1946335e37fb3418c9b37e8ba8ea8f46484e292989eba5fbc795eb4a732db84
SSDEEP

24576:GiysXgXVrDbWEQeboNgj2ERfspk7MheYmv2LYmv2:VjXgXVHbFvkDo0pk7M+vev

Score

10^/10

darkcomet latentbot persistence rat trojan

Malware Config

Extracted

Family

latentbot

slavezbyjay.zapto.org

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

1f18839709ec59ce1b42254d69810bdc_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation 1f18839709ec59ce1b42254d69810bdc_JaffaCakes118.exe
Executes dropped EXE 2 IoCs

Processes:

ǢƐǢǍƴ.exesvchost.exe

pid process

3688 ǢƐǢǍƴ.exe
4660 svchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	1f18839709ec59ce1b42254d69810bdc_JaffaCakes118.exe

pid	process
3688	ǢƐǢǍƴ.exe
4660	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ǢƐǢǍƴ.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Essentials = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MsMpEng.exe"	ǢƐǢǍƴ.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1f18839709ec59ce1b42254d69810bdc_JaffaCakes118.exe

description pid process target process

PID 1524 set thread context of 4660 1524 1f18839709ec59ce1b42254d69810bdc_JaffaCakes118.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 1524 set thread context of 4660	1524	1f18839709ec59ce1b42254d69810bdc_JaffaCakes118.exe	svchost.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

1f18839709ec59ce1b42254d69810bdc_JaffaCakes118.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1524	1f18839709ec59ce1b42254d69810bdc_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	4660	svchost.exe
Token: SeSecurityPrivilege	4660	svchost.exe
Token: SeTakeOwnershipPrivilege	4660	svchost.exe
Token: SeLoadDriverPrivilege	4660	svchost.exe
Token: SeSystemProfilePrivilege	4660	svchost.exe
Token: SeSystemtimePrivilege	4660	svchost.exe
Token: SeProfSingleProcessPrivilege	4660	svchost.exe
Token: SeIncBasePriorityPrivilege	4660	svchost.exe
Token: SeCreatePagefilePrivilege	4660	svchost.exe
Token: SeBackupPrivilege	4660	svchost.exe
Token: SeRestorePrivilege	4660	svchost.exe
Token: SeShutdownPrivilege	4660	svchost.exe
Token: SeDebugPrivilege	4660	svchost.exe
Token: SeSystemEnvironmentPrivilege	4660	svchost.exe
Token: SeChangeNotifyPrivilege	4660	svchost.exe
Token: SeRemoteShutdownPrivilege	4660	svchost.exe
Token: SeUndockPrivilege	4660	svchost.exe
Token: SeManageVolumePrivilege	4660	svchost.exe
Token: SeImpersonatePrivilege	4660	svchost.exe
Token: SeCreateGlobalPrivilege	4660	svchost.exe
Token: 33	4660	svchost.exe
Token: 34	4660	svchost.exe
Token: 35	4660	svchost.exe
Token: 36	4660	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

4660 svchost.exe

pid	process
4660	svchost.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

1f18839709ec59ce1b42254d69810bdc_JaffaCakes118.execsc.exe

description	pid	process	target process
PID 1524 wrote to memory of 1448	1524	1f18839709ec59ce1b42254d69810bdc_JaffaCakes118.exe	csc.exe
PID 1524 wrote to memory of 1448	1524	1f18839709ec59ce1b42254d69810bdc_JaffaCakes118.exe	csc.exe
PID 1524 wrote to memory of 1448	1524	1f18839709ec59ce1b42254d69810bdc_JaffaCakes118.exe	csc.exe
PID 1448 wrote to memory of 4844	1448	csc.exe	cvtres.exe
PID 1448 wrote to memory of 4844	1448	csc.exe	cvtres.exe
PID 1448 wrote to memory of 4844	1448	csc.exe	cvtres.exe
PID 1524 wrote to memory of 3688	1524	1f18839709ec59ce1b42254d69810bdc_JaffaCakes118.exe	ǢƐǢǍƴ.exe
PID 1524 wrote to memory of 3688	1524	1f18839709ec59ce1b42254d69810bdc_JaffaCakes118.exe	ǢƐǢǍƴ.exe
PID 1524 wrote to memory of 3688	1524	1f18839709ec59ce1b42254d69810bdc_JaffaCakes118.exe	ǢƐǢǍƴ.exe
PID 1524 wrote to memory of 4660	1524	1f18839709ec59ce1b42254d69810bdc_JaffaCakes118.exe	svchost.exe
PID 1524 wrote to memory of 4660	1524	1f18839709ec59ce1b42254d69810bdc_JaffaCakes118.exe	svchost.exe
PID 1524 wrote to memory of 4660	1524	1f18839709ec59ce1b42254d69810bdc_JaffaCakes118.exe	svchost.exe
PID 1524 wrote to memory of 4660	1524	1f18839709ec59ce1b42254d69810bdc_JaffaCakes118.exe	svchost.exe
PID 1524 wrote to memory of 4660	1524	1f18839709ec59ce1b42254d69810bdc_JaffaCakes118.exe	svchost.exe
PID 1524 wrote to memory of 4660	1524	1f18839709ec59ce1b42254d69810bdc_JaffaCakes118.exe	svchost.exe
PID 1524 wrote to memory of 4660	1524	1f18839709ec59ce1b42254d69810bdc_JaffaCakes118.exe	svchost.exe
PID 1524 wrote to memory of 4660	1524	1f18839709ec59ce1b42254d69810bdc_JaffaCakes118.exe	svchost.exe
PID 1524 wrote to memory of 4660	1524	1f18839709ec59ce1b42254d69810bdc_JaffaCakes118.exe	svchost.exe
PID 1524 wrote to memory of 4660	1524	1f18839709ec59ce1b42254d69810bdc_JaffaCakes118.exe	svchost.exe
PID 1524 wrote to memory of 4660	1524	1f18839709ec59ce1b42254d69810bdc_JaffaCakes118.exe	svchost.exe
PID 1524 wrote to memory of 4660	1524	1f18839709ec59ce1b42254d69810bdc_JaffaCakes118.exe	svchost.exe
PID 1524 wrote to memory of 4660	1524	1f18839709ec59ce1b42254d69810bdc_JaffaCakes118.exe	svchost.exe
PID 1524 wrote to memory of 4660	1524	1f18839709ec59ce1b42254d69810bdc_JaffaCakes118.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\1f18839709ec59ce1b42254d69810bdc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1f18839709ec59ce1b42254d69810bdc_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\usdo7qnn.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4353.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4352.tmp"
3⤵
PID:4844

C:\Users\Admin\AppData\Local\Temp\ǢƐǢǍƴ.exe
"C:\Users\Admin\AppData\Local\Temp\ǢƐǢǍƴ.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3688

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4660

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4353.tmp
Filesize
1KB

MD5
928c160fb48cb77353a62cb64bd7bb42

SHA1
63df8d4bd0a5a19b2e9224d60bb459066b1fea79

SHA256
c1cf5f6de7948473f9e5f111ed54410ddaac70e54727f38b94a931646adc8828

SHA512
2aa6fa38771511cef6acf44c36f2acd66474fda6c262ce8dbdfb7b39cd84e3b1e4870ae19d2f88ace6373463554d8a86b401abb8efb3d702f1f5b1bbeb1a9205

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
34KB

MD5
e118330b4629b12368d91b9df6488be0

SHA1
ce90218c7e3b90df2a3409ec253048bb6472c2fd

SHA256
3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

SHA512
ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ǢƐǢǍƴ.exe
Filesize
4KB

MD5
90a10d96cb223d406f3eddae750d41ca

SHA1
89fe3f8fde4c60be4dc12cc28556906d7fb695ec

SHA256
3952836b6255b5445a8f110d76bb242ad30480c2ee7e70b3501c00985b79e2f3

SHA512
931914319bef79bd540a565d82b82a541d328a85468cfdbb20a1d493f86cd20e56e824555719d605212a6cad7a23b90fccdb5cd03c21946e988d7a19b039034f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC4352.tmp
Filesize
636B

MD5
1ed09b8d8947d389be1439030754d340

SHA1
2b7836da28b9148262c55ec9f57eae5776bf48e6

SHA256
69e73c7d2b18decef75a50cdd4a2727494113429a812165fb45593df92056254

SHA512
61ab17f3661f6e222bc81139b55c9a9cf8f2a9802c188a6c2b6e7b7ac6625b732008082ffcc317881584b69b43d87fb02db7108944bc3ce9b0c2f3b083013312

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\usdo7qnn.0.cs
Filesize
1KB

MD5
e1c06cbe9e8d137d0a90f16bef0d6fef

SHA1
fbf77e7a3c6c69967e3378ff31544e0af0b8b9af

SHA256
6c10b5abbab4f514b740a3345d64fea27a78e63a9e33eac4e6658bf3cdbf24ec

SHA512
51c39e2525d82ec3376f1edc282f28600aedb601d68bd680d8a20524e6452259ae01777085f8a7701afef33ac69e23a70e15ee96169dcc80675974f3fbe07eb5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\usdo7qnn.cmdline
Filesize
263B

MD5
209e6ef40587d8488caefa15f1372c9f

SHA1
e701f6766d9cf207ea07a3e1012357cf986632e2

SHA256
54bddeb03e684c456656a4f7f45ff23304d4b9faa4d47538d247652cf5a1de5d

SHA512
1016fcec7ef905bc9644e998fea8e5af917d27502a7f3264aa961313b8590ae723cf11539e5d1b28078e879dc3e35090e66b99b5ee974eaefef40eaf18cfbf6c

Download Submit
memory/1448-15-0x0000000075070000-0x0000000075621000-memory.dmp

Filesize
5.7MB

Download
memory/1448-10-0x0000000075070000-0x0000000075621000-memory.dmp

Filesize
5.7MB

Download
memory/1524-38-0x0000000075070000-0x0000000075621000-memory.dmp

Filesize
5.7MB

Download
memory/1524-1-0x0000000075070000-0x0000000075621000-memory.dmp

Filesize
5.7MB

Download
memory/1524-2-0x0000000075070000-0x0000000075621000-memory.dmp

Filesize
5.7MB

Download
memory/1524-0-0x0000000075072000-0x0000000075073000-memory.dmp

Filesize
4KB

Download
memory/3688-21-0x0000000075070000-0x0000000075621000-memory.dmp

Filesize
5.7MB

Download
memory/3688-31-0x0000000075070000-0x0000000075621000-memory.dmp

Filesize
5.7MB

Download
memory/3688-35-0x0000000075070000-0x0000000075621000-memory.dmp

Filesize
5.7MB

Download
memory/4660-23-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4660-43-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4660-29-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4660-32-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4660-36-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4660-33-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4660-34-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4660-39-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4660-40-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4660-41-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4660-42-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4660-27-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4660-44-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4660-45-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4660-46-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4660-47-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4660-48-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4660-49-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4660-50-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4660-51-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4660-52-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download