General

  • Target

    bead91caaf845e14a7001231698f1144beb8cb8c157a794d74fc1c160d2a3c4d

  • Size

    756KB

  • Sample

    220725-ajc3jaefh4

  • MD5

    e9c92662c7d369291871125329171a44

  • SHA1

    c801b48c299553f9b69bf8c9787fc8f2e8f7d777

  • SHA256

    bead91caaf845e14a7001231698f1144beb8cb8c157a794d74fc1c160d2a3c4d

  • SHA512

    1ffc4ccd4078d316fdaf92c6a69d81f697eb710906484b123ebb0ee53c00a4525d612d50cab96f2ba1793582f7ffab7b9b2e0a99f106f5ca8e482d84380ec37f

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

clxwer.ddns.net:1604

Mutex

DC_MUTEX-4H8YQZ6

Attributes
  • InstallPath

    MSDCSC\Java

  • gencode

    w8l5MY1E88kN

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    svchost

Targets

    • Target

      bead91caaf845e14a7001231698f1144beb8cb8c157a794d74fc1c160d2a3c4d

    • Size

      756KB

    • MD5

      e9c92662c7d369291871125329171a44

    • SHA1

      c801b48c299553f9b69bf8c9787fc8f2e8f7d777

    • SHA256

      bead91caaf845e14a7001231698f1144beb8cb8c157a794d74fc1c160d2a3c4d

    • SHA512

      1ffc4ccd4078d316fdaf92c6a69d81f697eb710906484b123ebb0ee53c00a4525d612d50cab96f2ba1793582f7ffab7b9b2e0a99f106f5ca8e482d84380ec37f

    Score
    10/10
    • Modifies WinLogon for persistence

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Winlogon Helper DLL

1
T1004

Hidden Files and Directories

2
T1158

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

2
T1112

Hidden Files and Directories

2
T1158

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks