General

  • Target: e87062f7c9f0b92009872542004ead46_JaffaCakes118
  • Size: 785KB
  • Sample: 240408-z64anscb88
  • MD5: e87062f7c9f0b92009872542004ead46
  • SHA1: f3b5953b9ff340ad1760e7db7cb2f258abd28ec2
  • SHA256: 1302269ff3ed8121d83f80ac345f9e5e647b055b015e0dfc20277d0fa24c25e6
  • SHA512: 36c9f389c352d701645980e9d78e0f1ceb579bff1b9993ee906de15e003112b4ee94681ac8db256627ea5a01104e4dc9ea356912c37084f796bc07e1277cdf61
  • SSDEEP: 12288:z9KHIPV55+Ndq+tnj8KyEpQdGMXJMIHdfJzW3Ie0HqJyVejgfMAVd74LeFYV1:NPV5ANdzvuHdfZW4J+apf7RWeFY3

Malware Config

Extracted

  • Family: darkcomet
  • Botnet: Guest16
  • C2: remoterat11.no-ip.biz:1604
  • Mutex: DC_MUTEX-F54S21D

Attributes

  • gencode: 9xPue2Ae0bpq
  • install: false
  • offline_keylogger: true
  • persistence: false

Targets

  • Target: e87062f7c9f0b92009872542004ead46_JaffaCakes118

  • Darkcomet: DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  • Uses the VBS compiler for execution
  • Adds Run key to start application
  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic               | Technique                          | Count | ID
  ---------------------|------------------------------------|-------|----------
  Execution            | Scripting                          | 1     | T1064
  Persistence          | Boot or Logon Autostart Execution  | 1     | T1547
  Persistence          | Registry Run Keys / Startup Folder | 1     | T1547.001
  Privilege Escalation | Boot or Logon Autostart Execution  | 1     | T1547
  Privilege Escalation | Registry Run Keys / Startup Folder | 1     | T1547.001
  Defense Evasion      | Scripting                          | 1     | T1064
  Defense Evasion      | Modify Registry                    | 1     | T1112

Tasks