General

  • Target

    ed10850ad8d0971da324de2c30729742_JaffaCakes118

  • Size

    2.1MB

  • Sample

    240411-k4bejsgd34

  • MD5

    ed10850ad8d0971da324de2c30729742

  • SHA1

    bb2f3935b780d1200554d9915da9e87d76edffbe

  • SHA256

    ba91d49ac453d3eb14950819a8cd6ee72aa704a24f1e47d0f8e180a3dfc768e9

  • SHA512

    197ce8f3282cfc640e702841d87f088e4a86a1c95f3bdb78f806eb86d1b72684ebfc1f53b98e8708e71c87b92c8f5b5f969bd84194a3260ea7f95980ef54a8dd

  • SSDEEP

    49152:EiobiV082zrjoFFfQnU26RO0QaXIe7P7uCzrlOrtD57loZQu:ZVX2zraE1yIe+CzrlO557pu

Malware Config

Extracted

Family

darkcomet

Botnet

SeptemBER 2021

C2

bonding79.ddns.net:3316

goodgt79.ddns.net:3316

whatis79.ddns.net:3316

smath79.ddns.net:3316

jacknop79.ddns.net:3316

chrisle79.ddns.net:3316

Mutex

DC_MUTEX-6JQTXC0

Attributes
  • gencode

    cVaduGzs7zFu

  • install

    false

  • offline_keylogger

    true

  • password

    Password20$

  • persistence

    false

Targets

    • Target

      ed10850ad8d0971da324de2c30729742_JaffaCakes118

    • Size

      2.1MB

    • MD5

      ed10850ad8d0971da324de2c30729742

    • SHA1

      bb2f3935b780d1200554d9915da9e87d76edffbe

    • SHA256

      ba91d49ac453d3eb14950819a8cd6ee72aa704a24f1e47d0f8e180a3dfc768e9

    • SHA512

      197ce8f3282cfc640e702841d87f088e4a86a1c95f3bdb78f806eb86d1b72684ebfc1f53b98e8708e71c87b92c8f5b5f969bd84194a3260ea7f95980ef54a8dd

    • SSDEEP

      49152:EiobiV082zrjoFFfQnU26RO0QaXIe7P7uCzrlOrtD57loZQu:ZVX2zraE1yIe+CzrlO557pu

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Execution

Scripting

1
T1064

Persistence

Boot or Logon Autostart Execution

1
T1547

Winlogon Helper DLL

1
T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Winlogon Helper DLL

1
T1547.004

Defense Evasion

Modify Registry

1
T1112

Virtualization/Sandbox Evasion

2
T1497

Scripting

1
T1064

Discovery

Query Registry

3
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

1
T1082

Tasks