General

  • Target

    fae3720e64245eba913ba5d5de5a637c_JaffaCakes118

  • Size

    412KB

  • Sample

    240419-wwm9xsbf88

  • MD5

    fae3720e64245eba913ba5d5de5a637c

  • SHA1

    bc7f68a84e695085a1311ceaf8db9241a6da2345

  • SHA256

    43b5a19582bf1ecb7d5a97998f4d4fe68854f5800bc9373544d67aa54eaa62ea

  • SHA512

    5212fbdbefb90fcfce0679f7220fe0f70c1f9049d3c9ad6dab7d86e7bb2c52283ef135d772bb3b7cc9d7d96e53ae88a02b0a312432998ae56234552bca845eaf

  • SSDEEP

    12288:4hqgXz7Kb0oNAIDKth/iJ+2qtBuCXx9ar:457+b8JuVqX10

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    Guest16_min

  • C2

    tazukibounce.no-ip.info:9678

  • Mutex

    DCMIN_MUTEX-PW6CDLH

Attributes

  • InstallPath

    DCSCMIN\IMDCSC.exe

  • gencode

    4a1nDTvXMDlZ

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    server

Targets

    • Target

      fae3720e64245eba913ba5d5de5a637c_JaffaCakes118

    • Size

      412KB

    • MD5

      fae3720e64245eba913ba5d5de5a637c

    • SHA1

      bc7f68a84e695085a1311ceaf8db9241a6da2345

    • SHA256

      43b5a19582bf1ecb7d5a97998f4d4fe68854f5800bc9373544d67aa54eaa62ea

    • SHA512

      5212fbdbefb90fcfce0679f7220fe0f70c1f9049d3c9ad6dab7d86e7bb2c52283ef135d772bb3b7cc9d7d96e53ae88a02b0a312432998ae56234552bca845eaf

    • SSDEEP

      12288:4hqgXz7Kb0oNAIDKth/iJ+2qtBuCXx9ar:457+b8JuVqX10

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Boot or Logon Autostart Execution (T1547): 2

  • Registry Run Keys / Startup Folder (T1547.001): 1

  • Winlogon Helper DLL (T1547.004): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 2

  • Registry Run Keys / Startup Folder (T1547.001): 1

  • Winlogon Helper DLL (T1547.004): 1

Defense Evasion

  • Modify Registry (T1112): 2

Discovery

  • System Information Discovery (T1082): 1

Tasks