Overview

overview

10

Static

static

10

fe59b3e207...18.exe

windows7-x64

10

fe59b3e207...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    fe59b3e207af9fe2969ce96f79358761_JaffaCakes118

  • Size

    760KB

  • Sample

    240421-eammtsab64

  • MD5

    fe59b3e207af9fe2969ce96f79358761

  • SHA1

    dfa507906ddbd3497cf2584b79f4b7672303e710

  • SHA256

    57281d396b9308707868699a7fb3d32eacc664bb0fbc88767d9addbb4053398b

  • SHA512

    f7f3fed145adbebd502e46e75db040ee878b334019c5594ef135707b2b9a8b6fb252fe2a6d9856456a1285e740b56d5eaf7b2d5888f4a3a4a9525f6e30e8d27f

  • SSDEEP

    12288:i3OpvNW4a76S/Ddon/m09bbYlIaaMcE2YGhq3vo1RnfAvIESJgoE26yc/RU:MOA4aWNn/m09fKIaaBEtWq3A1Ov8JgbK

Score
10/10
darkcometguest16persistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

41.68.138.235:1604

Mutex

DC_MUTEX-JZ6FMXB

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    r6i0G5J0NCmb

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      fe59b3e207af9fe2969ce96f79358761_JaffaCakes118

    • Size

      760KB

    • MD5

      fe59b3e207af9fe2969ce96f79358761

    • SHA1

      dfa507906ddbd3497cf2584b79f4b7672303e710

    • SHA256

      57281d396b9308707868699a7fb3d32eacc664bb0fbc88767d9addbb4053398b

    • SHA512

      f7f3fed145adbebd502e46e75db040ee878b334019c5594ef135707b2b9a8b6fb252fe2a6d9856456a1285e740b56d5eaf7b2d5888f4a3a4a9525f6e30e8d27f

    • SSDEEP

      12288:i3OpvNW4a76S/Ddon/m09bbYlIaaMcE2YGhq3vo1RnfAvIESJgoE26yc/RU:MOA4aWNn/m09fKIaaBEtWq3A1Ov8JgbK

    Score
    10/10
    darkcometguest16persistencerattrojan

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Modifies WinLogon for persistence

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks