General

  • Target

    5e733be34154c08bf006204767e97534_JaffaCakes118

  • Size

    395KB

  • Sample

    240520-lx49qaec65

  • MD5

    5e733be34154c08bf006204767e97534

  • SHA1

    8c5cced4455c0fd909f13186e38f092208f8198a

  • SHA256

    745c2ebd15d66fa5f5a900c03d8f0c6d8bbc9f6e2b6d9ccfeed52cc7fd25bc42

  • SHA512

    bcc84ab164c0559656e85f538744385dd0e9b51b42fb9dfd7a2d4453ca730dd76ccfcb5c6f2464329cfe4365db87744e4812fa386d7c615b4d6306e1dbf8bcc8

  • SSDEEP

    12288:YfBxIL50o4cxbBSZKeTS2//k0ksW1GaCfaumuwze:YZxE50oVLSPu6k7sWU5R

Malware Config

Extracted

Family

darkcomet

Botnet

tek

C2

gecce.no-ip.biz:3461

Mutex

DC_MUTEX-M0JG7NY

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    Q7wXAkJLgEkp

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Targets

    • Target

      dark.exe

    • Size

      658KB

    • MD5

      230751a9ef1cdccc11aa40a70a259f22

    • SHA1

      84f530c5b6313e9bad82c7d1d0826a3948658149

    • SHA256

      bc1ad6c5ba21d4007f5b06b13bd9f1647188fc4605dea8e13a039ce5ec5f7eb2

    • SHA512

      31ce9157cdfb89e7f28303c9bcb4c5a10fa1c0a150119d7abfe016858031dc4e9987175139f5768846eeb03cdb93afb8fd46f816f2a286c35eb2d6ac1cba6269

    • SSDEEP

      12288:y9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hU:eZ1xuVVjfFoynPaVBUR8f+kN10EBm

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      server.exe

    • Size

      28KB

    • MD5

      f858e5c8d1665a8c12c0fa7f775c7fe7

    • SHA1

      321d5579b2a651937ffae6f16414d6d08cb0c1b1

    • SHA256

      4345d7553ceda66d33cdbcefa3bd2d30eec8a60c8529aaa522000c695be804cf

    • SHA512

      270ab51ce3f112545d69c349f97bd274ea91c741601e8fa2f9e3572000a16eb5b8cf29b6e2bd1783968f2a9d22dbfa345e5637f6055a25afdf2d129e2ab11195

    • SSDEEP

      384:UmOyMLjKMPH1Dxw7ZA8l9ZoA7k+w9G5hmssR0IkR46nzojn8mgRRtssIeo/r5J1w:hUjKVjl9xw3x6nz7vj1wr49

    • Score

      1/10
    • Target

      sss.exe

    • Size

      108KB

    • MD5

      c966db1f910185819f5ddec4eb437e4f

    • SHA1

      b59d46d6f84b5062f15d9a5b518d68a9e77b4e66

    • SHA256

      4ffe19677b72eb2d3ecbc9ee9ade77413b48cc6189776a704b9e114fb05c8860

    • SHA512

      0a6ece3f6a4513597fbac5405da61f775e60741ce24c56223f8a79c2d653850546fc5efb9d65a217cfa33cab1f6ff52e56f7ef51212c0713797edcceb99dd89c

    • SSDEEP

      3072:hoy8j7VnNdrPHaSekwi+mW+2fnp/Viout:x8jZ7rvaU3+mWrPp/VioS

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • UAC bypass

    • ModiLoader Second Stage

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Checks whether UAC is enabled

MITRE ATT&CK Matrix ATT&CK v13

Persistence
  • T1547 Boot or Logon Autostart Execution: 3
    • T1547.001 Registry Run Keys / Startup Folder: 2
    • T1547.004 Winlogon Helper DLL: 1

Privilege Escalation
  • T1547 Boot or Logon Autostart Execution: 3
    • T1547.001 Registry Run Keys / Startup Folder: 2
    • T1547.004 Winlogon Helper DLL: 1
  • T1548 Abuse Elevation Control Mechanism: 1
    • T1548.002 Bypass User Account Control: 1

Defense Evasion
  • T1112 Modify Registry: 5
  • T1548 Abuse Elevation Control Mechanism: 1
    • T1548.002 Bypass User Account Control: 1
  • T1562 Impair Defenses: 1
    • T1562.001 Disable or Modify Tools: 1

Discovery
  • T1012 Query Registry: 2
  • T1082 System Information Discovery: 5

Tasks