General

Target: 5e733be34154c08bf006204767e97534_JaffaCakes118
Size: 395KB
Sample: 240520-lx49qaec65
MD5: 5e733be34154c08bf006204767e97534
SHA1: 8c5cced4455c0fd909f13186e38f092208f8198a
SHA256: 745c2ebd15d66fa5f5a900c03d8f0c6d8bbc9f6e2b6d9ccfeed52cc7fd25bc42
SHA512: bcc84ab164c0559656e85f538744385dd0e9b51b42fb9dfd7a2d4453ca730dd76ccfcb5c6f2464329cfe4365db87744e4812fa386d7c615b4d6306e1dbf8bcc8
SSDEEP: 12288:YfBxIL50o4cxbBSZKeTS2//k0ksW1GaCfaumuwze:YZxE50oVLSPu6k7sWU5R
Behavioral tasks

behavioral1: sample dark.exe, resource win7-20240221-en
behavioral2: sample dark.exe, resource win10v2004-20240426-en
behavioral3: sample server.exe, resource win7-20240508-en
behavioral4: sample server.exe, resource win10v2004-20240426-en
behavioral5: sample sss.exe, resource win7-20231129-en
behavioral6: sample sss.exe, resource win10v2004-20240508-en
Malware Config

Extracted family: darkcomet
Botnet: tek
C2: gecce.no-ip.biz:3461
Mutex: DC_MUTEX-M0JG7NY
InstallPath: MSDCSC\msdcsc.exe
gencode: Q7wXAkJLgEkp
install: true
offline_keylogger: true
persistence: false
reg_key: MicroUpdate
Targets

Target: dark.exe
Size: 658KB
MD5: 230751a9ef1cdccc11aa40a70a259f22
SHA1: 84f530c5b6313e9bad82c7d1d0826a3948658149
SHA256: bc1ad6c5ba21d4007f5b06b13bd9f1647188fc4605dea8e13a039ce5ec5f7eb2
SHA512: 31ce9157cdfb89e7f28303c9bcb4c5a10fa1c0a150119d7abfe016858031dc4e9987175139f5768846eeb03cdb93afb8fd46f816f2a286c35eb2d6ac1cba6269
SSDEEP: 12288:y9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hU:eZ1xuVVjfFoynPaVBUR8f+kN10EBm
Score: 10/10
Signatures:
- Modifies WinLogon for persistence
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application

Target: server.exe
Size: 28KB
MD5: f858e5c8d1665a8c12c0fa7f775c7fe7
SHA1: 321d5579b2a651937ffae6f16414d6d08cb0c1b1
SHA256: 4345d7553ceda66d33cdbcefa3bd2d30eec8a60c8529aaa522000c695be804cf
SHA512: 270ab51ce3f112545d69c349f97bd274ea91c741601e8fa2f9e3572000a16eb5b8cf29b6e2bd1783968f2a9d22dbfa345e5637f6055a25afdf2d129e2ab11195
SSDEEP: 384:UmOyMLjKMPH1Dxw7ZA8l9ZoA7k+w9G5hmssR0IkR46nzojn8mgRRtssIeo/r5J1w:hUjKVjl9xw3x6nz7vj1wr49
Score: 1/10

Target: sss.exe
Size: 108KB
MD5: c966db1f910185819f5ddec4eb437e4f
SHA1: b59d46d6f84b5062f15d9a5b518d68a9e77b4e66
SHA256: 4ffe19677b72eb2d3ecbc9ee9ade77413b48cc6189776a704b9e114fb05c8860
SHA512: 0a6ece3f6a4513597fbac5405da61f775e60741ce24c56223f8a79c2d653850546fc5efb9d65a217cfa33cab1f6ff52e56f7ef51212c0713797edcceb99dd89c
SSDEEP: 3072:hoy8j7VnNdrPHaSekwi+mW+2fnp/Viout:x8jZ7rvaU3+mWrPp/VioS
Score: 10/10
Signatures:
- ModiLoader, DBatLoader: ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 1

Privilege Escalation
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 1