General

  • Target

    bb32e1af9a4bfa8e3cf473ad54354eb9_JaffaCakes118

  • Size

    702KB

  • Sample

    240618-hq2y8swcnr

  • MD5

    bb32e1af9a4bfa8e3cf473ad54354eb9

  • SHA1

    55428fad1677ddd437fcb798baac234c99de7b59

  • SHA256

    44beca4107263dd406893a7c9f46e716bcfd121c41c15130a868f2345d5143f2

  • SHA512

    7750bcad505a96382e9c7652faac3f2d27cf38242aedcfb89bb3989eea4d0a68dffc3b4c326123360572bb6b1751a2c03dbadf76951148e8348a6cfcd84a4c0c

  • SSDEEP

    12288:ffFcGAT79cO2ZKpKHNMF4cDzJRlK2o58u1ij3Z2yn/fj:npYoZKEMFvDzJqhOuQ5/

Malware Config

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Drops file in Drivers directory

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Boot or Logon Autostart Execution (T1547): 2
    • Registry Run Keys / Startup Folder (T1547.001): 1
    • Winlogon Helper DLL (T1547.004): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 2
    • Registry Run Keys / Startup Folder (T1547.001): 1
    • Winlogon Helper DLL (T1547.004): 1

Defense Evasion

  • Modify Registry (T1112): 2
  • Hide Artifacts (T1564): 2
    • Hidden Files and Directories (T1564.001): 2

Discovery

  • Query Registry (T1012): 1
  • System Information Discovery (T1082): 2

Tasks