General

  • Target

    12288800a2c8aefa00993b501e908233_JaffaCakes118

  • Size

    1.2MB

  • Sample

    240626-qw5ajsxapa

  • MD5

    12288800a2c8aefa00993b501e908233

  • SHA1

    0b4b185fae527c58ebbf930208b610b5f071413e

  • SHA256

    d7b457ba147580d23442b45138694102762734ea5facc4b014e1be29e3f27c2f

  • SHA512

    edebce73eb832f1c10c88debecb3e2077028cfbcc404df85fc0f86510fbaa1091f9e9c1baa41a048573a1b288ac76b126889fbd1f9723b7ec67c5138d9d713ce

  • SSDEEP

    24576:zyIC5kDDLPKVI69HIGV+ybSvQsO6CK6pNmMp:zyZ5SLS3IiBSoMCKKNb

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    defeult

  • C2

    someonei.zapto.org:1604

  • Mutex

    DC_MUTEX-84ZPHN0

Attributes
  • InstallPath

    MSDCSC\crss.exe

  • gencode

    jdDHAcgEiQiK

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    crss

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Drops file in Drivers directory

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks