General

  • Target

    137216fa1bf334b302a597654ea4c2e8_JaffaCakes118

  • Size

    660KB

  • Sample

    240626-zv9cjstdpb

  • MD5

    137216fa1bf334b302a597654ea4c2e8

  • SHA1

    bb863423c36a1f3139c3dede5c7624db15982c17

  • SHA256

    2d1454d5a268e0fa16368a335629f48a9f9bac0d1c8c064b5a1a9c67e36a1712

  • SHA512

    7152c4304280ad47f9990aadd078a91850fe636fbb8fcf8b5515c80d644e8fa7a2d70bbf72528cdf1a70c1ac6a411f6ddadb1f4e100ce249dd7bd101754c1229

  • SSDEEP

    12288:8XhpvNWw276S/DuoeFcfbmiJ99VPhYR5MTSHvLenELrWv1lZw4JuMkMh/fy452UG:qnAw2WWeFcfbP9VPSPMTSPL/rWvzq4JW

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    Guest16_min

  • C2

    127.0.0.1:1604

  • Mutex

    DCMIN_MUTEX-V4V1XNK

Attributes
  • InstallPath

    DCSCMIN\IMDCSC.exe

  • gencode

    Ajy9BXUY5vWS

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    DarkComet RAT

Targets

    • Target

      137216fa1bf334b302a597654ea4c2e8_JaffaCakes118

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Boot or Logon Autostart Execution (T1547): 2

  • Registry Run Keys / Startup Folder (T1547.001): 1

  • Winlogon Helper DLL (T1547.004): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 2

  • Registry Run Keys / Startup Folder (T1547.001): 1

  • Winlogon Helper DLL (T1547.004): 1

Defense Evasion

  • Modify Registry (T1112): 2

Discovery

  • Query Registry (T1012): 1

  • System Information Discovery (T1082): 2

Tasks