Overview

overview

10

Static

static

7

2a0f1cd7d4...18.exe

windows7-x64

10

2a0f1cd7d4...18.exe

windows10-2004-x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2a0f1cd7d475462583b4a1d8615f89c4_JaffaCakes118

  • Size

    1.1MB

  • Sample

    240707-2s8dkszfrr

  • MD5

    2a0f1cd7d475462583b4a1d8615f89c4

  • SHA1

    a77491f04b0e4bf75a164977fbe93df6acbf641c

  • SHA256

    37f59493e7a2f4c0b348ea467f852ac96a397d3ef433957e4b7e65a817acce58

  • SHA512

    587ff0f54b16bc9f15de2bd7acd5750ad1fba0bc09020364dbdbd2238c4938c81f4e5cdbeaf1541f51e8f288f03941657d3b845709cabc912cce6f51bdace88a

  • SSDEEP

    24576:MzbV9S6gHsJ6ej/k4fh+Hi4dQGXF/UawJlhmpY+V+EUSSzM:GV9S9He6gk4fh+CQ8awJlhmpY+UEUz

Score
10/10
darkcometguest16evasionpersistenceratthemidatrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

m20sh9.no-ip.org:1515

Mutex

DC_MUTEX-6CS0QG0

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    ZnjlgA8vjJDX

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Targets

    • Target

      2a0f1cd7d475462583b4a1d8615f89c4_JaffaCakes118

    • Size

      1.1MB

    • MD5

      2a0f1cd7d475462583b4a1d8615f89c4

    • SHA1

      a77491f04b0e4bf75a164977fbe93df6acbf641c

    • SHA256

      37f59493e7a2f4c0b348ea467f852ac96a397d3ef433957e4b7e65a817acce58

    • SHA512

      587ff0f54b16bc9f15de2bd7acd5750ad1fba0bc09020364dbdbd2238c4938c81f4e5cdbeaf1541f51e8f288f03941657d3b845709cabc912cce6f51bdace88a

    • SSDEEP

      24576:MzbV9S6gHsJ6ej/k4fh+Hi4dQGXF/UawJlhmpY+V+EUSSzM:GV9S9He6gk4fh+CQ8awJlhmpY+UEUz

    Score
    10/10
    darkcometguest16evasionpersistenceratthemidatrojan

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Modifies WinLogon for persistence

      persistence

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Adds Run key to start application

      persistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Defense Evasion

Modify Registry

2
T1112

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Discovery

Query Registry

1
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks