Overview

overview

10

Static

static

3

29e8318559...18.exe

windows7-x64

10

29e8318559...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    29e83185591ddaca9c4a69f03d658177_JaffaCakes118

  • Size

    1.6MB

  • Sample

    240707-l3h9faygql

  • MD5

    29e83185591ddaca9c4a69f03d658177

  • SHA1

    c1618cc383486637a318adaaa12c9760eb7e14b1

  • SHA256

    fb7f5f1814dbf4782ec77c8ecf5b135c7b65a3a96c74851a6aa9392a3cd6bedc

  • SHA512

    7178fabfa97b18914056a48d3e74c98aabdb580830e639ecf7033c99118bbdec7ad687e4bc02c28ea7218ba2d2c0adce29534134ce03368218c1d005f0662362

  • SSDEEP

    24576:voaLBLoMBWjDWARABr9Zkyv4mkvEUYtQS6Os5ueI9AUgFO4xibgi8/81UWow8QAU:voavUOOM8EUYtZ6OYI9DaiQJWoQx

Score
10/10
darkcometguest16evasionpersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

cheeseman64.no-ip.org:1604

Mutex

DC_MUTEX-M2LA0SQ

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    CtVmu4KfgZq1

  • install

    true

  • offline_keylogger

    true

  • password

    soccer98

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      29e83185591ddaca9c4a69f03d658177_JaffaCakes118

    • Size

      1.6MB

    • MD5

      29e83185591ddaca9c4a69f03d658177

    • SHA1

      c1618cc383486637a318adaaa12c9760eb7e14b1

    • SHA256

      fb7f5f1814dbf4782ec77c8ecf5b135c7b65a3a96c74851a6aa9392a3cd6bedc

    • SHA512

      7178fabfa97b18914056a48d3e74c98aabdb580830e639ecf7033c99118bbdec7ad687e4bc02c28ea7218ba2d2c0adce29534134ce03368218c1d005f0662362

    • SSDEEP

      24576:voaLBLoMBWjDWARABr9Zkyv4mkvEUYtQS6Os5ueI9AUgFO4xibgi8/81UWow8QAU:voavUOOM8EUYtZ6OYI9DaiQJWoQx

    Score
    10/10
    darkcometguest16evasionpersistencerattrojan

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Modifies WinLogon for persistence

      persistence

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1
T1064

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Defense Evasion

Modify Registry

2
T1112

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Scripting

1
T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks