General

  • Target

    4b98a6012a34d58c6a841826f7c6770d_JaffaCakes118

  • Size

    386KB

  • Sample

    240715-1ywrastgmf

  • MD5

    4b98a6012a34d58c6a841826f7c6770d

  • SHA1

    842fc6e8eabd18af0ff5e199def9e07d163a152b

  • SHA256

    5724fae723388dc60a22003ea1a3fc1701546b45a2492784680970edb3a7ab23

  • SHA512

    2c34da5fca6a2ddc58858bbeeeb2ad1740519bbfae8c414fbc0fccfde9aea32fc07a4e5ae22316c60be14c1d7e841e58f6c623f1cff6530e254653ab9b1d33f9

  • SSDEEP

    12288:PCAr7h0cWueSo6VWT4YRGsVAvQsvoyyM:Dtu6VWCYsvoU

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16_min

C2

no-ip.arbpg.com:1604

Mutex

DCMIN_MUTEX-LG6HZ56

Attributes

  • InstallPath

    DCSCMIN\IMDCSC.exe

  • gencode

    vDY24jATvm2b

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    bougassa

Targets

    • Target

      4b98a6012a34d58c6a841826f7c6770d_JaffaCakes118

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX variant.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Persistence

  • T1547 Boot or Logon Autostart Execution (2)

  • T1547.001 Registry Run Keys / Startup Folder (1)

  • T1547.004 Winlogon Helper DLL (1)

Privilege Escalation

  • T1547 Boot or Logon Autostart Execution (2)

  • T1547.001 Registry Run Keys / Startup Folder (1)

  • T1547.004 Winlogon Helper DLL (1)

Defense Evasion

  • T1112 Modify Registry (2)

Discovery

  • T1012 Query Registry (1)

  • T1082 System Information Discovery (2)

Tasks