Overview

overview

10

Static

static

3

4d6a7dfc8a...18.exe

windows7-x64

10

4d6a7dfc8a...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    4d6a7dfc8a0dad3438f21d4ca74ac5e6_JaffaCakes118

  • Size

    624KB

  • Sample

    240716-jrd48svdpc

  • MD5

    4d6a7dfc8a0dad3438f21d4ca74ac5e6

  • SHA1

    dda851821f047a71b6974b11f5ae5f88fffadd07

  • SHA256

    cde80d943f99be364f48983fffb67d6da6f3f27c1d1eae0c7884fce45e2426cb

  • SHA512

    4b1f924855277d4ec25cd3c08316e9d8b7965bb80e14e65b01dfd0ad5080ce833137a87337ee7ea493f2b9e7ff86b67b06057fcbed32c986514e1e4d607b7c7c

  • SSDEEP

    12288:6NBZuNpc6tdQnw6q6VS8iVYq0HOL5YpQauQNRZvSAe1cma5Z:6NBZm/tdmwNSS3Y9g5YUMZ6AeqTZ

Score
10/10
darkcometguest16_minpersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16_min

C2

188.40.51.96:3442

Mutex

DCMIN_MUTEX-SZL6979

Attributes
  • gencode

    PrH0WY3RCe14

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Targets

    • Target

      4d6a7dfc8a0dad3438f21d4ca74ac5e6_JaffaCakes118

    • Size

      624KB

    • MD5

      4d6a7dfc8a0dad3438f21d4ca74ac5e6

    • SHA1

      dda851821f047a71b6974b11f5ae5f88fffadd07

    • SHA256

      cde80d943f99be364f48983fffb67d6da6f3f27c1d1eae0c7884fce45e2426cb

    • SHA512

      4b1f924855277d4ec25cd3c08316e9d8b7965bb80e14e65b01dfd0ad5080ce833137a87337ee7ea493f2b9e7ff86b67b06057fcbed32c986514e1e4d607b7c7c

    • SSDEEP

      12288:6NBZuNpc6tdQnw6q6VS8iVYq0HOL5YpQauQNRZvSAe1cma5Z:6NBZm/tdmwNSS3Y9g5YUMZ6AeqTZ

    Score
    10/10
    darkcometguest16_minpersistencerattrojan

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1
T1064

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks