General

  • Target

    5d535157e6bdda7ab036857a8071b3cd_JaffaCakes118

  • Size

    1003KB

  • Sample

    240719-x4h6lswcnm

  • MD5

    5d535157e6bdda7ab036857a8071b3cd

  • SHA1

    a4f43a1a9e210cd4b00e641c5af71d3fd6f0f836

  • SHA256

    3e222729468642f9fc66c7cee374ccbcb5c8ecccac7a8f13fe4233dabcf2109b

  • SHA512

    d0d445894576c644a84a9cd11c318ec0a119ebacc3238a3b8e0236a07283558f11ee7ef37c14891155f2f290304c345b4f23ae31da7efc8505fadf95fd30d5d4

  • SSDEEP

    24576:3sW0y24yZiZDSlavH9VfZbAdvNmAI26o:GHlanZbwmO6o

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    Guest16_min

  • C2

    127.0.0.1:1604

  • Mutex

    DCMIN_MUTEX-BDK1ZLN

Attributes
  • gencode

    QiPVD35yKLgo

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

  • Execution

    Scripting (T1064): 1

  • Persistence

    Boot or Logon Autostart Execution (T1547): 1

    Registry Run Keys / Startup Folder (T1547.001): 1

  • Privilege Escalation

    Boot or Logon Autostart Execution (T1547): 1

    Registry Run Keys / Startup Folder (T1547.001): 1

  • Defense Evasion

    Scripting (T1064): 1

    Modify Registry (T1112): 1

Tasks