General

  • Target

    676702084348dee449906e0c22a29673_JaffaCakes118

  • Size

    1.5MB

  • Sample

    240723-nlm76stbra

  • MD5

    676702084348dee449906e0c22a29673

  • SHA1

    4f2383819806d8f31abcfa176187352e470ec892

  • SHA256

    1f5511a403731f2684d7ef1bfd0f4dab2f5aa72ef41980e34c9918bfee973fd6

  • SHA512

    92747599158f7e20d312add154ffe8f403c0f9fcd2ca1baf17fa9127cdbc9ba99d354e4386b0b4f25c232a356c19a5ff666dca5fb47f4788c0a415dbbff0e2dc

  • SSDEEP

    24576:p9++PM4QtPZBpQCCBjyihviSzw5nkZHzQDO+J1tgXzJdB4qaK3R:p9++PMPQCMdhvtzw5n605gXV85K3R

Malware Config

Extracted

Family

darkcomet

Botnet

defeult

C2

someonei.zapto.org:1604

Mutex

DC_MUTEX-84ZPHN0

Attributes

  • InstallPath

    MSDCSC\crss.exe

  • gencode

    jdDHAcgEiQiK

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    crss

Targets

    • Target

      676702084348dee449906e0c22a29673_JaffaCakes118

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Drops file in Drivers directory

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks