Resubmissions

11-08-2024 16:27

240811-tx5jgs1hnc 10

11-08-2024 04:12

240811-espvxavbrl 10

General

  • Target

    88f2ea17a90d31b673d1a54e25477756_JaffaCakes118

  • Size

    804KB

  • Sample

    240811-espvxavbrl

  • MD5

    88f2ea17a90d31b673d1a54e25477756

  • SHA1

    ac58cdd1ca9ef4c33682d5403169d2d8e4116648

  • SHA256

    e37abad92404bba98bc23c66ae860cdf6a99d417f1ec32e86b4b6ea7dd5d61f9

  • SHA512

    3362e64ff382bd6f5aca75060df2ace3b987ab59f3ab38c2152bfec28b0efb36c9b32739aea374ad6c4f4125463ce174cef3f94e43e124faa0eeba302d2800d3

  • SSDEEP

    12288:DYBwvN79lQW+Xdan4vSSCLj5ggdZzyVNPrYZzfKsgRVNlMZt8K/bvHMtvk:DAwvN79lWNan42jO8sWLjolmtdMJk

Malware Config

Extracted

Family

darkcomet

Botnet

HydraAntivirüs

C2

127.0.0.1:1604

hydrahydra1907.zapto.org:1604

Mutex

DC_MUTEX-N3ACU05

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    Bj3PNgEjTbH5

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Extracted

Family

latentbot

C2

hydrahydra1907.zapto.org

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • LatentBot

      Modular trojan written in Delphi that has been in the wild since 2013.

    • Modifies WinLogon for persistence

    • Modifies security service

    • Windows security bypass

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Modifies Windows Firewall

    • Sets file to hidden

      Modifies file attributes so that the file is not shown in Explorer and similar tools.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks