Overview

overview

10

Static

static

7

JaffaCakes...b5.exe

windows7-x64

10

JaffaCakes...b5.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_68b51f46404ef40e243df9bc6f97fbb5

  • Size

    747KB

  • Sample

    250102-2txy8synb1

  • MD5

    68b51f46404ef40e243df9bc6f97fbb5

  • SHA1

    a0b1253f2f72ca6cfbbd45892d7a6ec708874d2b

  • SHA256

    fb4385a75b5c49473057991eda06012c9774fac6578a861558139718cb5b7108

  • SHA512

    6b1d72fa2302638b910906d1211f5042a908813779aa6bd7aa9d8d8046c61f7318b9b8646a80fc234dc2c5a584f95bb3ea1f527bb7ce0918cd5948383a58ef57

  • SSDEEP

    12288:1ZQt4Q2+rqkgeCW47dwfzOJSiElgR5eSJcf6colYQY/MvnB7yubadHQZzaFWwV:rwK8Xge7smbO915eSJ9c/2ssz

Score
10/10
darkcometmodiloaderguest16aspackv2discoveryevasionpersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

bojan9090.no-ip.biz:90

Mutex

DC_MUTEX-1LECKLA

Attributes
  • InstallPath

    system32\winupdate.exe

  • gencode

    DjaJfA5nYcpv

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      JaffaCakes118_68b51f46404ef40e243df9bc6f97fbb5

    • Size

      747KB

    • MD5

      68b51f46404ef40e243df9bc6f97fbb5

    • SHA1

      a0b1253f2f72ca6cfbbd45892d7a6ec708874d2b

    • SHA256

      fb4385a75b5c49473057991eda06012c9774fac6578a861558139718cb5b7108

    • SHA512

      6b1d72fa2302638b910906d1211f5042a908813779aa6bd7aa9d8d8046c61f7318b9b8646a80fc234dc2c5a584f95bb3ea1f527bb7ce0918cd5948383a58ef57

    • SSDEEP

      12288:1ZQt4Q2+rqkgeCW47dwfzOJSiElgR5eSJcf6colYQY/MvnB7yubadHQZzaFWwV:rwK8Xge7smbO915eSJ9c/2ssz

    Score
    10/10
    darkcometmodiloaderguest16aspackv2discoveryevasionpersistencerattrojan

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Darkcomet family

      darkcomet

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • Modifies WinLogon for persistence

      persistence

    • Modiloader family

      modiloader

    • Windows security bypass

      evasiontrojan

    • ModiLoader Second Stage

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks