General

  • Target

    JaffaCakes118_6b4acaaf3539c92bcf89df2d011f7080

  • Size

    602KB

  • Sample

    250103-j2nfnavqb1

  • MD5

    6b4acaaf3539c92bcf89df2d011f7080

  • SHA1

    10e029131670dccc4eabe97047ef4e71c8f77839

  • SHA256

    3f019bbc851fab085db708dc4ea98a6981d0c48506d24b17d15e26f102b4aec1

  • SHA512

    e31d89d7170784c9ec430acfdff88ffd7897d0f110c526f31b97931c0c45ec753aa854baff796bcaa2b755eaae5e8566c17a77e5ac34931e9cca809fef2a1c10

  • SSDEEP

    12288:GwOwkFr2oZjUDNpebMxDU7syqEz6X9kvmG4K3jct5H/f6AX8eiZXZBVVW0:GwOwkFrZ+N8IxBE6G4OjcL6E8l1zP

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    Coin

  • C2

    89.173.7.7:200

  • Mutex

    DC_MUTEX-YG8ENTR

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    g43hiCLbWeZk

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      Simple BTC Trader v1.3/Simple BTC Trader v1.3 [Trial Version].exe

    • Size

      1.0MB

    • MD5

      d493ef686bd337ee99459886c3ef6f93

    • SHA1

      e0b99011aec22e73f0eb362d503e724567b2ae33

    • SHA256

      fc46fddea9f07579ff17ca2045151449488c44c30435df61f560797d9e4a1bff

    • SHA512

      96074111f22fbb6c7d13a42d0fc6a60a50f98e3e0ddc79458469b6edcec24c596bc5966419516225fc26fa9b2bf85c9dd6ce6933d4cbb42faf41d1aa3c16068c

    • SSDEEP

      12288:rhE5xyytgDbV5WC2Mry6Wzgo0Rl7yX5vWL1wajud:NE5Yd5ZrG2lO+1O

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      Simple BTC Trader v1.3/api-ms-win-core-libraryloader-l1-1-0.dll

    • Size

      52KB

    • MD5

      1bef2b0855145e7498ec34c8a1d8fc0d

    • SHA1

      fe565246c9a3fb14703fd83a22a506b180e252b7

    • SHA256

      d4e9e2fc909f46012243c20fffbcce4e41134529f5527b9f59bb945148e67c9a

    • SHA512

      2b3355db5ab867bd8ec101ec1269ac2289380a7cc02704e547618ba1eeb76f44267e686747fefc0c552cc66bed44264907233e28de2e975b1afd88cb810cdcdb

    • SSDEEP

      12:GPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPO:H

    Score: 1/10

    • Target

      Simple BTC Trader v1.3/crypt32.dll

    • Size

      84KB

    • MD5

      ef534f923c580b6222bcc388e7924659

    • SHA1

      e553458367a89cdf745dc571603666b672f0c060

    • SHA256

      bf38d3d3a7024ddc41e8ee0cd4b6fefe19a97e498132f9d82fa56b3c0ac0f4aa

    • SHA512

      da4ace948879757cb69dd77a771cbde96b7d0e7215390824770be34b1936d4ad7dd27dd0bcaaa31348b48ab29bb86a60bface7860a45b0474ce96900b51649b5

    • SSDEEP

      384:uQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQh:y

    Score: 1/10
