General

  • Target

    JaffaCakes118_7a20bc1617941753c2df045d10b2e9b0

  • Size

    300KB

  • Sample

    250104-rh8w9aspgz

  • MD5

    7a20bc1617941753c2df045d10b2e9b0

  • SHA1

    7cf9362db3615c9d7ac1bd86a8b34767ad1bb7e2

  • SHA256

    1fe57ec8aa73b0a0ec80fc3b2c508597724165cd2754b2589d974e917726dd34

  • SHA512

    638da391a2e39d38d8c18fba23b20055dfa92b98402898477643bd2fd97a2852ebbf3190a1b99b2794cccb572fe33863762590431a7894066f0fcddc61ce5f80

  • SSDEEP

    6144:1wHysEYOmWb2UfOEmvb/cjO6wlD+GznCWFYx185H1cI5+2d2Qd0HTLCXv:eEY52eb/cSFFquN5+hpHfC/

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    Member

  • C2

    privatefirmservices.misconfused.org:1889

  • Mutex

    DC_MUTEX-VPYPTFZ

Attributes
  • InstallPath

    outlook\reader.exe

  • gencode

    lMrP0lsejr0x

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      JaffaCakes118_7a20bc1617941753c2df045d10b2e9b0

    • Size

      300KB

    • MD5

      7a20bc1617941753c2df045d10b2e9b0

    • SHA1

      7cf9362db3615c9d7ac1bd86a8b34767ad1bb7e2

    • SHA256

      1fe57ec8aa73b0a0ec80fc3b2c508597724165cd2754b2589d974e917726dd34

    • SHA512

      638da391a2e39d38d8c18fba23b20055dfa92b98402898477643bd2fd97a2852ebbf3190a1b99b2794cccb572fe33863762590431a7894066f0fcddc61ce5f80

    • SSDEEP

      6144:1wHysEYOmWb2UfOEmvb/cjO6wlD+GznCWFYx185H1cI5+2d2Qd0HTLCXv:eEY52eb/cSFFquN5+hpHfC/

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with the UPX (or a modified UPX) open-source packer.

    • Target

      $PLUGINSDIR/snorts.dll

    • Size

      22KB

    • MD5

      03335eedd55f4e846c30f6e343b79f72

    • SHA1

      d97be693fa21f3e1f75f6aec08c943a5589d0de4

    • SHA256

      0379140a954b9a8cd1be8fa6302a7296af60298b7af77a1e40914f95d012b647

    • SHA512

      2f43d9a46c720ae424354b5082f37422d8add2d0931f628fb8f503de5860c94efd130bf66b61efaf6865984fea573d122ada603af06aec56286cd29d9faf5b18

    • SSDEEP

      384:Hj4re84+kszLu+16L2DXrnLV4lOPqAWwE1poFirP7X:LP3s+SSfOPqANepo6

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks