Overview

overview

10

Static

static

3

JaffaCakes...9b.exe

windows7-x64

10

JaffaCakes...9b.exe

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_c99f2f9d8bf76a0f5df6c68c0064b79b

  • Size

    960KB

  • Sample

    250209-bvr69szrcy

  • MD5

    c99f2f9d8bf76a0f5df6c68c0064b79b

  • SHA1

    6c1227ae30358b799692990bf277d8291ce8847d

  • SHA256

    4346e483651ad78f456c640d9b7df0a0818d37497216d79f2e885d39d6a95430

  • SHA512

    f26c47cb6edb11ef5167fe1617d16eca1d48ac63cb0ffc9540aa228d9d3ef7127bd676451b40f06301058f8582d4e60b851b531708987dfba0b53b71ce01296c

  • SSDEEP

    24576:aBUx73EDlSNnYMQwQ6iyIakELz9JysaZbmNrU69:aBm73glSolvL8zzTaZSg69

Score
10/10
darkcometvictimedefense_evasiondiscoverypersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Victime

C2

mougly.zapto.org:1604

Mutex

DC_MUTEX-W9LP9DR

Attributes
  • InstallPath

    Unknown\unknown.exe

  • gencode

    taca-�DWWfVW

  • install

    true

  • offline_keylogger

    true

  • password

    pinpin55

  • persistence

    true

  • reg_key

    unknown

rc4.plain

Targets

    • Target

      JaffaCakes118_c99f2f9d8bf76a0f5df6c68c0064b79b

    • Size

      960KB

    • MD5

      c99f2f9d8bf76a0f5df6c68c0064b79b

    • SHA1

      6c1227ae30358b799692990bf277d8291ce8847d

    • SHA256

      4346e483651ad78f456c640d9b7df0a0818d37497216d79f2e885d39d6a95430

    • SHA512

      f26c47cb6edb11ef5167fe1617d16eca1d48ac63cb0ffc9540aa228d9d3ef7127bd676451b40f06301058f8582d4e60b851b531708987dfba0b53b71ce01296c

    • SSDEEP

      24576:aBUx73EDlSNnYMQwQ6iyIakELz9JysaZbmNrU69:aBm73glSolvL8zzTaZSg69

    Score
    10/10
    darkcometvictimedefense_evasiondiscoverypersistencerattrojan

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Darkcomet family

      darkcomet

    • Modifies WinLogon for persistence

      persistence

    • Modifies firewall policy service

      defense_evasion

    • Modifies security service

      defense_evasion

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Adds Run key to start application

      persistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

4
T1112

Credential Access

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks