General

  • Target

    JaffaCakes118_f0e5ed93d10a45df5ef2805468a1092f

  • Size

    4.3MB

  • Sample

    250212-rhy22svlen

  • MD5

    f0e5ed93d10a45df5ef2805468a1092f

  • SHA1

    d831431314316e474cd76dc2c9e9c23fed2e006b

  • SHA256

    3b9d489a5d83a68aa03d38a896f79ec455ba5ff16caf5bea0aa04ff846d4b421

  • SHA512

    367dfbe9354195d2a068127e5eeed07483a9aa7ab33dbc6126af43b6ab885dc7a1d02ffb8198c1fa6ebcb88ed4d2b8e32546ddd2e10d4e05a380888d41a3ba86

  • SSDEEP

    98304:AH4rWqBFXasqdAYPhZSLBfPz+msa2xL2AKNuj5QcJ9a:AYVBFAA8vSlfr+vxbKaXJ

Malware Config

Extracted

Family

darkcomet

Botnet

Loader 2012.01

C2

ka8evdei.no-ip.info:6969

Mutex

DC_MUTEX-7JG656R

Attributes

  • gencode

    hJpLHl1fk4Dj

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

rc4.plain

Targets

    • Target

      JaffaCakes118_f0e5ed93d10a45df5ef2805468a1092f

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Possible privilege escalation attempt

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Modifies file permissions

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified version of it.

MITRE ATT&CK Enterprise v15

Tasks