General

  • Target: JaffaCakes118_ff279548cab424e57cda1f37d6572365
  • Size: 418KB
  • Sample: 250216-eash3s1lfv
  • MD5: ff279548cab424e57cda1f37d6572365
  • SHA1: 07e7a3d79b361650da06101b56a0bf896ce83aac
  • SHA256: 4fc11d9c75ff22a30cd8f4d7464f6b9382e1a7be6f73708e0a5b120b7f1a4d60
  • SHA512: 4919913eab6e81ebdb6b948d4c957cc7ab9e767321f10e648a77c0d8c29f5b939c1aabec8597d5bce9bf3d55c950b82c7f094fd22d15b4b1663a99869fd012c9
  • SSDEEP: 6144:sTUcONNgYccDj1n7FInjR4FOccSB140AlxgnB7kI7UVAiXEE3VJoZSLd2EJ:sTPYccP1n7Fwt4cccI2PSVrkLUE

Malware Config

Extracted

Family: darkcomet

Botnet: I4I - Inception

C2: r3c0n.no-ip.org:2744

Mutex: DC_MUTEX-KL0WYVV

Attributes
  • InstallPath: Microsoft\jusched.exe
  • gencode: w./4G9G6�lKU
  • install: true
  • offline_keylogger: true
  • password: daniel1994
  • persistence: true
  • reg_key: Windows Registry Editor

rc4.plain

Targets

    • Target: JaffaCakes118_ff279548cab424e57cda1f37d6572365


    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks