Overview

overview

10

Static

static

10

JaffaCakes...53.exe

windows7-x64

10

JaffaCakes...53.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_0975c66605ec9186f18238b6461ce553

  • Size

    764KB

  • Sample

    250220-eekn2awldr

  • MD5

    0975c66605ec9186f18238b6461ce553

  • SHA1

    14be3649cc916d6c752f9cc196160632eb2f73c3

  • SHA256

    99189d84f5d8918f385a386c46929a16a5d04a710b780404bae288a605412ba6

  • SHA512

    ba85cbe3d915d2a3548deca41970f0197f193bb286a4de2ad9970900242165680a7b3e371d5ed98a7631d628050510e81583eeb2989cb0148d2b462b19692594

  • SSDEEP

    12288:u3vYTTiDDHPZlA8v+rzG+pniwi0TfO92lPXDK8G+5KOhds77YfcROTohEoNUe:avTvw8v+rzRpU0Y3+KOhds77YfK3

Score
10/10
darkcometguest16discoverypersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Attributes
  • gencode

  • install

    false

  • offline_keylogger

    false

  • persistence

    false

rc4.plain

Extracted

Family

darkcomet

Botnet

Guest16

C2

orik745.redirectme.net:7454

Mutex

DC_MUTEX-KR9X87H

Attributes
  • InstallPath

    Windupdte\winupdate.exe

  • gencode

    CT-x/#mjy0C5

  • install

    true

  • offline_keylogger

    false

  • persistence

    false

  • reg_key

    winupdate

rc4.plain

Targets

    • Target

      JaffaCakes118_0975c66605ec9186f18238b6461ce553

    • Size

      764KB

    • MD5

      0975c66605ec9186f18238b6461ce553

    • SHA1

      14be3649cc916d6c752f9cc196160632eb2f73c3

    • SHA256

      99189d84f5d8918f385a386c46929a16a5d04a710b780404bae288a605412ba6

    • SHA512

      ba85cbe3d915d2a3548deca41970f0197f193bb286a4de2ad9970900242165680a7b3e371d5ed98a7631d628050510e81583eeb2989cb0148d2b462b19692594

    • SSDEEP

      12288:u3vYTTiDDHPZlA8v+rzG+pniwi0TfO92lPXDK8G+5KOhds77YfcROTohEoNUe:avTvw8v+rzRpU0Y3+KOhds77YfK3

    Score
    10/10
    darkcometguest16discoverypersistencerattrojan

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Darkcomet family

      darkcomet

    • Modifies WinLogon for persistence

      persistence

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks