General

  • Target

    JaffaCakes118_1af3961d3eceac14e67e090ab84967ed

  • Size

    2.0MB

  • Sample

    250222-t9rs6awjx8

  • MD5

    1af3961d3eceac14e67e090ab84967ed

  • SHA1

    946181a01d9dd0a0337ab14d6f57f90dc5d29363

  • SHA256

    13a8c8a3eb4bd0e2af4a08188ed98217dcbcfcfef8d862a2a2c4bcc0ca95d7c6

  • SHA512

    4056e8b5267e87dff075a240da863488a63356db0fdfa175526858f65bd689b263cd35a11e1811f951656dc9302cde2b3b3aa1a6f5920e48ba342adc4bf9edea

  • SSDEEP

    24576:PxGLXsolxr0wdKQ/zIehPIflgcQCVBvMkOfLHIfuD2ynNWF3TklqK:GDHKQ/1MQZzICowl5

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

hackers-2007.zapto.org:1604

Mutex

DC_MUTEX-LC2UPNF

Attributes

  • InstallPath

    Windupdt\winupdate.exe

  • gencode

    cJAW7ndnjaMS

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    winupdater

rc4.plain

Targets

    • Target

      JaffaCakes118_1af3961d3eceac14e67e090ab84967ed

    • Size

      2.0MB

    • MD5

      1af3961d3eceac14e67e090ab84967ed

    • SHA1

      946181a01d9dd0a0337ab14d6f57f90dc5d29363

    • SHA256

      13a8c8a3eb4bd0e2af4a08188ed98217dcbcfcfef8d862a2a2c4bcc0ca95d7c6

    • SHA512

      4056e8b5267e87dff075a240da863488a63356db0fdfa175526858f65bd689b263cd35a11e1811f951656dc9302cde2b3b3aa1a6f5920e48ba342adc4bf9edea

    • SSDEEP

      24576:PxGLXsolxr0wdKQ/zIehPIflgcQCVBvMkOfLHIfuD2ynNWF3TklqK:GDHKQ/1MQZzICowl5

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks