General

  • Target

    JaffaCakes118_90daf928ceabe45ad2a9aaded817da31

  • Size

    1.5MB

  • Sample

    250329-wxvqdsytet

  • MD5

    90daf928ceabe45ad2a9aaded817da31

  • SHA1

    d669f57b51672a1191b2fdf634414c2f3714f1bc

  • SHA256

    0725a2881b4533002e5e3ed20a6db2fd6cd610fb10cacd1d3152ee611652615d

  • SHA512

    30159904cfbf39e20791ab5c04b27f5852c63f9da435233815418ade73d58874bda8a9f107bd4c238d889802d954c345e68f9ed86e7670774ac1b74ecb18c354

  • SSDEEP

    49152:zgYnI9lCORJJP/TLNwbRRoyne9jVmwbSjTa:ztkRzP/e1e9jVmw+C

Malware Config

Extracted

Family

darkcomet

Botnet

Testing

C2

h7eatshot.sytes.net:550

Mutex

DC_MUTEX-2CVGDU5

Attributes

  • InstallPath

    Windupdt\winupdate.exe

  • gencode

    �z*�Hy7$To*Y

  • install

    true

  • offline_keylogger

    false

  • persistence

    false

  • reg_key

    winupdater

rc4.plain

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks