Overview

overview

10

Static

static

5

JaffaCakes...e9.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_b8413f3c5293f5469a55af23f502e3e9

  • Size

    6.6MB

  • Sample

    250414-s7gpqs1yev

  • MD5

    b8413f3c5293f5469a55af23f502e3e9

  • SHA1

    38c42a6edc62b48af0795166b146f0cdead1ee00

  • SHA256

    b2145db16c8b923e9734aa05cd5c05a160aabc24f6e4fd81cea5e95ffe14973b

  • SHA512

    1d7697b58a015d2ca688a754d42fc4eeff7b3680ab437afe2fcbabcc9505695156b50756bad5ecb570f0a58beb047f09f99dc079077a2640519c21134f87d7a2

  • SSDEEP

    196608:aaP5IKXAaH0CdugLKVI2htNnEfK0A5t5ApVzDyuD:aaDXAKT62K0A5nA/zDyI

Score
10/10
darkcometguest16defense_evasiondiscoverypersistencerattrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

loveayada.zapto.org:82

Mutex

DC_MUTEX-QLHXCM9

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    t4ncNQbXdKme

  • install

    true

  • offline_keylogger

    true

  • password

    ayada

  • persistence

    true

  • reg_key

    MicroUpdate

rc4.plain

Targets

    • Target

      JaffaCakes118_b8413f3c5293f5469a55af23f502e3e9

    • Size

      6.6MB

    • MD5

      b8413f3c5293f5469a55af23f502e3e9

    • SHA1

      38c42a6edc62b48af0795166b146f0cdead1ee00

    • SHA256

      b2145db16c8b923e9734aa05cd5c05a160aabc24f6e4fd81cea5e95ffe14973b

    • SHA512

      1d7697b58a015d2ca688a754d42fc4eeff7b3680ab437afe2fcbabcc9505695156b50756bad5ecb570f0a58beb047f09f99dc079077a2640519c21134f87d7a2

    • SSDEEP

      196608:aaP5IKXAaH0CdugLKVI2htNnEfK0A5t5ApVzDyuD:aaDXAKT62K0A5nA/zDyI

    Score
    10/10
    darkcometguest16defense_evasiondiscoverypersistencerattrojanupx

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Darkcomet family

      darkcomet

    • Modifies WinLogon for persistence

      persistence

    • Modifies firewall policy service

      defense_evasion

    • Modifies security service

      defense_evasion

    • Windows security bypass

      defense_evasiontrojan

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

      defense_evasiontrojan

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Defense Evasion

Impair Defenses

3
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

2
T1562.001

Modify Registry

7
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks