General

  • Target

    JaffaCakes118_bfbd626689ff3e772a2f3d0cb856b3e7

  • Size

    2.1MB

  • Sample

    250418-zrhqesvwdx

  • MD5

    bfbd626689ff3e772a2f3d0cb856b3e7

  • SHA1

    2b5d188dd4bfe0782deadffced7cd625e0f1912e

  • SHA256

    cc559c0ec06055373bd5fbe8a7ba034507291248eb1e66a946c665fb68adb97f

  • SHA512

    608e97495ffbf80798e18f863ca00be4d32fec79cd2c0fbf3915ad7f93d7a93a6b7cb39ed2f52944b62ec18c010639685b1c2d8566d6d40554ccbfce6cdb7eb4

  • SSDEEP

    49152:skTgQLELdDvSlMLMvvddF2kwJye6TsHWSXI1AWYnEh:spQLyd4MLevckGVVHWOI1/yU

Malware Config

Extracted

Family

darkcomet

Botnet

Opfer

C2

panzaknacka.hopto.org:1337

Mutex

MAC-7UVFFZ6

Attributes

  • InstallPath

    MSDCSC\sysdate.exe

  • gencode

    5KLmF0Xbpz15

  • install

    true

  • offline_keylogger

    true

  • password

    l0rn

  • persistence

    false

  • reg_key

    sysdate.exe

rc4.plain
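The configuration above is what a sandbox extractor recovers from a DarkComet 5.x build: the bot keeps its settings in an RCDATA resource named DCDATA as a hex-encoded RC4 blob, the RC4 key is a fixed per-version string ("#KCMDDC51#-890" for 5.1), and the decrypted blob is a list of KEY={VALUE} lines between a begin and an end marker. The "password" field (here l0rn) is not the key to the resource; it is appended to the version string to form the RC4 key for the C2 traffic. The following Python is an added example, not code from this report, from the sandbox, or from DarkComet itself. The encrypted blob it decodes is constructed inside the script from the values in this report (it is not the resource of this binary), and the DCDATA key names (NETDATA, MUTEX, SID, GENCODE, INSTALL, EDTPATH, KEYNAME, PERSINST, OFFLINEK, PWD) and the begin/end markers are those used by public open-source DarkComet extractors, taken here as an assumption.

```python
"""DarkComet 5.x DCDATA config decryption and parsing (added example).

Assumptions (not confirmed by the report above):
  * version keys and BEGIN/EOF markers as used by open-source DarkComet extractors;
  * DCDATA key names mapped to the report's field names in FIELD_MAP.
The encrypted sample is CONSTRUCTED below from the report's values.
"""
import binascii
import re
from typing import Dict, Tuple

VERSION_KEYS = {
    "5.1": b"#KCMDDC51#-890",
    "5.0": b"#KCMDDC5#-890",
    "4.x": b"#KCMDDC4#-890",
    "2.x": b"#KCMDDC2#-890",
}
BEGIN_MARK = "#BEGIN DARKCOMET DATA --"
END_MARK = "#EOF DARKCOMET DATA --"
LINE_RE = re.compile(r"^([A-Z0-9_]+)=\{(.*)\}$")

# DCDATA key -> field name used in the report above (assumed mapping).
FIELD_MAP = {
    "NETDATA": "C2", "MUTEX": "Mutex", "SID": "Botnet", "GENCODE": "gencode",
    "INSTALL": "install", "OFFLINEK": "offline_keylogger", "PWD": "password",
    "PERSINST": "persistence", "KEYNAME": "reg_key", "EDTPATH": "InstallPath",
}
BOOL_FIELDS = {"install", "offline_keylogger", "persistence"}


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encrypting and decrypting are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_dcdata(hex_blob: str) -> Tuple[str, str]:
    """Try each known version key; the right one yields the BEGIN marker."""
    raw = binascii.unhexlify(hex_blob.strip())
    for version, key in VERSION_KEYS.items():
        plain = rc4(key, raw).decode("latin-1")
        if plain.startswith(BEGIN_MARK):
            return version, plain
    raise ValueError("no known DarkComet version key decrypts this blob")


def parse_config(plain: str) -> Dict[str, str]:
    """Split the decrypted blob into KEY={VALUE} pairs, skipping markers and padding."""
    cfg: Dict[str, str] = {}
    for line in plain.replace("\r\n", "\n").split("\n"):
        line = line.strip("\x00 ")
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def normalize(cfg: Dict[str, str]) -> Dict[str, object]:
    """Rename keys to the report's field names and turn 0/1 flags into booleans."""
    out: Dict[str, object] = {}
    for k, v in cfg.items():
        name = FIELD_MAP.get(k, k)
        out[name] = (v == "1") if name in BOOL_FIELDS else v
    return out


def network_key(version: str, password: str) -> bytes:
    """RC4 key for C2 traffic: version string + operator password."""
    return VERSION_KEYS[version] + password.encode("latin-1")


def extract(hex_blob: str) -> Dict[str, object]:
    version, plain = decrypt_dcdata(hex_blob)
    cfg = normalize(parse_config(plain))
    cfg["version_key"] = version
    cfg["network_rc4_key"] = network_key(version, str(cfg.get("password", ""))).decode("latin-1")
    return cfg


# CONSTRUCTED sample: the report's values encrypted here with the 5.1 key.
CONSTRUCTED_PLAINTEXT = "\r\n".join([
    BEGIN_MARK,
    "MUTEX={MAC-7UVFFZ6}",
    "SID={Opfer}",
    "NETDATA={panzaknacka.hopto.org:1337}",
    "GENCODE={5KLmF0Xbpz15}",
    "INSTALL={1}",
    "EDTPATH={MSDCSC\\sysdate.exe}",
    "KEYNAME={sysdate.exe}",
    "PERSINST={0}",
    "OFFLINEK={1}",
    "PWD={l0rn}",
    END_MARK,
])
CONSTRUCTED_DCDATA_HEX = binascii.hexlify(
    rc4(VERSION_KEYS["5.1"], CONSTRUCTED_PLAINTEXT.encode("latin-1"))
).decode().upper()

if __name__ == "__main__":
    for field, value in extract(CONSTRUCTED_DCDATA_HEX).items():
        print(f"{field}: {value}")
```

Against a real sample, dump the DCDATA resource (for example with pefile) and pass its text to extract(); the returned network_rc4_key is what a decoder needs to decrypt captured traffic to the C2 above, and the C2, Mutex, reg_key and InstallPath values are the host and network indicators to hunt for.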

Targets

    • Target

      JaffaCakes118_bfbd626689ff3e772a2f3d0cb856b3e7

    • Size

      2.1MB

    • MD5

      bfbd626689ff3e772a2f3d0cb856b3e7

    • SHA1

      2b5d188dd4bfe0782deadffced7cd625e0f1912e

    • SHA256

      cc559c0ec06055373bd5fbe8a7ba034507291248eb1e66a946c665fb68adb97f

    • SHA512

      608e97495ffbf80798e18f863ca00be4d32fec79cd2c0fbf3915ad7f93d7a93a6b7cb39ed2f52944b62ec18c010639685b1c2d8566d6d40554ccbfce6cdb7eb4

    • SSDEEP

      49152:skTgQLELdDvSlMLMvvddF2kwJye6TsHWSXI1AWYnEh:spQLyd4MLevckGVVHWOI1/yU

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • ISR Stealer

ISR Stealer is a modified version of Hackhound Stealer, written in Visual Basic.

    • ISR Stealer payload

    • Isrstealer family

    • Modifies WinLogon for persistence

    • Detected Nirsoft tools

Free utilities that are often bundled by attackers because they recover stored passwords, product keys and similar secrets from the host.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Executes dropped EXE

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

Detects executables packed with the open-source UPX packer or a modified variant of it.

MITRE ATT&CK Enterprise v16

Tasks