General

  • Target

    JaffaCakes118_0d2e6264031502a4a23f4e94e799c3af

  • Size

    2.0MB

  • Sample

    250604-eht2wazxet

  • MD5

    0d2e6264031502a4a23f4e94e799c3af

  • SHA1

    445bcf4de35b1e892534b3b3bf43eb298323ca92

  • SHA256

    403339e5ba26be619d50188edc37d763a9e76f30c2b053a2d3f6ae85a6fcae57

  • SHA512

    0e7b098bbe8c1901185da62c31c78e058cd4690e66659e83a9aa5e84c2132b379e3e48a1a35bacaf05ff5197d2a823b6b973bfd77f12759e2fb1bf1652208369

  • SSDEEP

    49152:ujv9eqOj5KFzXsV/MrM6TC6kEiXiL3CzO/gurq5rzWAZQfXRv:uxtOj5KFzcVE4IUXiLoZauQvRv

Malware Config

Extracted

Family

darkcomet

Botnet

PADILASAHIWA

C2

drkc.no-ip.biz:2605

Mutex

DC_MUTEX-XT4W5MP

Attributes
  • InstallPath

    MSDCSC\windowsupdater.exe

  • gencode

    nR7TKDNYZglG

  • install

    true

  • offline_keylogger

    true

  • password

    tingil123

  • persistence

    true

  • reg_key

    MicrosoftUpdate

rc4.plain
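How the Malware Config section above is produced, as an added example that is not part of the sandbox report or of DarkComet itself: DarkComet 5.x keeps its builder settings in a resource named DCDATA, hex-encoded RC4 ciphertext keyed with a fixed per-version string (the rc4.plain entry above names that key material; its value is not shown on this page). The operator password (the PWD field) is only appended to that base key for the C2 socket, which is why the config can be decrypted without knowing it. The base-key list and the KEY={value} field names follow public DarkComet analyses; the DCDATA blob is constructed here from the report's extracted values and is not the sample's real resource.

```python
# Added example (not from the sandbox report or the DarkComet code base).
# DarkComet 5.x keeps its configuration in a resource named DCDATA as an
# uppercase hex string of RC4 ciphertext, keyed with a fixed per-version
# string; the operator password (PWD) is appended to that base key only for
# the C2 socket.  Field names follow the builder's KEY={value} layout as
# documented in public analyses; the blob itself is constructed below from
# the report's extracted values and is NOT the sample's real resource.
import re
from typing import Dict, Optional, Union

DARKCOMET_KEYS = [            # base keys by version, most common first
    "#KCMDDC51#-890",         # 5.1 / 5.3
    "#KCMDDC5#-890",          # 5.0
    "#KCMDDC42F#-890",        # 4.2F
    "#KCMDDC42#-890",         # 4.2
    "#KCMDDC4#-890",          # 4.0
    "#KCMDDC2#-890",          # 3.x
]

FIELD_MAP = {                 # builder field -> attribute name used in the report
    "MUTEX": "mutex", "NETDATA": "c2", "SID": "botnet", "PWD": "password",
    "GENCODE": "gencode", "INSTALL": "install", "EDTPATH": "install_path",
    "KEYNAME": "reg_key", "PERSINST": "persistence", "OFFLINEK": "offline_keylogger",
}
BOOL_FIELDS = {"install", "persistence", "offline_keylogger"}
CONFIG_HEADER = b"#BEGIN DARKCOMET DATA"   # first line of a decrypted config (assumed layout)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_config(text: str) -> Dict[str, Union[str, bool]]:
    """Turn KEY={value} lines into a dict keyed by the report's attribute names."""
    cfg: Dict[str, Union[str, bool]] = {}
    for key, value in re.findall(r"([A-Z]+)=\{([^}]*)\}", text):
        name = FIELD_MAP.get(key)
        if name is not None:
            cfg[name] = (value == "1") if name in BOOL_FIELDS else value
    return cfg


def decrypt_dcdata(hex_blob: str) -> Optional[Dict[str, Union[str, bool]]]:
    """Try each known base key; accept the first decryption that yields the config header."""
    raw = bytes.fromhex(hex_blob)
    for key in DARKCOMET_KEYS:
        plain = rc4(key.encode(), raw)
        if plain.startswith(CONFIG_HEADER):
            cfg = parse_config(plain.decode("latin-1"))
            cfg["rc4_key"] = key
            return cfg
    return None


def traffic_key(base_key: str, password: str) -> str:
    """Key DarkComet uses for RC4 on its C2 socket: base key + operator password."""
    return base_key + password


# Constructed for this example: the lines mirror the report's extracted values.
_PLAINTEXT = (
    "#BEGIN DARKCOMET DATA --\r\n"
    "MUTEX={DC_MUTEX-XT4W5MP}\r\n"
    "SID={PADILASAHIWA}\r\n"
    "NETDATA={drkc.no-ip.biz:2605}\r\n"
    "GENCODE={nR7TKDNYZglG}\r\n"
    "INSTALL={1}\r\n"
    "EDTPATH={MSDCSC\\windowsupdater.exe}\r\n"
    "KEYNAME={MicrosoftUpdate}\r\n"
    "PERSINST={1}\r\n"
    "OFFLINEK={1}\r\n"
    "PWD={tingil123}\r\n"
    "#EOF DARKCOMET DATA --\r\n"
)
SAMPLE_DCDATA_HEX = rc4(b"#KCMDDC51#-890", _PLAINTEXT.encode("latin-1")).hex().upper()

if __name__ == "__main__":
    cfg = decrypt_dcdata(SAMPLE_DCDATA_HEX)
    assert cfg is not None
    for k, v in sorted(cfg.items()):
        print(f"{k:18} {v}")
    print("traffic key:", traffic_key(cfg["rc4_key"], cfg["password"]))
```

On a real sample, feed decrypt_dcdata the hex string read from the DCDATA resource (pefile's resource tree, or Resource Hacker); a None result usually means a custom-keyed build or a packer layer that still needs unwrapping, which is consistent with the UPX signature this report raises.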

Targets

    • Target

      JaffaCakes118_0d2e6264031502a4a23f4e94e799c3af

    • Size

      2.0MB

    • MD5

      0d2e6264031502a4a23f4e94e799c3af

    • SHA1

      445bcf4de35b1e892534b3b3bf43eb298323ca92

    • SHA256

      403339e5ba26be619d50188edc37d763a9e76f30c2b053a2d3f6ae85a6fcae57

    • SHA512

      0e7b098bbe8c1901185da62c31c78e058cd4690e66659e83a9aa5e84c2132b379e3e48a1a35bacaf05ff5197d2a823b6b973bfd77f12759e2fb1bf1652208369

    • SSDEEP

      49152:ujv9eqOj5KFzXsV/MrM6TC6kEiXiL3CzO/gurq5rzWAZQfXRv:uxtOj5KFzcVE4IUXiLoZauQvRv

    • Ardamax

      A keylogger first seen in 2013.

    • Ardamax family

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • Windows security bypass

    • Sets file to hidden

      Sets the hidden attribute on the dropped file so it does not appear in Explorer or in default directory listings.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX, or with a modified build of the open-source UPX packer.
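Turning the signature list above into host-side checks, as an added example (not the sandbox's own signature logic): given the values extracted in the Malware Config section, the function below walks a stream of Sysmon-style registry, file and mutex records and flags the behaviours the report names, the DarkComet mutex (both the exact config value and the builder's default DC_MUTEX- shape), the Run-key value and install path from the config, Winlogon Userinit/Shell tampering, and the hidden attribute on the dropped file. The event records are constructed for the example and are not the sandbox's actual log; the default Winlogon values are assumed to be the stock ones.

```python
# Added example (not the sandbox's own signature logic).  Given the config
# values the report extracted, check host telemetry for the behaviours the
# signature list names.  The event records are constructed Sysmon-style
# dicts, not the sandbox's actual log.
import re
from typing import Dict, List, Tuple

DC_MUTEX_RE = re.compile(r"^DC_MUTEX-[A-Z0-9]{7}$")           # builder default mutex shape
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE)
WINLOGON_RE = re.compile(r"\\Winlogon\\(Userinit|Shell)$", re.IGNORECASE)
# Stock values (assumed); anything else in these two values is a persistence hook.
DEFAULT_WINLOGON = {"userinit": r"c:\windows\system32\userinit.exe,", "shell": "explorer.exe"}

# IOCs as extracted in the report's Malware Config section.
SAMPLE_IOCS = {
    "mutex": "DC_MUTEX-XT4W5MP",
    "reg_key": "MicrosoftUpdate",
    "install_path": r"MSDCSC\windowsupdater.exe",
}

# Constructed telemetry: four records from the infected host, then a benign
# mutex and a legitimate Run key that must not fire, then a DC_MUTEX-style
# name from a different build that only the generic rule catches.
SAMPLE_EVENTS = [
    {"type": "mutex", "name": "DC_MUTEX-XT4W5MP"},
    {"type": "registry",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate",
     "data": r"C:\Users\victim\Documents\MSDCSC\windowsupdater.exe"},
    {"type": "registry",
     "target": r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "data": r"C:\Windows\system32\userinit.exe,C:\Users\victim\Documents\MSDCSC\windowsupdater.exe"},
    {"type": "file", "path": r"C:\Users\victim\Documents\MSDCSC\windowsupdater.exe",
     "attributes": "HIDDEN|SYSTEM|ARCHIVE"},
    {"type": "mutex", "name": r"Local\SM0:4128:304:WilStaging_02"},
    {"type": "registry",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"type": "mutex", "name": "DC_MUTEX-F54S21D"},
]


def triage(events: List[Dict[str, str]], iocs: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (rule, detail) pairs for every record that matches a DarkComet behaviour."""
    install_path = iocs["install_path"].lower()
    hits: List[Tuple[str, str]] = []
    for ev in events:
        kind = ev["type"]
        if kind == "mutex":
            name = ev["name"]
            if name == iocs["mutex"]:
                hits.append(("mutex_config_match", name))
            elif DC_MUTEX_RE.match(name):
                hits.append(("mutex_generic_pattern", name))
        elif kind == "registry":
            target, data = ev["target"], ev.get("data", "")
            run = RUN_KEY_RE.search(target)
            # A Run value is only interesting if it is the config's value name
            # or points at the config's install path; plain Run keys are normal.
            if run and (run.group(1) == iocs["reg_key"] or data.lower().endswith(install_path)):
                hits.append(("run_key_persistence", f"{target} -> {data}"))
            wl = WINLOGON_RE.search(target)
            if wl and data.lower() != DEFAULT_WINLOGON[wl.group(1).lower()]:
                hits.append(("winlogon_modified", f"{target} -> {data}"))
        elif kind == "file":
            path, attrs = ev["path"], ev.get("attributes", "")
            if path.lower().endswith(install_path):
                hits.append(("install_path_dropped", path))
                if "hidden" in attrs.lower():
                    hits.append(("install_file_hidden", path))
    return hits


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS, SAMPLE_IOCS):
        print(f"{rule:24} {detail}")
```

The Run-key rule is deliberately conditioned on the config (value name or install path) rather than on "any new Run value", which is why the OneDrive record stays quiet; the mutex check keeps a second, generic tier because operators can rename the mutex in the builder but most leave the DC_MUTEX- default.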

MITRE ATT&CK Enterprise v16

Tasks