Overview

overview

10

Static

static

3

1816dd0f97...18.exe

windows7-x64

10

1816dd0f97...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1816dd0f974fecd01a3aee390593de19_JaffaCakes118

  • Size

    1.3MB

  • Sample

    240628-al6gvsshqp

  • MD5

    1816dd0f974fecd01a3aee390593de19

  • SHA1

    67c477675af6dfd5fca81669a58daae9fa8ddc8c

  • SHA256

    4b259a4d6a566836a4e511b7ca5d0bd5775360fd52eaf89b03035d4e602431c5

  • SHA512

    2488732d171cbd43f283cf423d493b1294439a5a4e200b6454a24267eb8f2a815058ef4798c16198b9b6bd4dbbb5442adaf103f483b02935b098bd9fa5fe966a

  • SSDEEP

    24576:KdWfwUBOzQKW8d4UR/tqhnyMIo0eyauZUKctbFPZX46fJ6dVUqhkNvaWJ6Uq:q0p6pR/mndIoxyPU/btmVUqyRTq

Score
10/10
darkcometmetin2-gioevasionpersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

metin2-gio

C2

127.0.0.1:1604

hepter.dyndns.biz:8211

hepter.no-ip.org:8211

127.0.0.1:8211
Mutex

DC_MUTEX-C50UDX6

Attributes
  • InstallPath

    Resimlerim\Profiles\chrome.exe

  • gencode

    ja8PAQUAvm4V

  • install

    true

  • offline_keylogger

    true

  • password

    hepter

  • persistence

    true

  • reg_key

    GoogleUpdate

Targets

    • Target

      1816dd0f974fecd01a3aee390593de19_JaffaCakes118

    • Size

      1.3MB

    • MD5

      1816dd0f974fecd01a3aee390593de19

    • SHA1

      67c477675af6dfd5fca81669a58daae9fa8ddc8c

    • SHA256

      4b259a4d6a566836a4e511b7ca5d0bd5775360fd52eaf89b03035d4e602431c5

    • SHA512

      2488732d171cbd43f283cf423d493b1294439a5a4e200b6454a24267eb8f2a815058ef4798c16198b9b6bd4dbbb5442adaf103f483b02935b098bd9fa5fe966a

    • SSDEEP

      24576:KdWfwUBOzQKW8d4UR/tqhnyMIo0eyauZUKctbFPZX46fJ6dVUqhkNvaWJ6Uq:q0p6pR/mndIoxyPU/btmVUqyRTq

    Score
    10/10
    darkcometmetin2-gioevasionpersistencerattrojan

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Modifies WinLogon for persistence

      persistence

    • Modifies firewall policy service

      evasion

    • Modifies security service

      evasion

    • Windows security bypass

      evasiontrojan

    • Disables RegEdit via registry modification

      evasion

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Defense Evasion

Modify Registry

6
T1112

Impair Defenses

3
T1562

Disable or Modify Tools

2
T1562.001

Disable or Modify System Firewall

1
T1562.004

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks