General

  • Target

    1f486fce9885728e55330e33adb0220a_JaffaCakes118

  • Size

    405KB

  • Sample

    240702-pcm2gs1erh

  • MD5

    1f486fce9885728e55330e33adb0220a

  • SHA1

    6533b2736e5fb84ee5c9bdef2600e2b333f1858d

  • SHA256

    42d412d8f6d6725326275f413cbe880c3489f4322d278a34830c42a5c47389e2

  • SHA512

    33f43d31e565787d2debfbd7d597fbb68377fcc2d115f2e2f09ab00de025155d9173079e87f628a59323a67f0d6aa10ee23d53e06c34dd61944aa808ac4b0491

  • SSDEEP

    6144:BZoHFN7FE0kNAIbxLSRcNoMdy/GyzB7+IkV+QglRVXR3569Q3FCbdolhdILJUguY:3oHZ/hINSwye4XjXa9Q3kolRguyzC9nq

Targets

    • Target

      Facebook Account Hacker.exe

    • Size

      1002KB

    • MD5

      810ee30f3831206f115a9de523d553ea

    • SHA1

      cce8aa42fff602345db5baa6b20bf663481ccb07

    • SHA256

      16af77f601bb55b12c0d4f4ec36c600fa651bb3c085b6342bd93437d287024d1

    • SHA512

      ec00695ba3aacb276b7a4f12f116e171f978363f5fc4f9c7f6a00ecfa8d4f61fa198f747ba0d107155b7992366655af78c7a00d034845d03a87b477ef7c2f305

    • SSDEEP

      24576:M3nbWmJVJFwSddIXvfhqbiaxvRxq9ULjpc:yamdZdcBYtPpc

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

      Changes values under the Winlogon registry key, which Windows reads at logon, so the payload is launched on every logon (Winlogon Helper DLL, T1547.004).

    • Sets file to hidden

      Modifies file attributes so the file is not shown in Explorer and similar file browsers (Hidden Files and Directories, T1564.001).

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      Writes an autostart entry under a Run registry key (Registry Run Keys / Startup Folder, T1547.001).

    • Drops file in System32 directory
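The two registry persistence signatures above (Winlogon modification and the Run key) are the ones a responder would verify on a suspect host. The following is an added example, not sandbox or Triage code, that audits a `.reg` export for both: it flags Winlogon `Shell`/`Userinit` values that differ from the stock defaults (T1547.004) and Run-key entries whose program lives outside the Windows or Program Files trees (T1547.001). The registry export it parses is constructed, and every file name and value in it is hypothetical.

```python
"""Audit a Windows registry export (.reg text) for the two persistence
mechanisms this report maps to ATT&CK: Winlogon helper tampering
(T1547.004) and Run-key autostarts (T1547.001).

Added example for this report; it is not sandbox or Triage code. The
registry export below is constructed, and every file name and value in
it is hypothetical, chosen only to exercise the checks.
"""
import re

# Default Winlogon helper values on a stock Windows install. Userinit is
# normally written with a trailing comma; both spellings are accepted.
WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
WINLOGON_DEFAULTS = {
    "shell": {"explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe,",
                 r"c:\windows\system32\userinit.exe"},
}

RUN_KEYS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
)

# Autostart entries launched from these roots are treated as benign for
# triage purposes; anything else is reported for a human to look at.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed .reg export (hypothetical values): Userinit has an extra
# executable appended, and one Run entry launches from the user profile.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\Public\\svchost.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"MicroUpdate"="C:\\Users\\user\\AppData\\Roaming\\updater.exe"
'''

# A REG_SZ line: "name"="data", with \\ and \" escapes inside either side.
_ENTRY = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # .reg exports escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path_lower: {value_name: data}} for the REG_SZ entries."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            reg.setdefault(current, {})
            continue
        m = _ENTRY.match(line)
        if m and current is not None:
            reg[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return reg


def winlogon_findings(reg):
    """Flag Shell/Userinit values that differ from the stock defaults."""
    findings = []
    for name, data in reg.get(WINLOGON_KEY, {}).items():
        allowed = WINLOGON_DEFAULTS.get(name.lower())
        if allowed is not None and data.strip().lower() not in allowed:
            findings.append(("T1547.004", "Winlogon\\" + name, data))
    return findings


def executable_path(command):
    """Pull the program path out of a Run-key command line (quoted or not)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def run_key_findings(reg):
    """Flag Run-key entries whose program lives outside the trusted roots."""
    findings = []
    for key in RUN_KEYS:
        for name, command in reg.get(key, {}).items():
            path = executable_path(command).lower()
            if not path.startswith(TRUSTED_ROOTS):
                findings.append(("T1547.001", "Run\\" + name, path))
    return findings


def audit(text):
    """Run both checks and return (technique, location, data) tuples."""
    reg = parse_reg(text)
    return winlogon_findings(reg) + run_key_findings(reg)


if __name__ == "__main__":
    for technique, where, data in audit(SAMPLE_REG):
        print(f"[{technique}] {where}: {data}")
```

On a live host, export the keys first (for example `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg`) and open the file with `encoding="utf-16"`, since `reg export` writes UTF-16 LE. The trusted-root filter is a triage heuristic, not a verdict: a payload dropped into System32, as this sample does, would pass it, so every Run entry that survives the filter still needs its file hash checked against the indicators above.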

MITRE ATT&CK Matrix (ATT&CK v13)

  Count is the number of signature hits mapped to each technique.

  Tactic                Technique                              ID         Count
  --------------------  -------------------------------------  ---------  -----
  Persistence           Boot or Logon Autostart Execution      T1547      2
                        Registry Run Keys / Startup Folder     T1547.001  1
                        Winlogon Helper DLL                    T1547.004  1
  Privilege Escalation  Boot or Logon Autostart Execution      T1547      2
                        Registry Run Keys / Startup Folder     T1547.001  1
                        Winlogon Helper DLL                    T1547.004  1
  Defense Evasion       Modify Registry                        T1112      2
                        Hide Artifacts                         T1564      2
                        Hidden Files and Directories           T1564.001  2
  Discovery             Query Registry                         T1012      1
                        System Information Discovery           T1082      2
