General

  • Target

    11e5fe1ed48897be658e90416d671f17_JaffaCakes118

  • Size

    1.3MB

  • Sample

    240504-ked45sbd92

  • MD5

    11e5fe1ed48897be658e90416d671f17

  • SHA1

    b5fd0aa3b324954b4c94cf34189cea64efa61387

  • SHA256

    72664acbb76d528a1b930c3f9120f2125e6e3d8f7c68502cf67d78c7a108df9b

  • SHA512

    c1956b900a517048fd91d752d3b76282d38cc69fbc60de6d1e436ec88492acf3a5fe2848134556c6d3648126cf5e3643752ff867eddbf6bb0d2ebae03bc5ae2c

  • SSDEEP

    24576:f2O/GlB5fVh82Djw3MJXkN6GXEGvqCbOyIwJsyaNZIbUt0hM7gh8/pIHgs:KfVW2D8akAGVvRbOyIDBIYt0+W8/p8gs

Malware Config

Extracted

Family

darkcomet

Botnet

Malik El Shabbaz

C2

benzenekartel.ddns.net:2200

Mutex

DCMIN_MUTEX-XC4B7RD

Attributes
  • gencode

    RZXBxdP7UGXu

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Targets

    • Target

      11e5fe1ed48897be658e90416d671f17_JaffaCakes118

    • Size

      1.3MB

    • MD5

      11e5fe1ed48897be658e90416d671f17

    • SHA1

      b5fd0aa3b324954b4c94cf34189cea64efa61387

    • SHA256

      72664acbb76d528a1b930c3f9120f2125e6e3d8f7c68502cf67d78c7a108df9b

    • SHA512

      c1956b900a517048fd91d752d3b76282d38cc69fbc60de6d1e436ec88492acf3a5fe2848134556c6d3648126cf5e3643752ff867eddbf6bb0d2ebae03bc5ae2c

    • SSDEEP

      24576:f2O/GlB5fVh82Djw3MJXkN6GXEGvqCbOyIwJsyaNZIbUt0hM7gh8/pIHgs:KfVW2D8akAGVvRbOyIDBIYt0+W8/p8gs

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution to (or away from) particular regions.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
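The detection sketch below is an added example; it is not part of the sandbox report and not DarkComet code. It takes the indicators the report gives (the C2 host benzenekartel.ddns.net on port 2200, the DCMIN_MUTEX- mutex prefix used by DarkComet builds, and the "Adds Run key" behaviour) and runs them over a few constructed Sysmon-style JSON events. The field names follow Sysmon (EventID 22 DNS query, 3 network connection, 13 registry value set); the image paths, SIDs and value names in the sample records are made up for the example. Note that the extracted config reports install and persistence as false while the sandbox still observed a Run key being written, so the checks cover the observed behaviour as well as the config indicators; a dynamic-DNS C2 also rotates quickly, which is why the host match is not the only rule.

```python
"""Added detection example for the DarkComet sample in this report.
Not from the report or from DarkComet; sample telemetry is constructed."""
import json
import re

# Indicators taken from the extracted config and signatures in the report.
C2_HOST = "benzenekartel.ddns.net"
C2_PORT = 2200
# DarkComet builds name their mutex DCMIN_MUTEX-<id>; this sample: DCMIN_MUTEX-XC4B7RD.
MUTEX_PREFIX = "DCMIN_MUTEX-"
# Run / RunOnce value written under HKLM or HKU ("Adds Run key to start application").
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.IGNORECASE)

# Constructed Sysmon-style records (not real telemetry). EventID 22 = DNS query,
# 3 = network connection, 13 = registry value set. Paths and names are invented.
SAMPLE_RECORDS = [
    {"EventID": 22, "Image": r"C:\Users\alice\Downloads\invoice.exe",
     "QueryName": "benzenekartel.ddns.net"},
    {"EventID": 3, "Image": r"C:\Users\alice\Downloads\invoice.exe",
     "DestinationHostname": "benzenekartel.ddns.net", "DestinationPort": 2200},
    {"EventID": 13, "Image": r"C:\Users\alice\Downloads\invoice.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\Updater.exe"},
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "www.example.com"},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "www.example.com", "DestinationPort": 443},
]
SAMPLE_LINES = [json.dumps(r) for r in SAMPLE_RECORDS]  # one JSON object per line


def check_event(ev):
    """Return (rule, detail) pairs for one parsed event; empty list if nothing matched."""
    hits = []
    eid = ev.get("EventID")
    if eid == 22 and ev.get("QueryName", "").lower() == C2_HOST:
        hits.append(("darkcomet_c2_dns", ev["QueryName"]))
    elif eid == 3:
        host = ev.get("DestinationHostname", "").lower()
        port = ev.get("DestinationPort")
        if host == C2_HOST and port == C2_PORT:
            hits.append(("darkcomet_c2_connect", f"{host}:{port}"))
        elif host == C2_HOST:
            # Same host on another port: the operator may simply have moved the listener.
            hits.append(("darkcomet_c2_host", f"{host}:{port}"))
    elif eid == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
        hits.append(("run_key_persistence",
                     f'{ev["TargetObject"]} -> {ev.get("Details")}'))
    return hits


def is_darkcomet_mutex(name):
    """True for names using DarkComet's DCMIN_MUTEX- prefix.
    Sysmon does not log mutex creation; feed this from a sandbox report or a handle dump."""
    return name.upper().startswith(MUTEX_PREFIX)


def scan(lines):
    """Parse JSON-lines telemetry and return a list of findings, in input order."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        for rule, detail in check_event(ev):
            findings.append({"rule": rule, "image": ev.get("Image"), "detail": detail})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"[{f['rule']}] {f['image']}: {f['detail']}")
    print("mutex match:", is_darkcomet_mutex("DCMIN_MUTEX-XC4B7RD"))
```

The exact host and port match is the high-confidence rule; the Run-key rule is generic and will also fire on legitimate installers, so treat it as a corroborating signal and pivot on the writing Image, not as a standalone alert.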

MITRE ATT&CK Enterprise v15

Tasks