General

  • Target

    1731cf21b7b273b219848bd8c0a3270e_JaffaCakes118

  • Size

    659KB

  • Sample

    240505-l9n39sac58

  • MD5

    1731cf21b7b273b219848bd8c0a3270e

  • SHA1

    3bffb3c8162d1fb1dde707d2753f6e55b17e9a8f

  • SHA256

    c4b495ba633b7f07225d6ee29ce0fa972a70c34b0af204cc5c688e82d2d888e8

  • SHA512

    41c386aea91b47d03aff532df8dc9ef1f60e70f8902d8b7d5b47dbc57d45de7fc3d7fc5c61c9c94aa2b1410a0a181c70d3f06afd52654f533d5394f344e2f905

  • SSDEEP

    12288:S9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9EkNC/:+Z1xuVVjfFoynPaVBUR8f+kN10Ed

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    AWESOME

  • C2

    99.65.242.51:200

    192.168.1.64:200

  • Mutex

    DC_MUTEX-4B9Z3T3

Attributes
  • gencode

    6FLz4koiwUa8

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Targets

    • Target

      1731cf21b7b273b219848bd8c0a3270e_JaffaCakes118


    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies firewall policy service

    • Modifies security service

    • Windows security bypass

    • Sets file to hidden

      Modifies file attributes so the file is not shown in Explorer and similar tools.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Windows security modification

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks