General

  • Target

    1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118

  • Size

    660KB

  • Sample

    240506-gm5qaaec56

  • MD5

    1b13fd5d2438595750bd28c0512a5efc

  • SHA1

    12fa776a5a2c2f6b6abbb23512c32f5f89e09e6d

  • SHA256

    8f5bfa1785455e30f95dc1aab6855220db3077a497448cedc15b435274efe238

  • SHA512

    7013c113fe427a3c35cfe8fc29850cef0569a5e2319d13ec6df4679528fa88cf3b18e8f577405b2ae0543f3b0acab0ffbbc823370ce0fbd6e0511bf43bd62f2e

  • SSDEEP

    12288:gXhpvNWw276S/DuoeFcfbmiJ99VPhYR5MTSHvLenELrWv1lZw4JuMkMh/fy452Un:mnAw2WWeFcfbP9VPSPMTSPL/rWvzq4JX

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    Guest16

  • C2

    myramic.hopto.org:1604

    192.168.1.34:1604

  • Mutex

    DC_MUTEX-U21HY5A

  • Attributes

    • gencode

      17wuPD1x7bTT

    • install

      false

    • offline_keylogger

      true

    • persistence

      false

Targets

    • Target

      1b13fd5d2438595750bd28c0512a5efc_JaffaCakes118

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Sets file to hidden

      Modifies file attributes so the file is not shown in Explorer and similar file browsers.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

MITRE ATT&CK Matrix (ATT&CK v13)

  • Defense Evasion

    • Hide Artifacts (T1564): 2

    • Hidden Files and Directories (T1564.001): 2

  • Discovery

    • Query Registry (T1012): 1

    • System Information Discovery (T1082): 2

Tasks