General

  • Target

    693d0e75117786c05a23a40915b0440e_JaffaCakes118

  • Size

    4.3MB

  • Sample

    240523-bglsbsfg91

Malware Config

Extracted

Family

darkcomet

Botnet

A1Client

C2

subdomain-dns.duckdns.org:3725

Mutex

DC_MUTEX-9WL5KMH

Attributes
  • gencode

    F7b2NJbuPvt9

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Targets

    • Target

      NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/IconInjector.dll

    • Size

      13KB

    • Score

      1/10

    • Target

      NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/Interop.NATUPNPLib.dll

    • Size

      7KB

    • Score

      1/10

    • Target

      NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/Mono.Cecil.dll

    • Size

      305KB

    • Score

      1/10

    • Target

      NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/NingaliNET Cracked [VersionPremium].exe

    • Size

      2.9MB

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

    • Target

      NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/NingaliNET [Original].exe

    • Size

      1.4MB

    • Score

      1/10

    • Target

      NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/Plugins/Filebinder.bin

    • Size

      14KB

    • Score

      1/10

    • Target

      NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/Plugins/Server.bin

    • Size

      150KB

    • Score

      1/10

    • Target

      NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/Plugins/dlentrypoint.bin

    • Size

      11KB

    • Score

      1/10

    • Target

      NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/Plugins/dlnormal.bin

    • Size

      11KB

    • Score

      1/10

    • Target

      NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/Res/res.exe

    • Size

      861KB

    • Score

      1/10

    • Target

      NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/SocketServer.dll

    • Size

      15KB

    • Score

      1/10

    • Target

      NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/upnp.dll

    • Size

      11KB

    • Score

      1/10

MITRE ATT&CK Matrix ATT&CK v13

Discovery

  • Query Registry (T1012)

    1

  • System Information Discovery (T1082)

    2

Tasks