General

  • Target

    10a71368ad2498e56cd3d64292e370c3_JaffaCakes118

  • Size

    1.1MB

  • Sample

    240626-eksa3awgjr

  • MD5

    10a71368ad2498e56cd3d64292e370c3

  • SHA1

    77e2a4eccd5b4c1615fef1119ba7b27cc4caa0e8

  • SHA256

    3984187c57e1b9c45862e393f20cc33979c959f9310fcd292595251e7e8a35d6

  • SHA512

    156cbedf7aa2f6eec206a7034e481e89e28a7c74fd8e7017b89df34af8c5beea070785d73eb94532991927d2e9006885851c972fa0534bd25a2bdf6a3efeccf7

  • SSDEEP

    3072:zrnZZGjfs/XyPtBSbGypZM5/EdoQ3DWbbO4rzqj7AE5sOCAK6c4N1WFw//A2Pe+m:0JTY

Malware Config

Extracted

Family

darkcomet

Botnet

Torrent

C2

127.0.0.1:1604

zx5.sytes.net:1604

Mutex

fjfjrr66rjtytyt

Attributes
  • InstallPath

    Microsoft\lsass.exe

  • gencode

    4TpUNRfJavQX

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    lsass.exe

Extracted

Family

darkcomet

Attributes
  • gencode

  • install

    false

  • offline_keylogger

    false

  • persistence

    false

Targets

    • Target

      10a71368ad2498e56cd3d64292e370c3_JaffaCakes118

    • Size

      1.1MB

    • MD5

      10a71368ad2498e56cd3d64292e370c3

    • SHA1

      77e2a4eccd5b4c1615fef1119ba7b27cc4caa0e8

    • SHA256

      3984187c57e1b9c45862e393f20cc33979c959f9310fcd292595251e7e8a35d6

    • SHA512

      156cbedf7aa2f6eec206a7034e481e89e28a7c74fd8e7017b89df34af8c5beea070785d73eb94532991927d2e9006885851c972fa0534bd25a2bdf6a3efeccf7

    • SSDEEP

      3072:zrnZZGjfs/XyPtBSbGypZM5/EdoQ3DWbbO4rzqj7AE5sOCAK6c4N1WFw//A2Pe+m:0JTY

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks