General

  • Target

    10ebd248f121a61518a8aeffa125e7b7_JaffaCakes118

  • Size

    660KB

  • Sample

    240626-ggtqts1dmj

  • MD5

    10ebd248f121a61518a8aeffa125e7b7

  • SHA1

    7d18da8d72bd9c5e33366ea9a54e56b42041e568

  • SHA256

    71d8a7b8dddc55173689a9f090bf64d3eee60a74fe4d34592b319437ef928099

  • SHA512

    52c1b7a39e35a3dc777533c1823511b92ef2cbf212a84ee025369e326f0f38298f6e3a4a3500289985a3e54779f9346263d55b8c9179dc1155c639db79b26d1c

  • SSDEEP

    12288:MXhpvNWw276S/DuoeFcfbmiJ99VPhYR5MTSHvLenELrWv1lZw4JuMkMh/fy452UO:anAw2WWeFcfbP9VPSPMTSPL/rWvzq4J+

Malware Config

Extracted

Family

darkcomet

Botnet

DarkComet

C2

178.33.181.10:1604

Mutex

DC_MUTEX-P3P2TTH

Attributes
  • InstallPath

    Windupdt\winupdate.exe

  • gencode

    T5rJaLq4qNuE

  • install

    true

  • offline_keylogger

    true

  • password

    lol1234

  • persistence

    true

  • reg_key

    winupdater

Targets

    • Target

      10ebd248f121a61518a8aeffa125e7b7_JaffaCakes118

    • Size

      660KB

    • MD5

      10ebd248f121a61518a8aeffa125e7b7

    • SHA1

      7d18da8d72bd9c5e33366ea9a54e56b42041e568

    • SHA256

      71d8a7b8dddc55173689a9f090bf64d3eee60a74fe4d34592b319437ef928099

    • SHA512

      52c1b7a39e35a3dc777533c1823511b92ef2cbf212a84ee025369e326f0f38298f6e3a4a3500289985a3e54779f9346263d55b8c9179dc1155c639db79b26d1c

    • SSDEEP

      12288:MXhpvNWw276S/DuoeFcfbmiJ99VPhYR5MTSHvLenELrWv1lZw4JuMkMh/fy452UO:anAw2WWeFcfbP9VPSPMTSPL/rWvzq4J+

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks