General

  • Target

    11b439932d089a0cf681b2c01df27124_JaffaCakes118

  • Size

    756KB

  • Sample

    240626-mmvg7stbrj

  • MD5

    11b439932d089a0cf681b2c01df27124

  • SHA1

    d98de33d66073d8cca48f74d39ab3dce5b364c70

  • SHA256

    4a700932d9a4d72e48d4a710150c8c56b7d42b3a86a1c128f76f8e7038cc55f2

  • SHA512

    a05d7e03e6ab617d7ce5ffbef60ae47a972bf5da408de26bcf64effcb914a4cbdad281221f2c5f4d5deedb2422abfe3f593287c6b86f3c5fcfab0b96ea7888ab

  • SSDEEP

    12288:ZBKyEkAzx2AfzhaEjLae+MMBuUyxg/jqGt6Mi8aOfrmfNi/vrf:ayY2w5GjqGt6eBf1/v

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    tailex-serv1

  • C2

    dk.salesasia.info:5622

    50.31.0.228:5622

  • Mutex

    DC_MUTEX-PRWHYG9

Attributes

  • gencode

    l4uWLvpxxyhk

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks