General

  • Target

    128963528e6cb03078ef9f584e946bd4_JaffaCakes118

  • Size

    620KB

  • Sample

    240626-taa2csthkn

  • MD5

    128963528e6cb03078ef9f584e946bd4

  • SHA1

    cbce6617606da167fdf40a390d9e75dc55cdc97e

  • SHA256

    167f6c3cd08077a0a1f86513e84c27ae0f39d8b2f1bd1b2833e330465de0388c

  • SHA512

    1239513f028948a35b577d30f5f354b6338f9a494d1e2aca84b0644fd262de34afaf1b6658b3294e821ee4da0b9035b3eeb6d8522eab3399321ceb4d6ca7b995

  • SSDEEP

    12288:JTmbU0MBAUZB0igu6G/KdM9h2418lbkCZuoYYsK5yxXvX7L35yxXvX7L:JQUX0iA8Ko2wwgztYsAMDLpMDL

Malware Config

Extracted

Family

darkcomet

Botnet

lozpe

C2

lozpers.no-ip.biz:1604

Mutex

DC_MUTEX-0AY9FAN

Attributes

  • gencode

    h5i5JEJmPirH

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Targets

    • Target

      128963528e6cb03078ef9f584e946bd4_JaffaCakes118

    • Size

      620KB

    • MD5

      128963528e6cb03078ef9f584e946bd4

    • SHA1

      cbce6617606da167fdf40a390d9e75dc55cdc97e

    • SHA256

      167f6c3cd08077a0a1f86513e84c27ae0f39d8b2f1bd1b2833e330465de0388c

    • SHA512

      1239513f028948a35b577d30f5f354b6338f9a494d1e2aca84b0644fd262de34afaf1b6658b3294e821ee4da0b9035b3eeb6d8522eab3399321ceb4d6ca7b995

    • SSDEEP

      12288:JTmbU0MBAUZB0igu6G/KdM9h2418lbkCZuoYYsK5yxXvX7L35yxXvX7L:JQUX0iA8Ko2wwgztYsAMDLpMDL

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks