General

  • Target: 5caae1ac6f6d9f58b17a51fc7808e3e1_JaffaCakes118
  • Size: 783KB
  • Sample: 240719-tmvljasgkd
  • MD5: 5caae1ac6f6d9f58b17a51fc7808e3e1
  • SHA1: 40b2ebe3c36a26ee2ef1abb2b2f59837451ff577
  • SHA256: 07a3b70386d9d81fff3856e5fe764d24bc347570ccf6330e51062dd1d29e3ee6
  • SHA512: d8e2f602e49208990bdeeb3d58365bc0ee5172e2666c2676f874b24282e12620c095abd4574801490cc2815af2606d81e4ca95147c80a5cb1b4b8b43d9f8ebf1
  • SSDEEP: 24576:En/Ooh2u7PqrF65zMTohFxOxEgquWx2R+5l2Bzb:sBB7qGMiFMdquFzzb

Malware Config

Extracted

  • Family: darkcomet
  • Botnet: Guest16
  • C2: activate.strangled.net:100
  • Mutex: DC_MUTEX-ZJ3D950

Attributes
  • InstallPath: MSDCSC\activate_now.exe
  • gencode: vdEZLjDj5hlD
  • install: true
  • offline_keylogger: true
  • persistence: true
  • reg_key: Activate Now

Targets

    • Target: 5caae1ac6f6d9f58b17a51fc7808e3e1_JaffaCakes118
    • Size: 783KB
    • MD5: 5caae1ac6f6d9f58b17a51fc7808e3e1
    • SHA1: 40b2ebe3c36a26ee2ef1abb2b2f59837451ff577
    • SHA256: 07a3b70386d9d81fff3856e5fe764d24bc347570ccf6330e51062dd1d29e3ee6
    • SHA512: d8e2f602e49208990bdeeb3d58365bc0ee5172e2666c2676f874b24282e12620c095abd4574801490cc2815af2606d81e4ca95147c80a5cb1b4b8b43d9f8ebf1
    • SSDEEP: 24576:En/Ooh2u7PqrF65zMTohFxOxEgquWx2R+5l2Bzb:sBB7qGMiFMdquFzzb

    • Darkcomet
      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
    • Modifies WinLogon for persistence
    • Checks computer location settings
      Looks up the country code configured in the registry, likely as a geofence check.
    • Executes dropped EXE
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks