General

  • Target

    620af7b60cd12d45630c8d254c158139_JaffaCakes118

  • Size

    704KB

  • Sample

    240722-arg2fsvdrn

  • MD5

    620af7b60cd12d45630c8d254c158139

  • SHA1

    e8376adb5c5824c48cb73a0205ff567232e813eb

  • SHA256

    ead0fc8e813f6db3cf84cee547be2f6f1c9f03b606421c736f11c062937c3dc9

  • SHA512

    9d5d7e44a4066dec8b0795310720a5da432e1b8582eb9a9e79a60889540effd4cff3a4d2781237aee71515b580b86f163de51960f49b78c3e5f8867c4728800b

  • SSDEEP

    12288:M7pgQNvpFBNpQQqiR7RD3rvPFz/drQtQl2G+ot9PlHY6hRxuU00:M3NvVNqXiRRrHrB2GLl1M3

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    avec_dns

  • C2

    dark-sam.no-ip.org:1604

  • Mutex

    DC_MUTEX-E99E03J

Attributes

  • gencode

    q4T9jpjHRf00

  • install

    false

  • offline_keylogger

    true

  • password

    180818sa

  • persistence

    false

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Sets file to hidden

      Modifies the file's attributes so that it is not displayed in Explorer and similar file browsers.

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks