General

  • Target

    6713143bff2698120466897c617714b6_JaffaCakes118

  • Size

    436KB

  • Sample

    240723-lrrfnszanb

  • MD5

    6713143bff2698120466897c617714b6

  • SHA1

    7b280a01ebef171aa565c348201f5c53477c7800

  • SHA256

    60dbdec0ec25f470df6e9ab29e445c100be65364067b7e74c6c95d484e278557

  • SHA512

    9de4a7d51cb846e775ffdacd86e4d511ca6d170fc5d0ef230548619a81a2aeb678c5bcb91e910a63af9b2c23f4bbd1bec85d4f76bdd6a70f6e6e3d199984f60c

  • SSDEEP

    12288:fxlpLnAXramRWX8bZAMMAPkvs5gDmMmabt7X9Rhj:fXpLZ4Cj44t7X9R

Malware Config

Extracted

Family

darkcomet

Botnet

TUBBY

C2

24.21.77.148:1604

24.21.77.148:8080

Mutex

DC_MUTEX-8KN114X

Attributes
  • gencode

    zcNk1kGyyC30

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Targets

    • Target

      6713143bff2698120466897c617714b6_JaffaCakes118

    • Size

      436KB

    • MD5

      6713143bff2698120466897c617714b6

    • SHA1

      7b280a01ebef171aa565c348201f5c53477c7800

    • SHA256

      60dbdec0ec25f470df6e9ab29e445c100be65364067b7e74c6c95d484e278557

    • SHA512

      9de4a7d51cb846e775ffdacd86e4d511ca6d170fc5d0ef230548619a81a2aeb678c5bcb91e910a63af9b2c23f4bbd1bec85d4f76bdd6a70f6e6e3d199984f60c

    • SSDEEP

      12288:fxlpLnAXramRWX8bZAMMAPkvs5gDmMmabt7X9Rhj:fXpLZ4Cj44t7X9R

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Drops file in Drivers directory

    • Drops startup file

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks