General

  • Target

    67c9f1b0bf6b5d8ac8eb53c22dad5688_JaffaCakes118

  • Size

    717KB

  • Sample

    240723-qwmqhawara

  • MD5

    67c9f1b0bf6b5d8ac8eb53c22dad5688

  • SHA1

    2015915844759fee3d0a3069c93f9b28795ceb46

  • SHA256

    69b2a3b438e568feb73d429e1478588003d606f81a20b5174ea4e8fb75ebde4b

  • SHA512

    882769525f3d3c5e880b6d455989a2f508144391510c3b5758c3f2b91a3a2122f721d99ce95ac85c5b20266c1c52f35a38c95c610644603cdd95822e4a08ac8d

  • SSDEEP

    12288:FdcwXXPnn1Ygth9v3IKVRRuUUxCjdsb588/aL539Pe+mVdhRt+INt2WlJHmpR:FdRv7Xv3dufCjd5G2ne+mVdhrZNEws

Malware Config

Extracted

Family

darkcomet

Botnet

NewestFUD

C2

darkcometnotbs.no-ip.org:999

Mutex

DC_MUTEX-6K82Y6L

Attributes

  • gencode

    J2dlaWGFf8qj

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Targets

    • Target

      67c9f1b0bf6b5d8ac8eb53c22dad5688_JaffaCakes118

    • Size

      717KB

    • MD5

      67c9f1b0bf6b5d8ac8eb53c22dad5688

    • SHA1

      2015915844759fee3d0a3069c93f9b28795ceb46

    • SHA256

      69b2a3b438e568feb73d429e1478588003d606f81a20b5174ea4e8fb75ebde4b

    • SHA512

      882769525f3d3c5e880b6d455989a2f508144391510c3b5758c3f2b91a3a2122f721d99ce95ac85c5b20266c1c52f35a38c95c610644603cdd95822e4a08ac8d

    • SSDEEP

      12288:FdcwXXPnn1Ygth9v3IKVRRuUUxCjdsb588/aL539Pe+mVdhRt+INt2WlJHmpR:FdRv7Xv3dufCjd5G2ne+mVdhrZNEws

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks