General

  • Target

    67e6a67f5397c1ce77180f4d3cb51330_JaffaCakes118

  • Size

    1.0MB

  • Sample

    240723-rlsdnsvajp

  • MD5

    67e6a67f5397c1ce77180f4d3cb51330

  • SHA1

    367196dbdc09c295c6ec14dc3e983f810a0a7c55

  • SHA256

    47871bb9d548507aabbc7e8ad58350fbdee144bac33cb0e5853557e6cd79fb20

  • SHA512

    52b3a89376c47e5e92a831ace7ce8fceacbcddc38783adb8491506aadb6cdde7e0a02375e54f760cda2d5c88f474e90d1b4a561184ccfc867e4255cb90d3ef26

  • SSDEEP

    24576:R////cnaUnwZZ8ZEWzEKOltxADTjwE0k3Ui3ZB/:QtwMZpwxDWPSoUM

Malware Config

Extracted

Family

darkcomet

Botnet

Hacked-nac

C2

city972.no-ip.biz:1550

Mutex

DC_MUTEX-C2BT3Z0

Attributes
  • gencode

    RlFJw1nz9gDT

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Targets

    • Target

      67e6a67f5397c1ce77180f4d3cb51330_JaffaCakes118

    • Size

      1.0MB

    • MD5

      67e6a67f5397c1ce77180f4d3cb51330

    • SHA1

      367196dbdc09c295c6ec14dc3e983f810a0a7c55

    • SHA256

      47871bb9d548507aabbc7e8ad58350fbdee144bac33cb0e5853557e6cd79fb20

    • SHA512

      52b3a89376c47e5e92a831ace7ce8fceacbcddc38783adb8491506aadb6cdde7e0a02375e54f760cda2d5c88f474e90d1b4a561184ccfc867e4255cb90d3ef26

    • SSDEEP

      24576:R////cnaUnwZZ8ZEWzEKOltxADTjwE0k3Ui3ZB/:QtwMZpwxDWPSoUM

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks