General

  • Target

    6d7347e903d7ed1465b03fe414932940_JaffaCakes118

  • Size

    313KB

  • Sample

    240725-axpy9axalq

  • MD5

    6d7347e903d7ed1465b03fe414932940

  • SHA1

    348d1922f49153b715aa8e78cfacec9f315c1215

  • SHA256

    e0bf510264960c3ab3155aa02037f9f60e67a632e9e2feefd44e13fc425618d1

  • SHA512

    93af3cd8a14d94ee284f6fdeed64af2f70127d0fb0eae26b69eb8dced2fc14bedd4eaef98ac3025fa81e9b6257fd0ccf2fa8a1ca6246129b832effe1bc028575

  • SSDEEP

    6144:/JRbTrZgngKutvNmvj6545Ax3FpkhYBVEnlj+UMZfyLI7TUKd4z:BR/N50vj6iO1p6YBVEnlSU6fy+Tg

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

existencepowa.no-ip.info:1604

Mutex

DC_MUTEX-W0CR02Y

Attributes
  • gencode

    icTdDYhoCJhM

  • install

    false

  • offline_keylogger

    true

  • persistence

    false
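The Malware Config block above is the output of a config extractor. As an added example (not the sandbox's code and not DarkComet's own), the script below shows how such a block is produced for DarkComet 5.x: the config is stored as hex-encoded RC4 ciphertext in a resource named DCDATA, keyed with a per-version string (for 5.1, `#KCMDDC51#-890`) with the builder password appended if one was set, and decrypts to KEY={VALUE} lines. Those constants and field names come from public DarkComet decoders, not from this page; the ciphertext is constructed here by encrypting a plaintext that mirrors the values in the report, so the script runs offline and the mapping of raw field names onto the report's names (SID to Botnet, NETDATA to C2, and so on) is the one chosen for this example.

```python
"""Decode a DarkComet 5.x-style DCDATA blob and map it onto the fields this report lists.
Added example: key strings and field names are from public decoders; the blob is constructed."""
import re
from typing import Dict, Optional, Tuple

# Static per-version keys published by public decoders (assumption: builder password unset).
DC_KEYS = {
    "5.1": "#KCMDDC51#-890",
    "5.0": "#KCMDDC5#-890",
    "4.2F": "#KCMDDC42F#-890",
}

# Raw config field name -> name used in the Malware Config section (mapping chosen here).
REPORT_FIELDS = {
    "SID": "botnet",
    "NETDATA": "c2",
    "MUTEX": "mutex",
    "GENCODE": "gencode",
    "INSTALL": "install",
    "OFFLINEK": "offline_keylogger",
    "PERSINST": "persistence",
}
FLAG_FIELDS = {"INSTALL", "OFFLINEK", "PERSINST"}  # stored as "0"/"1" in the config


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_dcdata(hex_blob: str, password: str = "") -> Optional[Tuple[str, str]]:
    """Try each known version key (plus optional builder password); return (version, plaintext)
    for the first key whose output looks like a config (contains a MUTEX field)."""
    raw = bytes.fromhex(hex_blob.strip())
    for version, key in DC_KEYS.items():
        plain = rc4((key + password).encode(), raw)
        if b"MUTEX={" in plain:
            return version, plain.decode("latin-1")
    return None


def parse_config(plaintext: str) -> Dict[str, str]:
    """Parse KEY={VALUE} lines (CRLF-separated) into a dict."""
    return dict(re.findall(r"^([A-Z0-9]+)=\{(.*?)\}\s*$", plaintext, re.MULTILINE))


def to_report(cfg: Dict[str, str]) -> Dict[str, object]:
    """Rename raw fields to the report's names and turn the 0/1 flags into booleans."""
    out: Dict[str, object] = {}
    for raw_name, report_name in REPORT_FIELDS.items():
        if raw_name in cfg:
            value = cfg[raw_name]
            out[report_name] = (value == "1") if raw_name in FLAG_FIELDS else value
    return out


# Constructed plaintext mirroring the values extracted in this report, encrypted with the
# v5.1 key so the decoder has input. It is NOT the sample's real DCDATA resource.
_SAMPLE_PLAINTEXT = (
    "MUTEX={DC_MUTEX-W0CR02Y}\r\n"
    "SID={Guest16}\r\n"
    "NETDATA={existencepowa.no-ip.info:1604}\r\n"
    "GENCODE={icTdDYhoCJhM}\r\n"
    "INSTALL={0}\r\n"
    "OFFLINEK={1}\r\n"
    "PERSINST={0}\r\n"
)
SAMPLE_DCDATA_HEX = rc4(DC_KEYS["5.1"].encode(), _SAMPLE_PLAINTEXT.encode()).hex()


def extract(hex_blob: str = SAMPLE_DCDATA_HEX, password: str = "") -> Dict[str, object]:
    """Full pipeline: hex blob -> decrypt with known keys -> parse -> report-style fields."""
    found = decrypt_dcdata(hex_blob, password)
    if found is None:
        raise ValueError("no known DarkComet key decrypted this blob (other version, or a builder password?)")
    version, plaintext = found
    report = to_report(parse_config(plaintext))
    report["version_key"] = version
    return report


if __name__ == "__main__":
    for name, value in extract().items():
        print(f"{name:18} {value}")
```

On a real sample you would read the DCDATA resource (for example with `pefile`) and pass its bytes as the hex string; if none of the static keys yields a `MUTEX={` field, the builder was most likely given a password, which must then be recovered or brute-forced and passed as `password`.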

Targets

    • Target

      6d7347e903d7ed1465b03fe414932940_JaffaCakes118

    • Size

      313KB

    • MD5

      6d7347e903d7ed1465b03fe414932940

    • SHA1

      348d1922f49153b715aa8e78cfacec9f315c1215

    • SHA256

      e0bf510264960c3ab3155aa02037f9f60e67a632e9e2feefd44e13fc425618d1

    • SHA512

      93af3cd8a14d94ee284f6fdeed64af2f70127d0fb0eae26b69eb8dced2fc14bedd4eaef98ac3025fa81e9b6257fd0ccf2fa8a1ca6246129b832effe1bc028575

    • SSDEEP

      6144:/JRbTrZgngKutvNmvj6545Ax3FpkhYBVEnlj+UMZfyLI7TUKd4z:BR/N50vj6iO1p6YBVEnlSU6fy+Tg

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Renames multiple (187) files with added filename extension

      This suggests ransomware activity: files across the system are being encrypted and given an additional extension. The heuristic keys on the rename pattern alone, so read it together with the other signatures rather than as confirmation on its own.

    • Checks computer location settings

      Looks up the country code configured in the registry; this is likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Suspicious use of SetThreadContext
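The "renames multiple files with added filename extension" signature above is a behavioural heuristic over the file-system trace. As an added example (not the sandbox's own signature code), the script below re-implements that check over a constructed trace: a rename counts only when the destination is the source path plus exactly one extra extension, hits are grouped per process, and a process is flagged once it crosses a threshold. The event layout (pid, operation, source, destination) and the threshold of 5 are assumptions of this example; the report's own count was 187.

```python
"""Re-implementation of the appended-extension rename heuristic. Added example; the event
tuple layout and the threshold are assumptions, and the trace below is constructed."""
import re
from typing import Dict, Iterable, List, Set, Tuple

RenameEvent = Tuple[int, str, str, str]  # (pid, operation, source path, destination path)

# Exactly one appended extension: a dot and a short alphanumeric token, nothing more.
_ONE_EXT = re.compile(r"^\.[A-Za-z0-9_-]{1,10}$")


def added_extension(src: str, dst: str) -> bool:
    """True when dst is src with one extra extension (report.docx -> report.docx.locked).
    Paths are compared case-insensitively, as NTFS does."""
    if len(dst) <= len(src) or dst[: len(src)].lower() != src.lower():
        return False
    return bool(_ONE_EXT.match(dst[len(src):]))


def flag_renames(events: Iterable[RenameEvent], threshold: int = 5) -> Dict[int, Dict[str, object]]:
    """Count appended-extension renames per pid; return {pid: {"count", "extensions"}}
    for every pid at or above threshold, in order of first occurrence."""
    counts: Dict[int, int] = {}
    exts: Dict[int, Set[str]] = {}
    for pid, op, src, dst in events:
        if op != "rename" or not added_extension(src, dst):
            continue
        counts[pid] = counts.get(pid, 0) + 1
        exts.setdefault(pid, set()).add(dst[len(src):].lower())
    return {
        pid: {"count": n, "extensions": sorted(exts[pid])}
        for pid, n in counts.items()
        if n >= threshold
    }


# Constructed trace: pid 1337 mass-renames user documents with ".locked"; pid 2000 makes a
# single ".bak" copy, which the per-file check matches but the threshold filters out.
SAMPLE_EVENTS: List[RenameEvent] = [
    (1337, "rename", r"C:\Users\user\Documents\budget.xlsx", r"C:\Users\user\Documents\budget.xlsx.locked"),
    (1337, "rename", r"C:\Users\user\Documents\notes.txt", r"C:\Users\user\Documents\notes.txt.locked"),
    (1337, "rename", r"C:\Users\user\Documents\report.docx", r"C:\Users\user\Documents\report.docx.locked"),
    (1337, "rename", r"C:\Users\user\Pictures\img001.jpg", r"C:\Users\user\Pictures\img001.jpg.locked"),
    (1337, "rename", r"C:\Users\user\Pictures\img002.jpg", r"C:\Users\user\Pictures\img002.jpg.locked"),
    (1337, "rename", r"C:\Users\user\Desktop\todo.md", r"C:\Users\user\Desktop\todo.md.locked"),
    (1337, "rename", r"C:\Users\user\Desktop\draft.docx", r"C:\Users\user\Desktop\final.docx"),  # ordinary rename
    (1337, "create", "", r"C:\Users\user\Desktop\README.txt"),  # not a rename at all
    (2000, "rename", r"C:\Users\user\app.cfg", r"C:\Users\user\app.cfg.bak"),  # one hit, below threshold
]

if __name__ == "__main__":
    for pid, info in flag_renames(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {info['count']} renames with added extension(s) {info['extensions']}")
```

The per-file predicate alone is noisy (backup tools and editors routinely write `name.ext.bak`), which is why the decision is made on the per-process count and the set of appended extensions rather than on any single event.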

MITRE ATT&CK Enterprise v15
