General

  • Target

    79f990b51a93bcea447361c0ff124fa5_JaffaCakes118

  • Size

    540KB

  • Sample

    240730-zlc8raxhln

  • MD5

    79f990b51a93bcea447361c0ff124fa5

  • SHA1

    0b0f738448b585e95876a1db1a5ccd349bb8f394

  • SHA256

    1fd2795be467787899008bd222d7c4d336701f294461e4c6c7a28059148b0a81

  • SHA512

    a1f78ad9c0e89c07d02bea6664d04803a051c1aaae3a4658c1525946cf3e190e943b25681dfab3897b643ea65896a462ac66d254cbc05a2525d1092b15164e8a

  • SSDEEP

    12288:ke0upxXUG/EwhiALlal/1VOqIn9fy/afPdTL67P/wcpG5txe+bE:zzxEG/Eclw9s59q/sZu7P/waGrxe+I

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    Guest16

  • C2

    winupdt.sytes.net:5500

  • Mutex

    DC_MUTEX-FYC4NVU

Attributes

  • InstallPath

    Install\Winup.exe

  • gencode

    xlw5yo0FAZSj

  • install

    true

  • offline_keylogger

    true

  • password

    111

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      79f990b51a93bcea447361c0ff124fa5_JaffaCakes118

    • Size

      540KB

    • MD5

      79f990b51a93bcea447361c0ff124fa5

    • SHA1

      0b0f738448b585e95876a1db1a5ccd349bb8f394

    • SHA256

      1fd2795be467787899008bd222d7c4d336701f294461e4c6c7a28059148b0a81

    • SHA512

      a1f78ad9c0e89c07d02bea6664d04803a051c1aaae3a4658c1525946cf3e190e943b25681dfab3897b643ea65896a462ac66d254cbc05a2525d1092b15164e8a

    • SSDEEP

      12288:ke0upxXUG/EwhiALlal/1VOqIn9fy/afPdTL67P/wcpG5txe+bE:zzxEG/Eclw9s59q/sZu7P/waGrxe+I

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Molebox Virtualization software

      Detects file using Molebox Virtualization software.

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks