General

  • Target

    880b74213950b0697dfb41be1eedfae2_JaffaCakes118

  • Size

    232KB

  • Sample

    240810-25mmmsxdja

  • MD5

    880b74213950b0697dfb41be1eedfae2

  • SHA1

    c885a23b2e0b30d49430341d471c9221b7d97484

  • SHA256

    be1615005027a1f209bdbfc340b7d5b7a22a65adae1b4ce8dd6019f4e96f97ac

  • SHA512

    ac124b3726eee063629dac74b2f4f3bfa3928868410c6159daf9aef9f5317d388c91cdea3d1d1aed1c451412e1b5e43909aec8c478f10f5e13e60f17a66e294b

  • SSDEEP

    6144:WNJiMqZjp9qRfKgGoVcgF9//+LkwFA372KdKVNJPWhXkL7X:WvMZN9QKh3S/qs2KUnJPWu7X

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

ksa-root.no-ip.org:43

Mutex

DC_MUTEX-KS8RZ9R

Attributes
  • InstallPath

    update\avupd.exe

  • gencode

    2SvfLEsL8u3E

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Extracted

Family

darkcomet

Attributes
  • gencode

  • install

    false

  • offline_keylogger

    false

  • persistence

    false

Targets

    • Target

      880b74213950b0697dfb41be1eedfae2_JaffaCakes118

    • Size

      232KB

    • MD5

      880b74213950b0697dfb41be1eedfae2

    • SHA1

      c885a23b2e0b30d49430341d471c9221b7d97484

    • SHA256

      be1615005027a1f209bdbfc340b7d5b7a22a65adae1b4ce8dd6019f4e96f97ac

    • SHA512

      ac124b3726eee063629dac74b2f4f3bfa3928868410c6159daf9aef9f5317d388c91cdea3d1d1aed1c451412e1b5e43909aec8c478f10f5e13e60f17a66e294b

    • SSDEEP

      6144:WNJiMqZjp9qRfKgGoVcgF9//+LkwFA372KdKVNJPWhXkL7X:WvMZN9QKh3S/qs2KUnJPWu7X

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks