General

  • Target

    86109d4b7366539f835dc5e091e083b3_JaffaCakes118

  • Size

    2.8MB

  • Sample

    240810-pq5tfstdnb

  • MD5

    86109d4b7366539f835dc5e091e083b3

  • SHA1

    8f144dc1993cb52778db11f8024cc0ebbd1f6b27

  • SHA256

    8d0171f371dc3318b1bbb754c79b430b404cd309f512173b297d72dd2c9fea1d

  • SHA512

    b9345b5db48c0478caddf2971519bec8087644a7c5979de18d82215a8a0db3ddd17e3f41f29a99db9a0f973380f5526338713f684fa8a4941e7946308268682d

  • SSDEEP

    3072:xCGhO3Qka4UC6swWFrggA0HkFkSh2wgtskiFKQTnrbk/zwWq/da/LV+GTtX471aQ:kMra8TIFHztkROIAeF87x27Q9

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

adobe-update.servehttp.com:19

Mutex

DC_MUTEX-7ZPXCP1

Attributes

  • InstallPath

    adobe\adobe-updt.exe

  • gencode

    3VCBdXlEZJbz

  • install

    true

  • offline_keylogger

    true

  • password

    hitman450

  • persistence

    true

  • reg_key

    adobUpdate

Targets

    • Target

      86109d4b7366539f835dc5e091e083b3_JaffaCakes118

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
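The extracted configuration and the behaviour flags above are enough to hunt for this build on other hosts. The following Python is an added example, not part of the sandbox report or of any DarkComet tooling: it takes the C2, install path, Run-key name and mutex shown on this page and runs them over a handful of Sysmon-style events (EventID 13 registry value set, 11 file create, 3 network connect) that are constructed inline for illustration. The Winlogon check requires the install path to appear in the Userinit/Shell value, so a legitimate Userinit write does not fire. The mutex helper generalises beyond the page by matching the `DC_MUTEX-` prefix that DarkComet builds share rather than only this sample's value; treat that prefix match as a triage hint, not proof.

```python
"""Hunt for the DarkComet build described on this page in Sysmon-style events.

Added example, not part of the sandbox report. Indicator values are copied from
the extracted config above; the event records are constructed for illustration.
"""
from typing import Dict, List, Tuple

# Indicators from the extracted configuration
C2_HOST = "adobe-update.servehttp.com"
C2_PORT = 19
INSTALL_PATH = r"adobe\adobe-updt.exe"
RUN_VALUE = "adobUpdate"

# Registry locations the report flags: a Run key and a Winlogon value
RUN_SUFFIX = ("\\CurrentVersion\\Run\\" + RUN_VALUE).lower()
WINLOGON_VALUES = (
    r"\Windows NT\CurrentVersion\Winlogon\Userinit".lower(),
    r"\Windows NT\CurrentVersion\Winlogon\Shell".lower(),
)

# Constructed Sysmon-like events (not real telemetry)
DROPPER = r"C:\Users\victim\Downloads\86109d4b7366539f835dc5e091e083b3.exe"
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 13, "Image": DROPPER,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\adobUpdate",
     "Details": r"C:\Users\victim\Documents\adobe\adobe-updt.exe"},
    {"EventID": 13, "Image": DROPPER,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "Details": r"C:\Windows\system32\userinit.exe,C:\Users\victim\Documents\adobe\adobe-updt.exe"},
    # Benign: an OS component resetting Userinit to its default value
    {"EventID": 13, "Image": r"C:\Windows\system32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "Details": r"C:\Windows\system32\userinit.exe,"},
    {"EventID": 11, "Image": DROPPER,
     "TargetFilename": r"C:\Users\victim\Documents\adobe\adobe-updt.exe"},
    {"EventID": 3, "Image": r"C:\Users\victim\Documents\adobe\adobe-updt.exe",
     "DestinationHostname": "adobe-update.servehttp.com", "DestinationPort": 19},
    # Benign: a normal Run key entry
    {"EventID": 13, "Image": r"C:\Program Files\OneDrive\OneDriveSetup.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]


def classify(ev: Dict) -> List[str]:
    """Return the names of the indicators one event matches (empty list if none)."""
    hits: List[str] = []
    eid = ev.get("EventID")
    target = str(ev.get("TargetObject", "")).lower()
    details = str(ev.get("Details", "")).lower()
    if eid == 13:
        # "Adds Run key to start application": value name from the config
        if target.endswith(RUN_SUFFIX):
            hits.append("run_key")
        # "Modifies WinLogon for persistence": install path appended to Userinit/Shell
        if any(target.endswith(v) for v in WINLOGON_VALUES) and INSTALL_PATH.lower() in details:
            hits.append("winlogon_persistence")
    elif eid == 11:
        # "Executes dropped EXE": the configured install path being written
        if str(ev.get("TargetFilename", "")).lower().endswith(INSTALL_PATH.lower()):
            hits.append("dropped_exe")
    elif eid == 3:
        host = str(ev.get("DestinationHostname", "")).lower()
        if host == C2_HOST and int(ev.get("DestinationPort", 0)) == C2_PORT:
            hits.append("c2_beacon")
        elif host == C2_HOST:
            hits.append("c2_host_other_port")
    return hits


def hunt(events: List[Dict]) -> List[Tuple[int, List[str]]]:
    """Index every event that matched at least one indicator, with the reasons."""
    return [(i, h) for i, ev in enumerate(events) if (h := classify(ev))]


def is_darkcomet_mutex(name: str) -> bool:
    """DarkComet builds use a DC_MUTEX- prefix; this sample's is DC_MUTEX-7ZPXCP1."""
    return name.upper().startswith("DC_MUTEX-")


if __name__ == "__main__":
    for idx, reasons in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(reasons)}")
```

Feed it real Sysmon exports by mapping the EventData fields to the same keys; the checks are suffix and substring matches, so drive letters and user profile paths do not need to be known in advance.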