General

  • Target

    8bdd66de383bb00ce035f43a2d45f7ee_JaffaCakes118

  • Size

    650KB

  • Sample

    240811-zbzc8swhpq

  • MD5

    8bdd66de383bb00ce035f43a2d45f7ee

  • SHA1

    7c98f01085dd9e6ae04059d2915fb2ddea552439

  • SHA256

    dfaa9c45005fbc1190e18567d4f4b9bbd651f539c4aa6249f5bdc0eb7576672c

  • SHA512

    4945b28eb3517306f948e72fe0dfe46e8775f2fdf5c55d1b35565b52e6b7fc311419a9256bf22e0b6947d89bd076be586e08e78625fd75dc097d5c586afa8ac3

  • SSDEEP

    12288:Lk0QVlhmPojAPTMEsUTg0oChO/Q2JbsbjPbN5qhRTtYe3f+Iw86k/9/+D:g0QRWoJEfg0oChGdJQbjPbNW5tYeP+GS

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

violatorhf.no-ip.org:1604

Mutex

DC_MUTEX-JHDB4Y2

Attributes
  • InstallPath

    Explorer\explorer.exe

  • gencode

    DJjy391Alxs4

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    svchost.exe

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Reads the country code configured in the registry (the Nation value under HKCU\Control Panel\International\Geo), most likely as a geofence to avoid running in the operator's own region.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
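The extracted config and the behaviour signatures above are directly actionable as host and network detections. The following is an added example (not part of the sandbox report) that encodes the C2 host and port, the mutex, the InstallPath and the Run value name as indicators and runs them over Sysmon-style telemetry records. The records are constructed to illustrate the logic, not captured from the sample; the family-wide DC_MUTEX- pattern, the choice of %APPDATA% as the install directory, and the Userinit/Shell values as the Winlogon write targets are assumptions about typical DarkComet builds rather than facts this report states.

```python
"""Operationalise the extracted DarkComet config as detections over host telemetry.

Added example, not part of the sandbox report. The event records below are
constructed to resemble Sysmon-style fields; they are not captures from the sample.
"""
import re

# Indicators copied from the extracted config.
C2_HOST = "violatorhf.no-ip.org"
C2_PORT = 1604                                   # also DarkComet's default listening port
MUTEX = "DC_MUTEX-JHDB4Y2"
INSTALL_PATH_SUFFIX = r"\explorer\explorer.exe"  # InstallPath "Explorer\explorer.exe", lower-cased
RUN_VALUE_NAME = "svchost.exe"                   # reg_key: Run value name masquerading as svchost

# Assumption: DarkComet builds default to DC_MUTEX- plus seven alphanumerics, so the
# family-wide pattern catches rebuilt samples whose exact mutex differs from this one.
DC_MUTEX_RE = re.compile(r"^DC_MUTEX-[A-Z0-9]{7}$")
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\([^\\]+)$")
# Assumption: the Winlogon persistence write lands on the Userinit or Shell value.
WINLOGON_RE = re.compile(r"\\microsoft\\windows nt\\currentversion\\winlogon\\(userinit|shell)$")


def check_event(ev):
    """Return the sorted list of indicator names one event matches ([] if none)."""
    hits = []
    kind = ev.get("type")
    if kind == "regset":
        key = ev.get("key", "").lower()
        data = ev.get("data", "").lower()
        m = RUN_KEY_RE.search(key)
        # Either the masquerading value name or the install path is enough to flag the Run entry.
        if m and (m.group(1) == RUN_VALUE_NAME or data.endswith(INSTALL_PATH_SUFFIX)):
            hits.append("run-key-persistence")
        if WINLOGON_RE.search(key):
            # Any write to Userinit/Shell is rare on a healthy host; the install path confirms it.
            hits.append("winlogon-modified")
            if INSTALL_PATH_SUFFIX in data:
                hits.append("winlogon-installpath")
    elif kind == "dns":
        if ev.get("query", "").lower().rstrip(".") == C2_HOST:
            hits.append("c2-dns")
    elif kind == "netconn":
        if ev.get("dst_host", "").lower() == C2_HOST:
            hits.append("c2-host")
        if ev.get("dst_port") == C2_PORT:
            hits.append("darkcomet-default-port")
    elif kind == "mutex":
        name = ev.get("name", "")
        if name == MUTEX:
            hits.append("mutex-exact")
        if DC_MUTEX_RE.match(name):
            hits.append("mutex-family")
    return sorted(hits)


def scan(events):
    """Map each event id to its hits, keeping only events that matched something."""
    report = {}
    for ev in events:
        hits = check_event(ev)
        if hits:
            report[ev["id"]] = hits
    return report


# Constructed telemetry: five records matching the sample's behaviour, two benign controls.
# The %APPDATA% install directory is an assumption; the report only gives the relative path.
SAMPLE_EVENTS = [
    {"id": 1, "type": "regset",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe",
     "data": r"C:\Users\victim\AppData\Roaming\Explorer\explorer.exe"},
    {"id": 2, "type": "regset",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "data": r"C:\Windows\system32\userinit.exe,C:\Users\victim\AppData\Roaming\Explorer\explorer.exe"},
    {"id": 3, "type": "dns", "query": "violatorhf.no-ip.org"},
    {"id": 4, "type": "netconn", "dst_host": "violatorhf.no-ip.org", "dst_port": 1604},
    {"id": 5, "type": "mutex", "name": "DC_MUTEX-JHDB4Y2"},
    {"id": 6, "type": "regset",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"id": 7, "type": "netconn", "dst_host": "example.com", "dst_port": 443},
]

if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS).items():
        print(event_id, hits)
```

The exact-match indicators (host, mutex, value name) are brittle against a rebuilt sample, which is why the block also carries the weaker family-level checks (default port, mutex pattern, any Winlogon Userinit/Shell write); in production the weak hits should raise severity only in combination, since port 1604 alone or a single Run key is not evidence on its own.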

MITRE ATT&CK Enterprise v15