General

  • Target

    9529007b60abba98ec81e958389d55c2_JaffaCakes118

  • Size

    980KB

  • Sample

    240814-jcnp5avdlq

  • MD5

    9529007b60abba98ec81e958389d55c2

  • SHA1

    60b2736f2cc80d297b5b095ca3aa1ac3d1154221

  • SHA256

    5805a4b0fa6f01603413da235f21ac65a1e774986b39e702311283cbd058d52d

  • SHA512

    54c8ac45737705ecb094d2a55ffa504e99afad4ec5b4b57809fed7a56b64b373cff5858b4aaf42a6b8ca5e4c25f1a69f5d6e53f8a87c96598c6c60e047a6ed0e

  • SSDEEP

    24576:4/tDKfnAw2WWeFcfbP9VPSPMTSPL/rWvzq4JJfp:4JsELbVMTrOq4

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

174.64.189.203:1337

Mutex

DC_MUTEX-GQXYBHC

Attributes
  • gencode

    o9gtPa3gdZfv

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Extracted

Family

darkcomet

Botnet

N00b

C2

idaniel.servebeer.com:1245

idaniel.servebeer.com:1244

127.0.0.1:1244

127.0.0.1:1245

75.138.81.18:1245

75.138.81.18:1244

192.168.1.104:1244

192.168.1.104:1245

Mutex

DC_MUTEX-3W5SST7

Attributes
  • InstallPath

    SKYPE\skype.exe

  • gencode

    uBzz65arFAWd

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      9529007b60abba98ec81e958389d55c2_JaffaCakes118

    • Size

      980KB

    • MD5

      9529007b60abba98ec81e958389d55c2

    • SHA1

      60b2736f2cc80d297b5b095ca3aa1ac3d1154221

    • SHA256

      5805a4b0fa6f01603413da235f21ac65a1e774986b39e702311283cbd058d52d

    • SHA512

      54c8ac45737705ecb094d2a55ffa504e99afad4ec5b4b57809fed7a56b64b373cff5858b4aaf42a6b8ca5e4c25f1a69f5d6e53f8a87c96598c6c60e047a6ed0e

    • SSDEEP

      24576:4/tDKfnAw2WWeFcfbP9VPSPMTSPL/rWvzq4JJfp:4JsELbVMTrOq4

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks