General

  • Target

    98b7fd0528de9b2c632ac6f4e8a6116f_JaffaCakes118

  • Size

    279KB

  • Sample

    240815-dtz7lasaqh

  • MD5

    98b7fd0528de9b2c632ac6f4e8a6116f

  • SHA1

    61a7dbc20aca7b24153882b7a8cd2dbef16f8ed1

  • SHA256

    79b53cdf26a1ab0937017ab940fa0c1007a974cf9ab90dc4ec9fac5a6536feaf

  • SHA512

    d2a165350e5bdb7d9fd01c0504451702a2c3d841898f10cc3a7054b25664a071631913ae577c28879499a8b6e99dd669d9273d1b6d8ef5628617e1003bed2855

  • SSDEEP

    6144:woMUmoD2qJqFMw+iz3Wygrfa/OONKDKjz+kBSsGEeHzAeKHrXElCEXpb:wohfwFMwbzGbri/BKDtkQEeHzoLrEX

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

smr9.no-ip.org:1604

Mutex

DC_MUTEX-NJSZLY8

Attributes
  • InstallPath

    MSDCSC\lsass.exe

  • gencode

    6xtSkc229rlk

  • install

    true

  • offline_keylogger

    false

  • password

    123456

  • persistence

    true

  • reg_key

    lsass.exe

Targets

    • Target

      98b7fd0528de9b2c632ac6f4e8a6116f_JaffaCakes118

    • Size

      279KB

    • MD5

      98b7fd0528de9b2c632ac6f4e8a6116f

    • SHA1

      61a7dbc20aca7b24153882b7a8cd2dbef16f8ed1

    • SHA256

      79b53cdf26a1ab0937017ab940fa0c1007a974cf9ab90dc4ec9fac5a6536feaf

    • SHA512

      d2a165350e5bdb7d9fd01c0504451702a2c3d841898f10cc3a7054b25664a071631913ae577c28879499a8b6e99dd669d9273d1b6d8ef5628617e1003bed2855

    • SSDEEP

      6144:woMUmoD2qJqFMw+iz3Wygrfa/OONKDKjz+kBSsGEeHzAeKHrXElCEXpb:wohfwFMwbzGbri/BKDtkQEeHzoLrEX

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks