General

  • Target

    99845f856f924384f7dd5197fd29137d_JaffaCakes118

  • Size

    1.3MB

  • Sample

    240815-j6rnwatalh

  • MD5

    99845f856f924384f7dd5197fd29137d

  • SHA1

    252295035a411925232cff11d97f5e67c4847e52

  • SHA256

    dfd22018f391695de3436e68005881f24cb84f1bdc9c0eb5e42600ebca94df7f

  • SHA512

    8471b02edcd1985663990288235a98e5750ef75603c8e0eba084bb95791e1b867e9069c9d5047cba39baad72e5399ba9b3305df515493d9b40ad7f2aafd0e8ee

  • SSDEEP

    24576:BP5VaIZE/4AtPhapwzHXddGXoVOYzA7uN3OrdJ:B2IZEnaerX3go1zjN3OZJ

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    Guest16

  • C2

    pvcoolio.no-ip.biz:1604

  • Mutex

    DC_MUTEX-F54S21D

Attributes
  • gencode

    2xgNmjalb1Py

  • install

    false

  • offline_keylogger

    true

  • password

    123456

  • persistence

    false
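
The fields in the table above are the normalized form of DarkComet's own config blob. The script below is an added example of how that blob is decoded and mapped onto those fields; it is not the sandbox's extractor. It assumes what public write-ups report for DarkComet 5.x: the config sits in an RCDATA resource named DCDATA as an upper-case hex string, RC4-encrypted with a fixed per-version key (no password appended; the password only keys the network stream), and the plaintext is a list of KEY={value} lines between "#BEGIN DARKCOMET DATA --" and "#EOF DARKCOMET DATA --". The key table and the KEY names (SID, NETDATA, OFFLINEK, PERSINST, PWD, the "|" separator for multiple C2s) are assumptions from those write-ups, and the ciphertext is constructed inside the file from the values in this report, so nothing here was dumped from the binary.

```python
"""Decode a DarkComet DCDATA config blob and map it onto the report fields.

Added example (not the sandbox's code). Key table and KEY names are
assumptions taken from public DarkComet 5.x analyses; the sample blob is
constructed below from the report's values so the script runs offline.
"""
import binascii
import re
from typing import Optional

# Fixed RC4 keys DarkComet uses for the config resource (assumed from
# public write-ups). The password is NOT appended here; it is only
# appended for the C2 stream key.
DC_CONFIG_KEYS = [
    b"#KCMDDC51#-890",  # 5.1+
    b"#KCMDDC5#-890",   # 5.0
    b"#KCMDDC4#-890",   # 4.x
    b"#KCMDDC2#-890",   # 2.x / 3.x
]

BEGIN_MARK = "#BEGIN DARKCOMET DATA --"
END_MARK = "#EOF DARKCOMET DATA --"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric, so it encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_dcdata(hex_blob: str) -> Optional[str]:
    """Try each version key; accept the plaintext that starts with the header.
    Returns None when no key yields a DarkComet config (wrong family/version)."""
    raw = binascii.unhexlify(hex_blob.strip())
    for key in DC_CONFIG_KEYS:
        pt = rc4(key, raw)
        if pt.startswith(BEGIN_MARK.encode()):
            return pt.decode("latin-1")
    return None


_KV = re.compile(r"^([A-Z0-9]+)=\{(.*)\}$")


def parse_config(text: str) -> dict:
    """KEY={value} lines -> dict. The BEGIN/EOF marker lines do not match."""
    cfg = {}
    for line in text.splitlines():
        m = _KV.match(line.strip())
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def to_report_fields(cfg: dict) -> dict:
    """Map raw DarkComet keys onto the fields shown in the report table."""
    def flag(k):  # DarkComet stores booleans as "0"/"1"
        return cfg.get(k, "0") not in ("", "0")
    return {
        "family": "darkcomet",
        "botnet": cfg.get("SID", ""),
        # several C2s are "|"-separated in NETDATA (assumption, see lead-in)
        "c2": [h for h in cfg.get("NETDATA", "").split("|") if h],
        "mutex": cfg.get("MUTEX", ""),
        "gencode": cfg.get("GENCODE", ""),
        "install": flag("INSTALL"),
        "offline_keylogger": flag("OFFLINEK"),
        "password": cfg.get("PWD", ""),
        "persistence": flag("PERSINST"),
    }


# --- constructed sample ---------------------------------------------------
# Plaintext built from this report's values (NOT dumped from the sample),
# then encrypted with the 5.1 key and hex-encoded as DCDATA would hold it.
SAMPLE_PLAINTEXT = "\r\n".join([
    BEGIN_MARK,
    "MUTEX={DC_MUTEX-F54S21D}",
    "SID={Guest16}",
    "FWB={0}",
    "NETDATA={pvcoolio.no-ip.biz:1604}",
    "GENCODE={2xgNmjalb1Py}",
    "INSTALL={0}",
    "PWD={123456}",
    "PERSINST={0}",
    "OFFLINEK={1}",
    END_MARK,
])
SAMPLE_DCDATA_HEX = binascii.hexlify(
    rc4(DC_CONFIG_KEYS[0], SAMPLE_PLAINTEXT.encode())).decode().upper()


def extract(hex_blob: str = SAMPLE_DCDATA_HEX) -> dict:
    """Full pipeline: hex -> RC4 (key trial) -> KEY={value} -> report fields."""
    text = decrypt_dcdata(hex_blob)
    if text is None:
        raise ValueError("no known DarkComet config key fits this blob")
    return to_report_fields(parse_config(text))


if __name__ == "__main__":
    for k, v in extract().items():
        print(f"{k:18} {v}")
```

On a real sample, feed the string from the DCDATA resource (for example via pefile's resource walk) to extract(); the key trial is what distinguishes a 5.1 build from a 4.x one, and a None from decrypt_dcdata is the signal to stop rather than to guess a key.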

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks