General

  • Target

    f7fde5fd9701a66a2278c15cb93d64a4_JaffaCakes118

  • Size

    1.1MB

  • Sample

    240926-knmsms1anh

  • MD5

    f7fde5fd9701a66a2278c15cb93d64a4

  • SHA1

    87e16c270fa099abc8730b6c71bb41fce3e56893

  • SHA256

    a0025a6cf0dfdaa08349dbe3e13264d24e2b8f8d6f43f99ba5427c7de6c1f93c

  • SHA512

    810577649f7699ed58e024023cf56945ae9d1f1cb6d29ba09f39c3fbcce3afab35e511cdf98587ab9c0eb0d8e0c7fc29518c6c8582cdd3960ba2fe69188e5d1c

  • SSDEEP

    24576:jthEVaPqLvupTc6GT42PVIKMRpSEKZsvWXzlwyN6Mug3iqw:3EVUcAcjWK+sTQo5w0B3E

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    Pedo

  • C2

    kl0w.no-ip.org:1604
    mozillaproxy.zapto.org:1604

  • Mutex

    DC_MUTEX-DP8F6B1

  • Attributes

      • gencode

        ACM2WY4UF9FU

      • install

        false

      • offline_keylogger

        true

      • persistence

        false

Extracted

  • Family

    latentbot

  • C2

    mozillaproxy.zapto.org

Targets

    • Target

      f7fde5fd9701a66a2278c15cb93d64a4_JaffaCakes118

    • Size

      1.1MB

    • MD5

      f7fde5fd9701a66a2278c15cb93d64a4

    • SHA1

      87e16c270fa099abc8730b6c71bb41fce3e56893

    • SHA256

      a0025a6cf0dfdaa08349dbe3e13264d24e2b8f8d6f43f99ba5427c7de6c1f93c

    • SHA512

      810577649f7699ed58e024023cf56945ae9d1f1cb6d29ba09f39c3fbcce3afab35e511cdf98587ab9c0eb0d8e0c7fc29518c6c8582cdd3960ba2fe69188e5d1c

    • SSDEEP

      24576:jthEVaPqLvupTc6GT42PVIKMRpSEKZsvWXzlwyN6Mug3iqw:3EVUcAcjWK+sTQo5w0B3E

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • LatentBot

      Modular trojan written in Delphi that has been in the wild since 2013.

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks