General

  • Target

    b1fdd5e88db97e06cb1aa34250a2e7aa_JaffaCakes118

  • Size

    1.2MB

  • Sample

    241129-sbp18swlck

  • MD5

    b1fdd5e88db97e06cb1aa34250a2e7aa

  • SHA1

    3a5bf3f22918e1e90fb79224aabb70872d4f2a6e

  • SHA256

    d9d1115de07bc42d5f04144fdaea4b0e266625f412b3fe40f9894c47bf723355

  • SHA512

    e11c9726b6cf25a2ee11622d2f65efd3d95a8935b118bf62b21378fc89d52b60073109830d142244bbbb76083485c05f73c828cf70aea62b477247cd51015169

  • SSDEEP

    24576:DXdy9QgPZbB7PtkivzbV25ID2qFycEtq7xLPTASqt/VK21S:DCxfrtkKh9j2SqtNX1S

Malware Config

Extracted

Family

darkcomet

Botnet

Dyn

C2

rezausa.dyndns.org:3030

Mutex

DC_MUTEX-FP62LLT

Attributes

  • InstallPath

    taskhost.exe

  • gencode

    hUY9zKTsFEQe

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      b1fdd5e88db97e06cb1aa34250a2e7aa_JaffaCakes118

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • Windows security bypass

    • Sets file to hidden

      Modifies file attributes so that the file is not shown in Explorer and similar file browsers.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
