General

  • Target

    d0e0f6380b41345ddd15c2eaa2e1d058_JaffaCakes118

  • Size

    350KB

  • Sample

    241207-f838xaykdz

  • MD5

    d0e0f6380b41345ddd15c2eaa2e1d058

  • SHA1

    83c58927d06b1bb4b649797a369ed24ff422043a

  • SHA256

    d6bf9497d6ceec5a40a538c2470371343318a71aa490a48ea59abac338c92473

  • SHA512

    d945882062f607d3df1149a4f7d0d22115523ed9db06a057891dfa2a911c458e83ae9cade18f90227c7263596752ba1b2dd3635e300fa1cdc3e1a3475aa2376b

  • SSDEEP

    6144:kD7cY2fgssM7Wirg9KXylmRiL+QMeC/i6isqX7UovnONztByipwxZTlI2hgplSZJ:kl8E4w5huat7UovONzbXw3Nh/NVR

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

zarloc.weuns.fr:1604

zarloc.dyndns.org:1604

Mutex

DC_MUTEX-F54S21D

Attributes
  • gencode

    qzavXgkDi3Kh

  • install

    false

  • offline_keylogger

    true

  • password

    jet'aieuconnard

  • persistence

    false

Targets

    • Target

      d0e0f6380b41345ddd15c2eaa2e1d058_JaffaCakes118

    • Size

      350KB

    • MD5

      d0e0f6380b41345ddd15c2eaa2e1d058

    • SHA1

      83c58927d06b1bb4b649797a369ed24ff422043a

    • SHA256

      d6bf9497d6ceec5a40a538c2470371343318a71aa490a48ea59abac338c92473

    • SHA512

      d945882062f607d3df1149a4f7d0d22115523ed9db06a057891dfa2a911c458e83ae9cade18f90227c7263596752ba1b2dd3635e300fa1cdc3e1a3475aa2376b

    • SSDEEP

      6144:kD7cY2fgssM7Wirg9KXylmRiL+QMeC/i6isqX7UovnONztByipwxZTlI2hgplSZJ:kl8E4w5huat7UovONzbXw3Nh/NVR

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks