General

  • Target

    d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118

  • Size

    1.1MB

  • Sample

    241207-mgmkeatpgm

  • MD5

    d1f834a0abe1adad23eb99e9d877e8f6

  • SHA1

    06047d238c3e5ca4a56a776e03148b4aba5ec842

  • SHA256

    1f665d378d61b7030eca36e761d508c5e98197d54c4b4501ea975a6682b134b2

  • SHA512

    8d2c9ad9ebf47c75d6b72e95875d00428ca5476ec74dbd536a2d67af1b7ac2ec83f60cc08dbe1f8f59d2e6326b26f227c732321e744a9b666ec67fa0640e4ac5

  • SSDEEP

    12288:Na6snd3as6YqYN3/Ry/NdMvQH5M8bKUA0i3PFbxNrOwcxDdArCbnIc4N/HbkGgL/:NviYDCNN5eDdArCjm0P48HZyNwcphW

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    Crypted

  • C2

    jesusmanwoohoo.no-ip.org:1604

  • Mutex

    DC_MUTEX-EW8ANM5

Attributes

  • gencode

    SDj8iuYh55Bf

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
