General

  • Target

    d97c83769db2a543d904501f22056290_JaffaCakes118

  • Size

    515KB

  • Sample

    241209-n2hyds1mcn

  • MD5

    d97c83769db2a543d904501f22056290

  • SHA1

    95d0d0521f7a88e9b8dc08907509799c128e77c1

  • SHA256

    3e5d82b39b9212613383ae6c94094051ecfbeddbeafbf1d3a63ed23328cc6ee1

  • SHA512

    270caba631ff8d054515f89a96bea3cce9abe9b3221f88388fb25bb1c5aa7bb9fb6d74cd83c2b10c0dffb29ae3bd4aeb662313c92cb6e458bc5c2d59f72298e8

  • SSDEEP

    6144:M8HE5leAjqA7e7lMXh2PVtS2+SN0X5Wx8lzR0PqXcl51q45dMG4XbMg65AGdU:M8HUeAjqRGh2PLB0X5WgtRX01qzDrMBQ

Malware Config

Extracted

Family

darkcomet

Botnet

26.05

C2

grrr.no-ip.org:1604

morans.no-ip.biz:1604

Mutex

DC_MUTEX-P3CD4XX

Attributes
  • gencode

    D6xGbXCz58rr

  • install

    false

  • offline_keylogger

    true

  • persistence

    false
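
How a report like the "Extracted" block above is produced, as an added worked example (not code from the sandbox or from DarkComet itself). It follows the layout described in public analyses of DarkComet 4.x/5.x: the builder stores the configuration in an RCDATA resource named DCDATA as a hex string of RC4 ciphertext under a fixed per-version key ("#KCMDDC51#-890" for 5.1, "#KCMDDC5#-890" for 5.0, "#KCMDDC42F#-890" for 4.2), and the plaintext is a list of KEY={value} lines in which NETDATA carries the C2 hosts separated by "|", SID is the botnet id, and INSTALL/OFFLINEK/PERSINST are the flags shown as install, offline_keylogger and persistence. Those key strings and field names are taken as assumptions here and were not verified against this sample; the DCDATA blob below is constructed by encrypting a sample config built from the values in the report.

```python
"""
Added example: recover a DarkComet-style DCDATA configuration and map it onto the
fields a sandbox report shows (family, botnet, C2, mutex, attributes).

Assumptions (public analyses of DarkComet 4.x/5.x, not verified against this sample):
  * config lives in an RCDATA resource "DCDATA" as hex-encoded RC4 ciphertext;
  * the RC4 key is a fixed per-version string (see KNOWN_KEYS);
  * plaintext is KEY={value} lines; NETDATA = host:port entries joined by '|',
    SID = botnet id, INSTALL/OFFLINEK/PERSINST = 0/1 flags.
The sample plaintext is constructed for this example; only the mutex, C2 hosts,
botnet id and gencode values come from the report.
"""
from __future__ import annotations
import re

KNOWN_KEYS = {            # assumed per-version keys, tried in this order
    "5.1": "#KCMDDC51#-890",
    "5.0": "#KCMDDC5#-890",
    "4.2": "#KCMDDC42F#-890",
}

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

CFG_LINE = re.compile(rb"^([A-Z0-9]+)=\{(.*)\}$")

def parse_config(plaintext: bytes) -> dict[str, str]:
    """Turn KEY={value} lines into a dict; banner/comment lines are ignored."""
    fields: dict[str, str] = {}
    for line in plaintext.splitlines():
        m = CFG_LINE.match(line.strip())
        if m:
            fields[m.group(1).decode()] = m.group(2).decode(errors="replace")
    return fields

def decrypt_dcdata(hex_blob: str, keys: dict[str, str] = KNOWN_KEYS) -> tuple[str, dict[str, str]]:
    """Try each known key; accept the first whose plaintext parses to a DC_MUTEX-* config."""
    ciphertext = bytes.fromhex(hex_blob)
    for version, key in keys.items():
        fields = parse_config(rc4(key.encode(), ciphertext))
        if fields.get("MUTEX", "").startswith("DC_MUTEX-"):
            return version, fields
    raise ValueError("no known key produced a DarkComet config")

def to_report(fields: dict[str, str]) -> dict:
    """Project raw config keys onto the report's field names."""
    return {
        "family": "darkcomet",
        "botnet": fields.get("SID", ""),
        "c2": [h for h in fields.get("NETDATA", "").split("|") if h],
        "mutex": fields.get("MUTEX", ""),
        "gencode": fields.get("GENCODE", ""),
        "install": fields.get("INSTALL") == "1",
        "offline_keylogger": fields.get("OFFLINEK") == "1",
        "persistence": fields.get("PERSINST") == "1",
    }

# Constructed sample config (values from the report, layout assumed) and its
# DCDATA form: RC4 under the 5.1 key, hex-encoded, as the resource would hold it.
SAMPLE_PLAINTEXT = b"\r\n".join([
    b"#BEGIN DARKCOMET DATA --",
    b"MUTEX={DC_MUTEX-P3CD4XX}",
    b"SID={26.05}",
    b"NETDATA={grrr.no-ip.org:1604|morans.no-ip.biz:1604}",
    b"GENCODE={D6xGbXCz58rr}",
    b"INSTALL={0}",
    b"OFFLINEK={1}",
    b"PERSINST={0}",
    b"#EOF DARKCOMET DATA --",
])
SAMPLE_DCDATA_HEX = rc4(KNOWN_KEYS["5.1"].encode(), SAMPLE_PLAINTEXT).hex().upper()

if __name__ == "__main__":
    version, fields = decrypt_dcdata(SAMPLE_DCDATA_HEX)
    print("key version:", version)
    for k, v in to_report(fields).items():
        print(f"{k}: {v}")
```

On a real sample the hex blob would come from the DCDATA resource of the unpacked executable (the report flags this one as UPX packed, so unpack first); trying every known key and accepting only a plaintext with a DC_MUTEX- mutex avoids a false match on a wrong key.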

Targets

    • Target

      d97c83769db2a543d904501f22056290_JaffaCakes118

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.
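
What a "UPX packed file" signature can read straight from the PE section table, as an added example (not the sandbox's own signature logic). Stock UPX names its sections UPX0/UPX1 (with UPX2 or .rsrc when resources are kept), leaves the first section with a virtual size but no raw data on disk, and in typical builds writes a "UPX!" marker shortly after the section table; a modified UPX may rename the sections, so the check combines all three. The three PE images below are constructed with a small builder; none of the real sample's bytes are reproduced.

```python
"""
Added example: minimal PE section-table parser and UPX heuristics.
The PE images are constructed here for the example, not taken from the sample.
"""
import struct

SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes

def section_table(pe: bytes):
    """Return ([(name, vsize, va, rawsize, rawptr), ...], offset just past the table)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]        # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]   # COFF SizeOfOptionalHeader
    off = e_lfanew + 24 + opt_size                              # section table follows optional header
    secs = []
    for i in range(nsec):
        name, vsize, va, raw, ptr = struct.unpack_from("<8sIIII", pe, off + 40 * i)
        secs.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, va, raw, ptr))
    return secs, off + 40 * nsec

def upx_indicators(pe: bytes) -> dict:
    """Three independent hints; 'packed' needs the names, or the empty first section plus marker."""
    secs, table_end = section_table(pe)
    names = [s[0] for s in secs]
    ind = {
        "upx_section_names": any(n.upper().startswith("UPX") for n in names),
        "first_section_empty": bool(secs) and secs[0][1] > 0 and secs[0][3] == 0,
        "upx_marker": b"UPX!" in pe[table_end:table_end + 0x400],
    }
    ind["packed"] = ind["upx_section_names"] or (ind["first_section_empty"] and ind["upx_marker"])
    return ind

def build_pe(sections, trailer=b"") -> bytes:
    """Minimal PE32 image: DOS header, PE signature, COFF header, zeroed optional header, section table."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(
        struct.pack(SECTION_FMT, name.encode().ljust(8, b"\0"), vsize, va, raw, ptr, 0, 0, 0, 0, flags)
        for name, vsize, va, raw, ptr, flags in sections
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + trailer

# Constructed: layout typical of a UPX-packed PE (UPX0 reserved but empty on disk, code in UPX1).
PACKED_PE = build_pe([
    ("UPX0", 0x6000, 0x1000, 0x0000, 0x400, 0xE0000080),
    ("UPX1", 0x2000, 0x7000, 0x1E00, 0x400, 0xE0000040),
    (".rsrc", 0x1000, 0x9000, 0x0400, 0x2200, 0xC0000040),
], trailer=b"\0" * 8 + b"UPX!" + b"\0" * 0x100)

# Constructed: same layout with renamed sections ("modified UPX"); marker and empty first section remain.
RENAMED_PE = build_pe([
    (".text", 0x6000, 0x1000, 0x0000, 0x400, 0xE0000080),
    (".data", 0x2000, 0x7000, 0x1E00, 0x400, 0xE0000040),
], trailer=b"\0" * 8 + b"UPX!" + b"\0" * 0x100)

# Constructed: ordinary unpacked layout.
PLAIN_PE = build_pe([
    (".text", 0x3000, 0x1000, 0x3000, 0x400, 0x60000020),
    (".data", 0x1000, 0x4000, 0x0400, 0x3400, 0xC0000040),
], trailer=b"\0" * 0x100)

if __name__ == "__main__":
    for label, img in (("packed", PACKED_PE), ("renamed", RENAMED_PE), ("plain", PLAIN_PE)):
        print(label, upx_indicators(img))
```

Section names alone are the weakest signal, since a packer can write anything into the 8-byte name field; the empty first section and the marker are what survive a renamed build, which is why the verdict accepts either the names or both structural hints.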

MITRE ATT&CK Enterprise v15

Tasks