General

  • Target

    e1432a7d5347ceb3c3349876e38a2955_JaffaCakes118

  • Size

    438KB

  • Sample

    241211-nkvwma1jcy

  • MD5

    e1432a7d5347ceb3c3349876e38a2955

  • SHA1

    559bdb6ef9a712bf6580a90bdf4629698b77af4f

  • SHA256

    b1c1fd131f896d582ee4a290b3be1cf7a8fd7447e5c38e4c1d7300acab80b8de

  • SHA512

    032c5b78b5bfbaa28491c4796855ef1e0e4423ff80514e49d884babdab0e13f9cd0471896c5532cdeb559a250d6712d79b5b5a76bbc798024705f124e0eeb3ab

  • SSDEEP

    12288:Oe2CB53mzfJXTZEBnMOaXjYBV5b5xRURq9/:OOqf8qrYBLdqqd

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    19.01 ASK

  • C2

    morans.no-ip.biz:1700

    grrr.no-ip.biz:1700

    grrr.no-ip.org:1700

    grrr.no-ip.org:1604

  • Mutex

    DC_MUTEX-6TLN7NX

  • Attributes

    • gencode

      f6JygSQ6qexm

    • install

      false

    • offline_keylogger

      true

    • persistence

      false

Targets

    • Target

      IMG_2003251447.exe

    • Size

      558KB

    • MD5

      fc96649f5eeeb19d55ae1e581786d349

    • SHA1

      3b6af40e040a4ed70a261df8d56c6787aab7bfeb

    • SHA256

      146ef2521c6e02b0396042699489cefa8d4d096e03ef9ce3366e3a08ea8f2ce9

    • SHA512

      b03797c838d12e68a3705e5aeebbab6165dc14f6962ddace1a73f44c0ee2c3939733299f32fe174285f94a9829cbcb0a8b1eff1fd22d6142ad5238a0cde979d8

    • SSDEEP

      12288:dl7bmzxB1l9ExnMOaBXwHFT////////////////D5rOlZkg4Skk3kQwCJk/hN0:jqx4a/wl5qjkBCRJU

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

MITRE ATT&CK Enterprise v15

Tasks