General

  • Target

    f2485a3bb600b7af5dd1e812a2b3a595_JaffaCakes118

  • Size

    2.0MB

  • Sample

    241215-e12vfawkdr

  • MD5

    f2485a3bb600b7af5dd1e812a2b3a595

  • SHA1

    1179741c00ffe2ea8d2ae76dd0b87a79c89b9edd

  • SHA256

    d85c9c99292bfc14eb103a7bef2388125c501f65c71802e688967561d30a27c9

  • SHA512

    ed57bc492e5601c5e30d7e32a6bb7db657b513309a5ea18d4043a4bb500a1f76962c6207b5fd53729586c41a88a9ad5ede22ab798ed07cfafc4fcde8f9f39b79

  • SSDEEP

    49152:0QCEn/7SFLRxdNocwwZtFRcPcRSc/7f8ueqIGaWNTd75j83InWqFlSX2AOb8/aTL:

Malware Config

Extracted

Family

darkcomet

Botnet

G-8

C2

coyotte760000.no-ip.org:1604

Mutex

DC_MUTEX-PUYZZGK

Attributes

  • InstallPath

    Frame.net\hyhip�hdchjppsfhjk\frghjkkijfrdxcvvbb\Micro-soft\update.exe

  • gencode

    xZVjClPMvJ52

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      f2485a3bb600b7af5dd1e812a2b3a595_JaffaCakes118

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Sets file to hidden

      Modifies file attributes so the file is hidden from Explorer and similar tools.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks