General

  • Target

    f354fe54a8c1c49d5dc7fce13f6b5458_JaffaCakes118

  • Size

    658KB

  • Sample

    241215-la8cvszma1

  • MD5

    f354fe54a8c1c49d5dc7fce13f6b5458

  • SHA1

    aa55c82fe69c47749097990b60c5136c168db863

  • SHA256

    395217f00e128d72ab7ccb1a198e7b366b34ebb051a02b28297eaa5fcb5abc09

  • SHA512

    bcd579cf4baac21941c60652cf22697ea82a69e2486881f47cec7719077441dea8bb53e53a3d3e1948900e4d4911a8caa382b0ad4c4220b6f69152d4c565f141

  • SSDEEP

    12288:y9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hK:eZ1xuVVjfFoynPaVBUR8f+kN10EBQ

Malware Config

Extracted

Family

darkcomet

Botnet

Slave

C2

mrdaniel.no-ip.org:18418

Mutex

DC_MUTEX-AGN4CQ3

Attributes

  • InstallPath

    SystemM\SystemHJ.exe

  • gencode

    KkWtqDcdwDun

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      f354fe54a8c1c49d5dc7fce13f6b5458_JaffaCakes118

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application
