General

  • Target

    f402a16676631d77a2dcb8c046991f00_JaffaCakes118

  • Size

    493KB

  • Sample

    241215-pp85gstpgy

  • MD5

    f402a16676631d77a2dcb8c046991f00

  • SHA1

    48c4f74248ff71dbd31267da4104e9c892882a2c

  • SHA256

    66590902797120864dbef0899092c139a15a2a0255864538c9af18df8f4881ca

  • SHA512

    97c76ff7c67e514e236d61dd48cdf40053e7283fa918c96aee94d132061b6965f9f0977cf097a97170490995390f9b070fd66bf410561df98f91a1a978aaee3e

  • SSDEEP

    12288:X+Xb/LLjHiVISC1ej9IC5Wh6o5SFMX9TLZebk/KH:XWvLjHlSCUtyRZi

Malware Config

Extracted

Family

darkcomet

Botnet

Victim

C2

kasual.no-ip.org:1604

Mutex

DC_MUTEX-BJY9NCZ

Attributes
  • InstallPath

    bootmgr

  • gencode

    NdSW8lmR1GU4

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    bootmgr

Targets

    • Target

      f402a16676631d77a2dcb8c046991f00_JaffaCakes118

    • Size

      493KB

    • MD5

      f402a16676631d77a2dcb8c046991f00

    • SHA1

      48c4f74248ff71dbd31267da4104e9c892882a2c

    • SHA256

      66590902797120864dbef0899092c139a15a2a0255864538c9af18df8f4881ca

    • SHA512

      97c76ff7c67e514e236d61dd48cdf40053e7283fa918c96aee94d132061b6965f9f0977cf097a97170490995390f9b070fd66bf410561df98f91a1a978aaee3e

    • SSDEEP

      12288:X+Xb/LLjHiVISC1ej9IC5Wh6o5SFMX9TLZebk/KH:XWvLjHlSCUtyRZi

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Drops file in Drivers directory

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks